Support for Service Principal with certificate (no password)

Azure-Samples · Mar 4, 2024 · eb25c70 · eb25c70
1 parent c56833c
commit eb25c70
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 6 deletions.
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -1,6 +1,6 @@
 {
   "name": "Terraform AzureCLI and Kubectl",
-  "postAttachCommand": "bash .devcontainer/script.sh",
+  "postAttachCommand": "source .devcontainer/script.sh",
   "customizations": {
     "vscode": {
       "extensions": [
@@ -25,4 +25,4 @@
     "ghcr.io/dhoeric/features/stern:1": {},
     "ghcr.io/devcontainers-contrib/features/kubectx-kubens:1": {}
   }
-}
+}
diff --git a/.devcontainer/script.sh b/.devcontainer/script.sh
@@ -5,9 +5,9 @@ if [ -z "$ARM_CLIENT_ID" ]; then
     exit 0
 fi
 
-# Check if $ARM_CLIENT_SECRET exists
-if [ -z "$ARM_CLIENT_SECRET" ]; then
-    echo "ARM_CLIENT_SECRET is not set"
+# Check if either $ARM_CLIENT_SECRET or $ARM_CLIENT_CERTIFICATE is set
+if [ -z "$ARM_CLIENT_SECRET" ] && [ -z "$ARM_CLIENT_CERTIFICATE" ]; then
+    echo "Either ARM_CLIENT_SECRET or ARM_CLIENT_CERTIFICATE should be set"
     exit 0
 fi
 
@@ -23,4 +23,16 @@ if [ -z "$ARM_SUBSCRIPTION_ID" ]; then
     exit 0
 fi
 
-az login --service-principal -u $ARM_CLIENT_ID -p $ARM_CLIENT_SECRET --tenant $ARM_TENANT_ID
+# If ARM_CLIENT_CERTIFICATE is set, decode it and save to a temp file
+if [ -n "$ARM_CLIENT_CERTIFICATE" ]; then
+    echo "$ARM_CLIENT_CERTIFICATE" | base64 -d > /tmp/certfile.pem
+    export ARM_CLIENT_CERTIFICATE_PATH="/tmp/certfile.pfx"
+    export ARM_CLIENT_CERTIFICATE_PASSWORD=$(date '+%s')
+    echo "$ARM_CLIENT_CERTIFICATE" | base64 -d | openssl pkcs12 -export -password pass:"${ARM_CLIENT_CERTIFICATE_PASSWORD}" -out $ARM_CLIENT_CERTIFICATE_PATH
+    unset ARM_CLIENT_CERTIFICATE
+    az login --service-principal -u $ARM_CLIENT_ID --tenant $ARM_TENANT_ID -p /tmp/certfile.pem
+
+else
+    # Otherwise, use ARM_CLIENT_SECRET
+    az login --service-principal -u $ARM_CLIENT_ID -p $ARM_CLIENT_SECRET --tenant $ARM_TENANT_ID
+fi
diff --git a/README.md b/README.md
@@ -24,6 +24,12 @@ The easiest way to run this sample is to run it creating a new [GitHub Codespace
     az ad sp create-for-rbac --role="Owner" --scopes="/subscriptions/<SUBSCRIPTION_ID>" -o json
     ```
 
+  Note: If your organization has a policy prohibiting Service Principals with passwords on the tenant, create a Service Principal with a certificate:
+
+    ```
+    az ad sp create-for-rbac --role="Owner" --scopes="/subscriptions/<SUBSCRIPTION_ID>" --create-cert -o json
+
+
 - In your github account go to Codespaces and Create a new Codespace with "Azure-Sample/azure-openai-terraform-deployment-sample" repository and select the main branch.
 
     ![codespace_create](./images/codespace-create.png)
@@ -32,6 +38,8 @@ The easiest way to run this sample is to run it creating a new [GitHub Codespace
 
     ![codespace_secrets](./images/codespace_secrets.png)
 
+  Note: if using Service Principal certificate set `ARM_CLIENT_CERTIFICATE` as `ARM_CLIENT_CERTIFICATE=$(cat cert-and-private-key.pem| base64)`
+
 - Follow this link to create a new [GitHub Codespace](https://codespaces.new/Azure-Samples/azure-openai-terraform-deployment-sample).
 
 [![Open in GitHub Codespaces](https://github.com/codespaces/badge.svg)](https://codespaces.new/Azure-Samples/azure-openai-terraform-deployment-sample)