Infrastructure as Code example using Terraform to create an Azure Service Principal and store its credentials in Key Vault.
- Mass automation of Service Principal creation is a common use case for central IT teams.
- Advantage: saving the service principal password expiration date in Key Vault lets you set up other automation to rotate secrets.
ARM templates cannot create service principals, which are Azure AD resources. Instead of creating them with the CLI and querying JSON outputs, we will just use Terraform.
This code example:
- Creates an Azure Resource Group
- Creates an Azure Key Vault
- Gives the current ARM client access to manage secrets in the Key Vault (in order to save secrets)
- Creates a new Azure Service Principal (SP)
- Stores the SP client ID in Key Vault
- Stores the SP client secret in Key Vault
- Scopes the SP to the resource group
Note: a randomly generated suffix is included in resource names because Key Vault names must be globally unique.
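The configuration the list above describes, written out here as an added example rather than the page's own code. It assumes the hashicorp/azurerm (~> 3.0), hashicorp/azuread (~> 2.0), hashicorp/random and hashicorp/time providers, the westeurope region, the Contributor role for the SP (the page does not name a role), a 90-day secret lifetime, and the secret and output names used by the commands further down the page (demo-secret, demo_secret, key_vault_name). The expiration date written to the Key Vault secret is the same rotation timestamp that bounds the SP password, which is the hook a rotation job can read.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.0" }
    azuread = { source = "hashicorp/azuread", version = "~> 2.0" }
    random  = { source = "hashicorp/random", version = "~> 3.0" }
    time    = { source = "hashicorp/time", version = "~> 0.9" }
  }
}

provider "azurerm" {
  features {}
}

# Identity running `terraform apply`: supplies tenant ID and the object ID
# that is granted write access to the vault.
data "azurerm_client_config" "current" {}

# Random 4-character suffix so the Key Vault name is globally unique.
resource "random_string" "suffix" {
  length  = 4
  upper   = false
  special = false
}

locals {
  prefix   = "tf-kv-demo-${random_string.suffix.result}"
  location = "westeurope" # assumed region
}

resource "azurerm_resource_group" "demo" {
  name     = "${local.prefix}-rg"
  location = local.location
}

resource "azurerm_key_vault" "demo" {
  name                = "${local.prefix}-kv"
  location            = azurerm_resource_group.demo.location
  resource_group_name = azurerm_resource_group.demo.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"
}

# Let the current ARM client manage secrets in the vault so it can store them.
resource "azurerm_key_vault_access_policy" "current" {
  key_vault_id       = azurerm_key_vault.demo.id
  tenant_id          = data.azurerm_client_config.current.tenant_id
  object_id          = data.azurerm_client_config.current.object_id
  secret_permissions = ["Get", "List", "Set", "Delete", "Purge", "Recover"]
}

# An Azure AD application plus the service principal that represents it.
resource "azuread_application" "sp" {
  display_name = "${local.prefix}-rg-sp"
}

resource "azuread_service_principal" "sp" {
  application_id = azuread_application.sp.application_id
}

# Rotation clock: a new timestamp every 90 days (assumed period) forces a new
# password on the next apply and bounds the password's validity.
resource "time_rotating" "sp_secret" {
  rotation_days = 90
}

resource "azuread_application_password" "sp" {
  application_object_id = azuread_application.sp.object_id
  end_date              = time_rotating.sp_secret.rotation_rfc3339
  rotate_when_changed = {
    rotation = time_rotating.sp_secret.id
  }
}

# Scope the SP to the resource group only (role is an assumption).
resource "azurerm_role_assignment" "sp" {
  scope                = azurerm_resource_group.demo.id
  role_definition_name = "Contributor"
  principal_id         = azuread_service_principal.sp.object_id
}

resource "azurerm_key_vault_secret" "client_id" {
  name         = "demo-client-id"
  value        = azuread_application.sp.application_id
  key_vault_id = azurerm_key_vault.demo.id
  depends_on   = [azurerm_key_vault_access_policy.current]
}

# The client secret, with the same expiry as the SP password so rotation
# automation can query Key Vault for secrets about to expire.
resource "azurerm_key_vault_secret" "client_secret" {
  name            = "demo-secret"
  value           = azuread_application_password.sp.value
  key_vault_id    = azurerm_key_vault.demo.id
  expiration_date = time_rotating.sp_secret.rotation_rfc3339
  depends_on      = [azurerm_key_vault_access_policy.current]
}

output "key_vault_name" {
  value = azurerm_key_vault.demo.name
}

output "demo_secret" {
  value     = azuread_application_password.sp.value
  sensitive = true
}
```

The `depends_on` on both secrets matters: without it Terraform may try to write the secret before the access policy exists and fail with a 403. The secret value also lands in the Terraform state file, so the state backend needs the same protection you would give the vault.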
| Resource | Name |
|---|---|
| Resource Group | tf-kv-demo-e6vh-rg |
| Service Principal | tf-kv-demo-e6vh-rg-sp |
| Key Vault | tf-kv-demo-e6vh-kv |
This example is meant to be run locally, so first make sure you have logged into Azure:

```
az login
```

Initialize Terraform:

```
terraform init
```

Run the plan command to see what resources Terraform will create:

```
terraform plan -out plan.tfplan
```

If you are satisfied with the plan, apply it:

```
terraform apply plan.tfplan
```
First, see which secret Terraform used for the service principal:

```
terraform output demo_secret
```

Then compare with the value in Key Vault, which should be the same:

```
az keyvault secret show \
  --name demo-secret \
  --vault $(terraform output key_vault_name | tr -d '"') | jq '.value'
```
Note that because this example generates random suffixes, we also need to ask Terraform for the Key Vault name.
When you are finished, remove the example resources with the destroy command:

```
terraform destroy
```