Support for Service Principal with certificate (no password)

.devcontainer/devcontainer.json

@@ -1,6 +1,6 @@
 {
   "name": "Terraform AzureCLI and Kubectl",
-  "postAttachCommand": "bash .devcontainer/script.sh",
+  "postAttachCommand": "source .devcontainer/script.sh",
   "customizations": {
     "vscode": {
       "extensions": [
@@ -25,4 +25,4 @@
     "ghcr.io/dhoeric/features/stern:1": {},
     "ghcr.io/devcontainers-contrib/features/kubectx-kubens:1": {}
   }
-}
+}

.devcontainer/script.sh

@@ -5,9 +5,9 @@ if [ -z "$ARM_CLIENT_ID" ]; then
     exit 0
 fi
 
-# Check if $ARM_CLIENT_SECRET exists
-if [ -z "$ARM_CLIENT_SECRET" ]; then
-    echo "ARM_CLIENT_SECRET is not set"
+# Check if both $ARM_CLIENT_SECRET and $ARM_CLIENT_CERTIFICATE are empty
+if [ -z "$ARM_CLIENT_SECRET" ] && [ -z "$ARM_CLIENT_CERTIFICATE" ]; then
+    echo "Either ARM_CLIENT_SECRET or ARM_CLIENT_CERTIFICATE should be set"
     exit 0
 fi
 
@@ -23,4 +23,16 @@ if [ -z "$ARM_SUBSCRIPTION_ID" ]; then
     exit 0
 fi
 
-az login --service-principal -u $ARM_CLIENT_ID -p $ARM_CLIENT_SECRET --tenant $ARM_TENANT_ID
+# If ARM_CLIENT_CERTIFICATE is set, decode it and save to a temp file
+if [ -n "$ARM_CLIENT_CERTIFICATE" ]; then
+    echo "$ARM_CLIENT_CERTIFICATE" | base64 -d > /tmp/certfile.pem
+    export ARM_CLIENT_CERTIFICATE_PATH="/tmp/certfile.pfx"
+    export ARM_CLIENT_CERTIFICATE_PASSWORD=$(date '+%s')
+    echo "$ARM_CLIENT_CERTIFICATE" | base64 -d | openssl pkcs12 -export -password pass:"${ARM_CLIENT_CERTIFICATE_PASSWORD}" -out $ARM_CLIENT_CERTIFICATE_PATH
+    unset ARM_CLIENT_CERTIFICATE
+    az login --service-principal -u $ARM_CLIENT_ID --tenant $ARM_TENANT_ID -p /tmp/certfile.pem
+
+else
+    # Otherwise, use ARM_CLIENT_SECRET
+    az login --service-principal -u $ARM_CLIENT_ID -p $ARM_CLIENT_SECRET --tenant $ARM_TENANT_ID
+fi

README.md

@@ -24,6 +24,12 @@ The easiest way to run this sample is to run it creating a new [GitHub Codespace
     az ad sp create-for-rbac --role="Owner" --scopes="/subscriptions/<SUBSCRIPTION_ID>" -o json
     ```
 
+  Note: If your organization has a policy prohibiting Service Principals with passwords on the tenant, create a Service Principal with a certificate:
+
+    ```
+    az ad sp create-for-rbac --role="Owner" --scopes="/subscriptions/<SUBSCRIPTION_ID>" --create-cert -o json
+
+
 - In your github account go to Codespaces and Create a new Codespace with "Azure-Sample/azure-openai-terraform-deployment-sample" repository and select the main branch.
 
     ![codespace_create](./images/codespace-create.png)
@@ -32,6 +38,8 @@ The easiest way to run this sample is to run it creating a new [GitHub Codespace
 
     ![codespace_secrets](./images/codespace_secrets.png)
 
+  Note: if using Service Principal certificate set `ARM_CLIENT_CERTIFICATE` as `ARM_CLIENT_CERTIFICATE=$(cat cert-and-private-key.pem| base64)`
+
 - Follow this link to create a new [GitHub Codespace](https://codespaces.new/Azure-Samples/azure-openai-terraform-deployment-sample).
 
 [![Open in GitHub Codespaces](https://github.com/codespaces/badge.svg)](https://codespaces.new/Azure-Samples/azure-openai-terraform-deployment-sample)