3
votes

problem statement
Currently, I am in the process of creating/modifying Azure resources in different subscriptions with the help of Azure Terraform.

error

Principal <appid> does not exist in the directory {destination-tenant-id-for which contribution role required}

Consider the following scenario.
We want to create an Azure AKS cluster in one subscription and, in the same execution, update a DNS zone defined in another subscription. This process works well if both the DNS zone and the AKS cluster are in the same subscription, but it will not work if these two resources are in different subscriptions.

Steps taken
Create a service principal without role assignment:

az ad sp create-for-rbac -n sp-terraform-001 --skip-assignment

Assign the Contributor role to the current SP for the current subscription:

az role assignment create --assignee <appid>  --role Contributor --scope /subscriptions/<sub-id>

*Assign the Contributor role to the current SP for a different subscription. It fails with the error above:*

az role assignment create --assignee <appid>  --role Contributor --scope /subscriptions/<diff-sub-id>/<resource-group>....

Please let me know the correct steps to access resources in another subscription.

2
What's the error? - 4c74356b41
Are these subscriptions in the same Azure AD tenant? - Jamie
Both of these subscriptions are in different tenant IDs. I am getting an error like "Principal <appid> does not exist in the directory <destination-tenant-id-for which contribution role required>". As per this error, I assume I need to add the newly created SP in the destination subscription. - Ganesh Pol

2 Answers

3
votes

You can assign rights to a service principal to multiple subscriptions, that is not an issue, as the SP sits outside of the subscription, it is in Azure AD.

However, you cannot assign rights to resources in a different Azure AD tenant to the one the service principal sits in, which it sounds like you are trying to do here.

1
votes

First create a service principal in the tenant against which the 'different' subscription is attached, passing the appid assigned to the existing service principal. I'll attempt to explain in commands...

az login --tenant <tenant_requiring_new_sp> --subscription <diff-sub-id>
az ad sp create --id <appid>
az role assignment create --assignee <appid> --role Contributor --scope /subscriptions/<diff-sub-id>

Yes, the appid (originally) belongs to a service principal in a different tenant, but a service principal is unique to a tenant (with its own objectid), and it's the service principal against which roles are assigned. However, when passing an appid on creation of a service principal, you're instructing Azure AD to use the same appid for the new service principal, which is then created with a new and unique objectid (that is ultimately used for role assignment, not the appid).

If you're a programmer, it might help to think of a service principal as an 'instance' of an app registration, where the app registration is more like a class definition. As such, it's the service principal 'instance' that has substance against which roles can be assigned, not the definition.
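To show how the two service principals (same appid, one per tenant) are consumed from Terraform, here is an added example that is not part of the answer above or of the Terraform project. It assumes the app registration has been set to a multi-tenant sign-in audience (required for `az ad sp create --id <appid>` to succeed in the second tenant), and all ids, names and the `example.com` zone are placeholders.

```hcl
# Added example: one app registration (client_id) used against two tenants.
# Each provider block requests its token from its own tenant, so the role
# assignment on the service principal created in that tenant is what applies.

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

variable "client_id" {
  type = string # the shared <appid>
}

variable "client_secret" {
  type      = string
  sensitive = true
}

# Home tenant / subscription: where the AKS cluster is created.
provider "azurerm" {
  features {}
  tenant_id       = "<home-tenant-id>"
  subscription_id = "<sub-id>"
  client_id       = var.client_id
  client_secret   = var.client_secret
}

# Destination tenant / subscription: where the DNS zone lives. Same appid,
# different tenant, so the SP created with `az ad sp create --id <appid>`
# and granted Contributor on <diff-sub-id> is the identity used here.
provider "azurerm" {
  alias           = "dns"
  features {}
  tenant_id       = "<destination-tenant-id>"
  subscription_id = "<diff-sub-id>"
  client_id       = var.client_id
  client_secret   = var.client_secret
}

# Read the ingress IP in the home subscription (placeholder names).
data "azurerm_public_ip" "ingress" {
  name                = "<aks-ingress-public-ip-name>"
  resource_group_name = "<aks-node-resource-group>"
}

# Write the record into the zone in the other tenant's subscription.
resource "azurerm_dns_a_record" "ingress" {
  provider            = azurerm.dns
  name                = "ingress"
  zone_name           = "example.com"
  resource_group_name = "<resource-group>"
  ttl                 = 300
  records             = [data.azurerm_public_ip.ingress.ip_address]
}
```

If `terraform plan` still reports that the principal does not exist in the destination directory, check `az ad sp show --id <appid>` while logged in to that tenant: the object there must exist before the role assignment, and it is that object's id, not the appid, that the assignment is bound to.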