0 votes

I have an ARM template that creates an Azure Key Vault followed by an Azure Kubernetes Service. The problem is that the Azure Kubernetes Service needs a service principal's Client ID and Client Secret passed in the first time I create it. So I run application.json without the kubernetes_servicePrincipalClientId and kubernetes_servicePrincipalClientSecret parameters in the production.parameters.json file:

application.json

{
  "comments": "Kubernetes Service Principal Client ID",
  "type": "Microsoft.KeyVault/vaults/secrets",
  "name": "[concat(parameters('key_vault_name'), '/KubernetesServicePrincipalClientId')]",
  "apiVersion": "2018-02-14",
  "properties": {
    "contentType": "text/plain",
    "value": "[parameters('kubernetes_servicePrincipalClientId')]"
  }
},
{
  "comments": "Kubernetes Service Principal Client Secret",
  "type": "Microsoft.KeyVault/vaults/secrets",
  "name": "[concat(parameters('key_vault_name'), '/KubernetesServicePrincipalClientSecret')]",
  "apiVersion": "2018-02-14",
  "properties": {
    "contentType": "text/plain",
    "value": "[parameters('kubernetes_servicePrincipalClientSecret')]"
  }
}

The second time I run the ARM template, I add the following lines to my production.parameters.json file, so that the Client ID and Client Secret are retrieved from Azure Key Vault where they were stored the first time I ran the ARM template.

production.parameters.json

"kubernetes_servicePrincipalClientId": {
  "reference": {
    "keyVault": {
      "id": "/subscriptions/[Subscription Id]/resourcegroups/[Resource Group Name]/providers/Microsoft.KeyVault/vaults/[Vault Name]"
    },
    "secretName": "KubernetesServicePrincipalClientId"
  }
},
"kubernetes_servicePrincipalClientSecret": {
  "reference": {
    "keyVault": {
      "id": "/subscriptions/[Subscription Id]/resourcegroups/[Resource Group Name]/providers/Microsoft.KeyVault/vaults/[Vault Name]"
    },
    "secretName": "KubernetesServicePrincipalClientSecret"
  }
}

Unfortunately it looks like you can't create a service principal in an ARM template. Is there a better way to configure all this in an automated way, so that regardless of whether I'm running the template for the first time or the second time, I don't have to perform any manual steps?

1 vote
Can you provide the document you refer to? (Jim Xu)

1 Answer

3 votes

No, those APIs are not exposed to ARM; there is no way of managing a service principal with an ARM template. You can, however, create a script that will provision the service principal and pass its details to the ARM template, or you can use some sort of tool to handle all of this for you (Pulumi/Terraform/Ansible).
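The "script that provisions the service principal and passes its details to the template" approach, as an added example that is not part of the question or the answer. It automates exactly the two-phase flow the question describes: on the first run it creates the service principal with the Azure CLI and hands the template plain parameter values (which the template's vault/secrets resources then store in Key Vault); on every later run it finds those secrets in the vault and hands the template Key Vault references instead, so the same command works both times. Assumptions: az CLI installed and logged in, the file names (application.json, production.parameters.json), parameter names and secret names from the question, and the RESOURCE_GROUP, KEY_VAULT_NAME and SP_NAME environment variables, which are this example's own.

```shell
#!/bin/sh
# bootstrap-aks-sp.sh: added example, not the question's or answer's own code.
# First run: create the SP with the CLI and pass plain values to the template.
# Later runs: pass Key Vault references for the secrets stored on the first run.
# Assumes az CLI (logged in); file, parameter and secret names from the question;
# RESOURCE_GROUP / KEY_VAULT_NAME / SP_NAME are this example's own variables.
set -eu

CLIENT_ID_SECRET="KubernetesServicePrincipalClientId"
CLIENT_SECRET_SECRET="KubernetesServicePrincipalClientSecret"
SCHEMA="https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#"

# --- pure helpers (no Azure calls) -------------------------------------------

# Vault resource ID in the form reference.keyVault.id expects.
vault_resource_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s\n' \
    "$1" "$2" "$3"
}

# Minimal JSON string escaping for inlined values: backslash first, then quote.
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Parameters file for runs 2..n: Key Vault references only, no secret material.
# Passed next to production.parameters.json, so the committed file stays clean.
write_reference_parameters() {
  kv_id=$(vault_resource_id "$1" "$2" "$3")
  cat <<EOF
{
  "\$schema": "$SCHEMA",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "kubernetes_servicePrincipalClientId": {
      "reference": { "keyVault": { "id": "$kv_id" }, "secretName": "$CLIENT_ID_SECRET" }
    },
    "kubernetes_servicePrincipalClientSecret": {
      "reference": { "keyVault": { "id": "$kv_id" }, "secretName": "$CLIENT_SECRET_SECRET" }
    }
  }
}
EOF
}

# Parameters file for the first run only: plain values. The caller writes it to a
# mode-0600 temp file and deletes it afterwards; it must never be committed.
write_value_parameters() {
  cat <<EOF
{
  "\$schema": "$SCHEMA",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "kubernetes_servicePrincipalClientId": { "value": "$(json_escape "$1")" },
    "kubernetes_servicePrincipalClientSecret": { "value": "$(json_escape "$2")" }
  }
}
EOF
}

# --- Azure-touching helpers --------------------------------------------------

secret_exists() {
  az keyvault secret show --vault-name "$1" --name "$2" -o none >/dev/null 2>&1
}

# Exactly one call: create-for-rbac on an existing display name resets its
# password. Default role assignment differs between CLI versions, so grant the
# roles AKS needs explicitly afterwards rather than relying on the default.
create_service_principal() {
  az ad sp create-for-rbac --name "$1" --query '[appId,password]' -o tsv
}

main() {
  rg=${RESOURCE_GROUP:?set RESOURCE_GROUP}
  vault=${KEY_VAULT_NAME:?set KEY_VAULT_NAME}
  sub=$(az account show --query id -o tsv)
  umask 077                      # temp parameters file is readable by us only
  params=$(mktemp)
  trap 'rm -f "$params"' EXIT

  if secret_exists "$vault" "$CLIENT_ID_SECRET" && secret_exists "$vault" "$CLIENT_SECRET_SECRET"; then
    echo "credentials found in $vault: deploying with Key Vault references"
    write_reference_parameters "$sub" "$rg" "$vault" >"$params"
  else
    echo "no credentials in $vault: first run, creating the service principal"
    creds=$(create_service_principal "${SP_NAME:-aks-sp}")   # tab-separated appId, password
    write_value_parameters "$(printf '%s' "$creds" | cut -f1)" \
                           "$(printf '%s' "$creds" | cut -f2)" >"$params"
  fi
  # Several --parameters arguments are merged; later ones override earlier ones.
  az deployment group create --resource-group "$rg" \
    --template-file application.json \
    --parameters @production.parameters.json --parameters @"$params"
}

# Act only on an explicit argument, so the helpers can be sourced or tested
# without touching Azure:  sh bootstrap-aks-sp.sh deploy
case "${1:-}" in
  deploy) main ;;
esac
```

Two caveats a practitioner should check before relying on this. Key Vault references in a parameters file only resolve if the vault already exists when the deployment starts, was created with enabledForTemplateDeployment set to true, and the identity running the deployment is allowed the Microsoft.KeyVault/vaults/deploy/action; that is why the first run cannot use references and passes values instead. The first-run path keeps the secret off the command line (a 0600 temp file, not a key=value argument), but the template should also declare both parameters as securestring rather than string, otherwise the values are retained in plain text in the deployment history.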