How do I properly create service principal secret in Azure

artisticcheese · February 10, 2023, 11:54pm

I’m trying to figure out the difference between this 2 resources (azuread_service_principal_password and azuread_application_password) . I’m creating with code below and expected it to create service principal


resource "azuread_application" "sp-application" {
  display_name = "${azurerm_storage_account.dataplatform.name}-app"
  owners       = local.owners
  tags         = ["Auto-rotate"]
}

resource "azuread_service_principal" "sp-serviceprincipal" {
  application_id               = azuread_application.sp-application.application_id
  app_role_assignment_required = false
  owners                       = local.owners
  notes                        = "Service principal for Databricks application to access storage account"
  tags                         = ["Auto-rotate"]
}

resource "azuread_service_principal_password" "sp-password" {
  service_principal_id = azuread_service_principal.sp-serviceprincipal.object_id
  rotate_when_changed = {
    rotation = time_rotating.sp-password-rotation.id
  }
}

It does create a password which I can capture in output but I don’t see this password as part of service principal secret in portal. Objecty_id being returned actually is object_id of application itself and not service principal derived from it. I don’t see any option to see any passwords present in Enterprise Application either. Confused about what password being created and where.

b0bu · July 10, 2023, 3:23pm

azuread_service_principal creates an enterprise application, and azuread_service_principal_password sets a credential for that.

azuread_application creates an application registrations and azuread_application_password sets a password for that.

When creating azuread_application_password it takes a good 10 minutes before it shows in the portal.

artisticcheese · July 10, 2023, 5:06pm

Thanks,

Naming seems to be backwards though I expected azuread_application to create Enterprise Application and azuread_service_principal to create App Registration instead.

b0bu · July 10, 2023, 8:42pm

Yea it is confusing.

You actually need both azuread_application and azuread_service_principal if your going to do role assignments. The oid of the latter is used as the principal_id at assignment time, but the application_id and password value of the former are used to authenticate to the resource.

Go figure