How do I properly create service principal secret in Azure

artisticcheese · February 10, 2023, 11:54pm

I’m trying to figure out the difference between this 2 resources (azuread_service_principal_password and azuread_application_password) . I’m creating with code below and expected it to create service principal


resource "azuread_application" "sp-application" {
  display_name = "${azurerm_storage_account.dataplatform.name}-app"
  owners       = local.owners
  tags         = ["Auto-rotate"]
}

resource "azuread_service_principal" "sp-serviceprincipal" {
  application_id               = azuread_application.sp-application.application_id
  app_role_assignment_required = false
  owners                       = local.owners
  notes                        = "Service principal for Databricks application to access storage account"
  tags                         = ["Auto-rotate"]
}

resource "azuread_service_principal_password" "sp-password" {
  service_principal_id = azuread_service_principal.sp-serviceprincipal.object_id
  rotate_when_changed = {
    rotation = time_rotating.sp-password-rotation.id
  }
}

It does create a password which I can capture in output but I don’t see this password as part of service principal secret in portal. Objecty_id being returned actually is object_id of application itself and not service principal derived from it. I don’t see any option to see any passwords present in Enterprise Application either. Confused about what password being created and where.

b0bu · July 10, 2023, 3:23pm

azuread_service_principal creates an enterprise application, and azuread_service_principal_password sets a credential for that.

azuread_application creates an application registrations and azuread_application_password sets a password for that.

When creating azuread_application_password it takes a good 10 minutes before it shows in the portal.

artisticcheese · July 10, 2023, 5:06pm

Thanks,

Naming seems to be backwards though I expected azuread_application to create Enterprise Application and azuread_service_principal to create App Registration instead.

b0bu · July 10, 2023, 8:42pm

Yea it is confusing.

You actually need both azuread_application and azuread_service_principal if your going to do role assignments. The oid of the latter is used as the principal_id at assignment time, but the application_id and password value of the former are used to authenticate to the resource.

Go figure

PhanindraReddyP · June 9, 2024, 10:57am

Hello @b0bu,

So, I don’t actually need “azuread_service_principal_password” to create, right ?
only below are enough, right ?
azuread_application, azuread_application_password - For Authentication
azuread_service_principal - For RBAC

Thanks.

Topic		Replies	Views
How do I import an Azure AD Service Principal Password into Terraform? Terraform	1	1242	September 25, 2020
Azuread_service_principal permissions Directory.ReadWrite.All Azure azure	2	1186	January 25, 2022
Dynamically generate Service Principal with Azure secret backend Vault	0	310	June 5, 2023
Azuread_application_password rotation Terraform Providers azure	1	1782	February 4, 2022
How to mimic az ad sp create-for-rbac in terraform? Azure	0	1366	February 7, 2022

How do I properly create service principal secret in Azure

Related topics