I would like to use a service principal account to run a Powershell script that creates Azure resources, as suggested in this article about doing so when provisioning via TeamCity
I am able to create the service principal and assign it the 'Owner' role on the subscription, so in theory it should have rights to do anything in the Azure account. (I will adjust the rights later to just what is required by the principal.) The commands are basically the following:
Login-AzureRmAccount # using my Azure admin account
$azureAdApplication = New-AzureRmADApplication -DisplayName "Deploy" -HomePage "https://deploy" -IdentifierUris "https://deploy" -Password "password"
New-AzureRmADServicePrincipal -ApplicationId $azureAdApplication.ApplicationId
New-AzureRmRoleAssignment -RoleDefinitionName Owner -ServicePrincipalName $azureAdApplication.ApplicationId
$subscription = Get-AzureRmSubscription
$creds = Get-Credential
Login-AzureRmAccount -Credential $creds -ServicePrincipal -Tenant $subscription.TenantId
However, when I then run a Powershell script that provisions resources, I get the following warnings when creating a Key Vault:
- Insufficient privileges to complete the operation
- Access policy is not set. No user or application have access permission to use this vault. Please use Set-AzureRmKeyVaultAccessPolicy to set access policies
I don't get these warnings when creating the Key Vault via my own admin account. How do I give a service principal sufficient privileges to be able to create resources in an Azure subscription without getting permissions issues?