0
votes

Problem

I have an azure pipeline YAML file. It is able to run through a service connection which accesses a service principal with all the proper authority, etc.

But I am now trying to clean up the code; we have multiple service principals running on multiple subscriptions and resource groups. They need to create storage accounts, which need to be unique.

So I am trying to create a storage account built partially from the associated subscription and resource group of the service principal creating the storage account.

Example Solution

For the subscription, it is fairly easy. I can do something like this, from within a PowerShell script called inside the pipeline:

$subscriptionId = $(az account show --query 'id' -o tsv)
Write-Output "##vso[task.setvariable variable=AZURE_SUBSCRIPTION_ID;isoutput=true;issecret=true]$subscriptionId"

Now I have the variables $subscriptionId and AZURE_SUBSCRIPTION_ID set, and can access subscription information within the pipeline itself.

Question

But how can I do something similar with resource groups?

There is no equivalent to az account show with resource groups, without knowing the resource group name itself. (E.g., I have to type az group show --name <RG-name>, but it is precisely the name that I am trying to get.)

Again, to be clear, I am running inside of a particular resource group and subscription; those are the ones associated with the service connection. Now I simply want that information available to the pipeline.

1
I'm not sure what you mean by "am running inside of a particular resource group". A service connection using a SP is only scoped to either Subscription or Management Group. – silent

Does the az group list command meet your needs? – Walter

No, @WalterQian-MSFT, I am doing all of this work within a pipeline. (1) az group list gives me a list, and I am not sure the list is deterministic (that, for instance, the group I want is always #2 on the list), and (2) this seems like a very fragile way to build a pipeline: that number on the list will be different each time. – Mike Williamson

@silent Sorry for any confusion: a service connection provides a service principal that can be scoped by resource group. I want to know the name of that resource group from within the pipeline. – Mike Williamson

@MikeWilliamson that is not "scoping". That is merely giving the SP access to one RG. But it can always have access to multiple RGs. – silent

1 Answer

2
votes

I'm not sure if I completely understand what you are trying to accomplish. But I suspect that the options below might help.

Get role assignments

If you created separate service connections for each individual resource group you can simply check the role assignments for the SPN and determine the scope of the service connection.

If you, for example, use the Azure PowerShell task, you have configured it with a Service Connection. So when the task starts, it has the context of the service principal. You can then do Get-AzRoleAssignment, which should output the Resource Groups to which it's authorised. Again, this is only useful if you use a service connection per RG, as you otherwise get results for multiple RGs. (Or for subscriptions and Management groups, if you also assigned a role to those scopes.)

Use the Azure DevOps API

You can use the Get Service Endpoint request of the Azure DevOps API to get the service connections. The JSON output will contain information regarding the scope of the service connection.

If you find working with the API directly a bit hard, you can try the PSDevOps PowerShell module to interact with the Azure DevOps API. It has the Get-ADOServiceEndpoint command that allows you to get the available service endpoints.
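One way to apply the role-assignment approach from an Azure PowerShell task, as an added example (not the answerer's code): it derives the single resource-group scope of the running service principal and publishes it with the same logging command the question already uses. It assumes the Az.Accounts and Az.Resources modules are on the agent and that the service principal's role (e.g. Contributor) lets it read its own role assignments.

```powershell
# Added example, not part of the original answer. Runs inside an Azure PowerShell task,
# where the service connection has already created the Az context for the service principal.
# Assumes Az.Accounts/Az.Resources are installed on the agent.

$ctx = Get-AzContext
# For a service-principal context, Account.Id is the application (client) ID of the SPN.
$appId = $ctx.Account.Id

# Every role assignment granted to this SPN. Scope is the ARM resource ID it applies to;
# a resource-group scope has the form /subscriptions/<sub-id>/resourceGroups/<rg-name>.
# (If the SPN cannot read the directory, the cmdlet may warn that it cannot resolve display
# names, but Scope is still populated.)
$assignments = Get-AzRoleAssignment -ServicePrincipalName $appId

# Keep only RG-scoped assignments and reduce them to distinct RG names.
# @() keeps the result an array even when there is exactly one match.
$rgNames = @(
    $assignments |
        Where-Object { $_.Scope -match '^/subscriptions/[^/]+/resourceGroups/[^/]+$' } |
        ForEach-Object { $_.Scope.Split('/')[-1] } |
        Sort-Object -Unique
)

if ($rgNames.Count -ne 1) {
    # The answer's caveat: with zero or several RG-scoped assignments there is no single
    # "current" resource group, so fail the step instead of picking one arbitrarily.
    Write-Error ("Expected exactly one resource-group-scoped assignment, found {0}: {1}" -f `
        $rgNames.Count, ($rgNames -join ', '))
    exit 1
}

$resourceGroupName = $rgNames[0]
$subscriptionId    = $ctx.Subscription.Id

# Publish both values as output variables for later pipeline steps.
Write-Output "##vso[task.setvariable variable=AZURE_RESOURCE_GROUP;isoutput=true]$resourceGroupName"
Write-Output "##vso[task.setvariable variable=AZURE_SUBSCRIPTION_ID;isoutput=true]$subscriptionId"
```

Subscription-scoped or management-group-scoped assignments are deliberately ignored by the regex, so an SPN that additionally holds a subscription-level role still resolves to its one resource group.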