Create service principal programmatically in Azure Python API

帅比萌擦擦* submitted on 2019-12-20 05:58:04

Question


How can I, using the Azure Python API, create a full set of credentials that can later be used to start and deallocate all VMs in a named resource group, without any other permissions?

I have thoroughly researched the example code and both official and unofficial documentation, but I don't even know where to start...

I know I will need a tenant ID, client ID, client secret and subscription ID. Which of those can I make using an API, and how would I go about assigning roles to allow for starting/deallocating VMs of an existing resource group?

Sample code highly sought after, but will take any hint!


Answer 1:


You need the azure-graphrbac package to create a Service Principal:

  • https://docs.microsoft.com/python/api/overview/azure/activedirectory

The closest thing to a sample might be this unit test:

  • https://github.com/Azure/azure-sdk-for-python/blob/master/sdk/graphrbac/azure-graphrbac/tests/test_graphrbac.py

For role and permissions, you need azure-mgmt-authorization:

  • https://docs.microsoft.com/python/api/overview/azure/authorization

The best sample for this one is probably the sub-part of this sample:

  • https://github.com/Azure-Samples/compute-python-msi-vm#role-assignement-to-the-msi-credentials

"msi_identity" is a synonym of "service principal" in your context.

Note that all of this is supported by the CLI v2.0:

  • https://docs.microsoft.com/cli/azure/ad/sp
  • https://docs.microsoft.com/cli/azure/role/assignment

It might be interesting to test the CLI in --debug mode and sniff around in the code repo at the same time:

  • https://github.com/Azure/azure-cli

(full disclosure, I work at MS in the Azure SDK for Python team)
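The following is an added example, not part of the original answer or of any Azure SDK sample: it builds the request bodies for a custom role that grants only VM start and deallocate on one resource group, plus a check that the role grants nothing broader. The role name, function names and sample IDs are assumptions; the bodies follow the Azure Resource Manager `Microsoft.Authorization` REST shape and can be sent with whichever client you use.

```python
import uuid

# Real Azure resource-provider operations; nothing else is granted.
# Add "Microsoft.Compute/virtualMachines/read" only if the client must list or inspect VMs.
VM_POWER_ACTIONS = (
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/deallocate/action",
)

def rg_scope(subscription_id, resource_group):
    return f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"

def role_definition_body(scope, role_name="VM Start/Deallocate Operator"):
    """Body for PUT {scope}/providers/Microsoft.Authorization/roleDefinitions/{guid}."""
    return {"properties": {
        "roleName": role_name,  # hypothetical name
        "description": "Start and deallocate VMs in one resource group only.",
        "type": "CustomRole",
        "permissions": [{"actions": list(VM_POWER_ACTIONS), "notActions": [],
                         "dataActions": [], "notDataActions": []}],
        "assignableScopes": [scope],
    }}

def role_assignment(scope, role_definition_id, principal_object_id):
    """Return (name, body) for PUT {scope}/providers/Microsoft.Authorization/roleAssignments/{name}."""
    # Deterministic GUID so re-running the provisioning script reuses the same assignment.
    key = f"{scope}|{role_definition_id}|{principal_object_id}"
    name = str(uuid.uuid5(uuid.NAMESPACE_URL, key))
    body = {"properties": {
        "roleDefinitionId": role_definition_id,  # id returned when the role was created
        "principalId": principal_object_id,      # service principal object ID, not the client ID
        "principalType": "ServicePrincipal",
    }}
    return name, body

def least_privilege_violations(role_body, scope):
    """List every way the role grants more than start/deallocate on this resource group."""
    props, problems = role_body["properties"], []
    for perm in props["permissions"]:
        for action in perm.get("actions", []):
            if "*" in action or action not in VM_POWER_ACTIONS:
                problems.append(f"unexpected action: {action}")
        if perm.get("dataActions"):
            problems.append("dataActions must be empty")
    for assignable in props["assignableScopes"]:
        if assignable.lower() != scope.lower():
            problems.append(f"scope broader or different: {assignable}")
    return problems
```

Run `least_privilege_violations` on the role body before creating the role, and again on any role definition read back from the subscription, to catch wildcard actions or a subscription-wide scope.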



Source: https://stackoverflow.com/questions/47958126/create-service-principal-programmatically-in-azure-python-api
