0
votes

I'm using the Azure Python SDK to deploy an Azure VM. I can create a VM with a Network Security Group without any issue via the Azure portal. However, I failed to create a Network Security Group using the API like this:

# Long-running create/update call for the NSG; returns a poller
async_nsg_create = network_client.network_security_groups.begin_create_or_update(
    GROUP_NAME,
    NSG_NAME,
    nsg_parameters
)

It always complains that I "does not have authorization to perform action 'Microsoft.Network/networkSecurityGroups/write'". However, I can create a Network Security Group via the Azure portal by clicking "create a resource" or adding a new resource in the Resource Group. I suspect I may have to create the NSG via ResourceManagementClient, but I couldn't find any useful info in the API doc: https://docs.microsoft.com/en-us/python/api/azure-mgmt-resource/azure.mgmt.resource.resourcemanagementclient?view=azure-python#models-api-version--2020-06-01--

I checked the solution in this issue: enter link description here, but failed at the step resource_client.providers.register('Microsoft.Compute'), which complains: "does not have authorization to perform action 'Microsoft.Compute/register/action'"

1
What credentials are being used by the script/code? Check this example for reference. Bhargavi Annadevara

1 Answer

1
votes

The error means your client does not have permission to perform the operations; you need to assign it an RBAC role on your resource group/subscription.

However, I can create a Network Security Group via the Azure portal by clicking "create a resource" or add new source in Resource Group.

In the portal, you are using the account logged in to the portal; if you are using the code here, it uses the credentials of the service principal, which is different.


Here is a complete sample that works for me; follow the steps below.

1. Register an application with Azure AD and create a service principal.

2. Get values for signing in and create a new application secret.

3. Navigate to the resource group or the subscription -> Access control (IAM) -> Add -> add the service principal of the AD App as an RBAC role, e.g. Contributor; for details follow this.

4. Then use the code below.

from azure.identity import ClientSecretCredential
from azure.mgmt.network import NetworkManagementClient
from azure.mgmt.network.v2020_06_01.models import NetworkSecurityGroup

# Service principal credentials; the principal must hold an RBAC role
# (e.g. Contributor) on the target resource group or subscription
tenant_id = "<tenant-id>"
client_id = "<client-id>"
client_secret = "<client-secret>"
subscription_id = "<subscription-id>"

credential = ClientSecretCredential(tenant_id, client_id, client_secret)
network_client = NetworkManagementClient(credential, subscription_id)

resource_group_name = "<group-name>"
nsg_name = "testnsg"

nsg_params = NetworkSecurityGroup(id=nsg_name, location="UK South", tags={"name": nsg_name})
# begin_create_or_update returns a poller; result() blocks until the NSG is provisioned
nsg = network_client.network_security_groups.begin_create_or_update(resource_group_name, nsg_name, parameters=nsg_params)
print(nsg.result().as_dict())


5. Check in the portal.


Update:

If you want to use the user account, you just need to use AzureCliCredential.

1. Install the Azure CLI, then log in to your account with az login in a local terminal, e.g. PowerShell.

2. After login, change the code like below and run it.

from azure.identity import AzureCliCredential
from azure.mgmt.network import NetworkManagementClient
from azure.mgmt.network.v2020_06_01.models import NetworkSecurityGroup

subscription_id = "<subscription-id>"

# Reuses the user account signed in with `az login`, so the call runs with
# that user's RBAC permissions rather than a service principal's
credential = AzureCliCredential()
network_client = NetworkManagementClient(credential, subscription_id)

resource_group_name = "<group-name>"
nsg_name = "testnsg"

nsg_params = NetworkSecurityGroup(id=nsg_name, location="UK South", tags={"name": nsg_name})
nsg = network_client.network_security_groups.begin_create_or_update(resource_group_name, nsg_name, parameters=nsg_params)
print(nsg.result().as_dict())
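Added example, not part of the original answer: an offline check of which RBAC role covers the actions named in the question's two error messages, so that step 3 can assign the narrowest role that suffices instead of defaulting to Contributor. The role definitions below are abbreviated and constructed for illustration, not Azure's authoritative built-in definitions.

```python
# Added example: evaluate Azure RBAC Actions/NotActions wildcards offline.
# ROLES is constructed, abbreviated sample data, not the real built-in roles.
import re

ROLES = {
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Network Contributor": {
        "Actions": ["Microsoft.Authorization/*/read", "Microsoft.Network/*",
                    "Microsoft.Resources/deployments/*",
                    "Microsoft.Resources/subscriptions/resourceGroups/read"],
        "NotActions": [],
    },
    "Contributor": {
        "Actions": ["*"],
        "NotActions": ["Microsoft.Authorization/*/Delete",
                       "Microsoft.Authorization/*/Write",
                       "Microsoft.Authorization/elevateAccess/Action"],
    },
}

def _matches(pattern, action):
    # RBAC action strings are case-insensitive; '*' matches any run of
    # characters, including '/' separators.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def role_allows(role, action):
    """A role grants an action if some Actions entry matches and no NotActions entry does."""
    allowed = any(_matches(p, action) for p in role["Actions"])
    denied = any(_matches(p, action) for p in role["NotActions"])
    return allowed and not denied

def missing_actions(role_names, required, roles=ROLES):
    """Required actions that none of the assigned roles grants (the kind of
    action the question's 'does not have authorization' message names)."""
    return [a for a in required
            if not any(role_allows(roles[r], a) for r in role_names)]

def smallest_sufficient_role(required, roles=ROLES):
    """Among roles granting every required action, prefer one without a bare
    '*' Actions entry, a crude proxy for least privilege."""
    fitting = [n for n in roles if not missing_actions([n], required, roles)]
    return min(fitting, key=lambda n: roles[n]["Actions"].count("*"), default=None)

# The two actions the question's error messages name
NSG_WRITE = "Microsoft.Network/networkSecurityGroups/write"
PROVIDER_REGISTER = "Microsoft.Compute/register/action"

if __name__ == "__main__":
    print(missing_actions(["Network Contributor"], [NSG_WRITE, PROVIDER_REGISTER]))
    print(smallest_sufficient_role([NSG_WRITE]))
```

Creating the NSG alone needs only a network-scoped role; registering a resource provider is what pushes the requirement up to Contributor.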