---
title: Create an Azure service principal with Node.js
description: Learn how to use service principal authentication via Node.js
author: karlerickson
manager: douge
ms.author: karler
ms.date: 06/17/2017
ms.topic: article
ms.prod: azure
ms.devlang: nodejs
ms.service: azure-nodejs
---
When an app needs to access resources, you can set up an identity for the app and authenticate the app with its own credentials. This identity is known as a service principal. Essentially, you create keys for your Azure Active Directory account that you provide to the SDK to authenticate rather than requiring user intervention or username/password.
The service principal approach enables you to:
- Assign permissions to the app identity that are different from your own permissions. Typically, these permissions are restricted to exactly what the app needs to do.
- Use a certificate for authentication when running an unattended script.
This topic shows you three techniques for creating a service principal.
- Azure portal
- Azure CLI 2.0
- Azure SDK for Node.js
Follow the steps outlined in the topic, Use portal to create an Azure Active Directory application and service principal that can access resources, to generate the service principal.
Creating a service principal using the Azure CLI 2.0 can be accomplished with the following steps:

1. Download the Azure CLI 2.0.

2. Open a terminal window.

3. Type the following command to start the login process:

   ```bash
   $ az login
   ```

4. Calling `az login` results in a URL and a code. Browse to the specified URL, enter the code, and log in with your Azure identity (this may happen automatically if you're already logged in). You'll then be able to access your account via the CLI.

5. Get your subscription and tenant ID:

   ```bash
   $ az account list
   ```

   The following shows an example of the output:

   ```json
   {
     "cloudName": "AzureCloud",
     "id": "<subscriptionId>",
     "isDefault": true,
     "name": "<subscriptionName>",
     "registeredProviders": [],
     "state": "Enabled",
     "tenantId": "<tenantId>",
     "user": {
       "name": "hello@example.com",
       "type": "user"
     }
   }
   ```

   Note the subscription ID as it will be used in Step 7.

6. Create a service principal to get a JSON object containing the other pieces of information you need to authenticate with Azure.

   ```bash
   $ az ad sp create-for-rbac
   ```

   The following shows an example of the output:

   ```json
   {
     "appId": "<appId>",
     "displayName": "<displayName>",
     "name": "<name>",
     "password": "<password>",
     "tenant": "<tenant>"
   }
   ```

   Note the tenant, name, and password values as they'll be used in Step 7.

7. Set up the environment variables, replacing the `<subscriptionId>`, `<tenant>`, `<name>`, and `<password>` placeholders with the values you obtained in steps 4 and 5.

   Using bash:

   ```bash
   export azureSubId='<subscriptionId>'
   export azureServicePrincipalTenantId='<tenant>'
   export azureServicePrincipalClientId='<name>'
   export azureServicePrincipalPassword='<password>'
   ```

   Using PowerShell:

   ```powershell
   $env:azureSubId='<subscriptionId>'
   $env:azureServicePrincipalTenantId='<tenant>'
   $env:azureServicePrincipalClientId='<name>'
   $env:azureServicePrincipalPassword='<password>'
   ```
To programmatically create a service principal using JavaScript, use the ServicePrincipal script.
Once you have a service principal, the following JavaScript code snippet illustrates how to use the service principal keys to authenticate with the Azure SDK for Node.js. Modify the following placeholders: `<clientId or appId>`, `<secret or password>`, and `<domain or tenant>`.

```javascript
const Azure = require('azure');
const MsRest = require('ms-rest-azure');

// Replace the placeholders with the values of your service principal.
MsRest.loginWithServicePrincipalSecret(
  '<clientId or appId>',
  '<secret or password>',
  '<domain or tenant>',
  (err, credentials) => {
    if (err) throw err;
    // Management clients take the credentials plus the subscription to operate on.
    const storageClient = Azure.createARMStorageManagementClient(credentials, '<azure-subscription-id>');
    // ..use the client instance to manage service resources.
  }
);
```
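The same login driven by the environment variables set in Step 7, so the secret never sits in source code, as an added example that is not part of the original article. It assumes ms-rest-azure 2.x, whose `loginWithServicePrincipalSecret` returns a promise when no callback is passed; the helper names (`loadServicePrincipalConfig`, `describeConfig`, `createStorageClient`) are this example's own.

```javascript
// Added example (not from the original article): authenticate with the
// service principal created above by reading the Step-7 environment
// variables instead of hard-coding the secret in source.
const REQUIRED_VARS = {
  subscriptionId: 'azureSubId',
  tenantId: 'azureServicePrincipalTenantId',
  clientId: 'azureServicePrincipalClientId',
  secret: 'azureServicePrincipalPassword',
};

// Build the credential settings from an environment object (process.env by
// default). Fails fast and names the missing variables, but never echoes
// the secret value itself.
function loadServicePrincipalConfig(env = process.env) {
  const missing = Object.values(REQUIRED_VARS).filter((name) => !env[name]);
  if (missing.length > 0) {
    throw new Error(`Missing environment variables: ${missing.join(', ')}`);
  }
  const config = {};
  for (const [key, name] of Object.entries(REQUIRED_VARS)) {
    config[key] = env[name];
  }
  return config;
}

// Redacted view of the config that is safe to write to logs.
function describeConfig(config) {
  return {
    subscriptionId: config.subscriptionId,
    tenantId: config.tenantId,
    clientId: config.clientId,
    secret: '<redacted>',
  };
}

// Log in with ms-rest-azure and return a storage management client.
// Uses the promise form of loginWithServicePrincipalSecret (no callback).
// The require() calls sit inside the function so the helpers above can be
// exercised without the Azure packages installed.
async function createStorageClient(env = process.env) {
  const config = loadServicePrincipalConfig(env);
  const MsRest = require('ms-rest-azure');
  const Azure = require('azure');
  const credentials = await MsRest.loginWithServicePrincipalSecret(
    config.clientId, config.secret, config.tenantId);
  return Azure.createARMStorageManagementClient(credentials, config.subscriptionId);
}
```

Call `createStorageClient()` after exporting the four variables; a missing variable fails before any network call with a message that lists the variable names only.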