The first thing we are going to do today, is discuss the setup of a resource group to hold all of the news components. Here are the tasks I want to accomplish:
1) Create a Service Principal (with password) for managing the Sleepy Security News resource group
2) Create an ARM template to host all the resources
3) Assign the contributor permission to the service principal for this resource group
Creating a Service Principal
Creating a service principal is actually quite easy with the new powershell commandlets. You can find instructions here. I opted to create a service principal with password rather than certificate. Your decision here will strictly depend on your security needs and what fits best with your organization.
The following code snippit outlines the key steps:
PS C:\WINDOWS\system32> $ssnAppCredentials = (Get-Credential) PS C:\WINDOWS\system32> $ssnApp = New-AzureRMADApplication -DisplayName "ssnApp" -HomePage "http://news.sleepysecurity.ninja" -IdentifierUris "http://news.sleepysecurity.ninja" -Password $ssnAppCredentials.Password PS C:\WINDOWS\system32> New-AzureRmADServicePrincipal -ApplicationId $ssnApp.ApplicationId
Essentially this creates a service principal in AAD, but does not assign it any roles or permissions.
Create a base Resource Group and Assign the Role
Being a developer, I've opted to use Visual Studio as my engine for creating ARM templates. You can see the setup steps for this here. In my case, the only resource that I will be adding is the permissions for the service principal. Therefore, my template that I started with is blank.
Role permissions can be assigned via ARM templates, but it is a little tricky. The github example can be found here.
A couple of notes about this template:
- The API version has changed, so you will be prompted to update it. It should be "2014-10-01-preview"
- The name of this resource needs to be a GUID. There is currently no way to make a guid in ARM templates, so you will need to assign one
- You will need the application object ID, which can be found when you create the new service principal, or by simply running the equivalent get command.
- The role types are also GUIDs and are hard coded. I haven't experimented how to make this work with custom roles, but the examples in github repo works.
When all is said and done, and you have deployed the template, you should see the following permissions/roles assigned:
Access = Assigned means that it was assigned at this level (as opposed to inherited). Contributor was the role I had selected.
Now that the base has been created, I can start adding and securing resources within this resource group.