Update service principal credentials #699

Closed
chessman opened this issue Jul 27, 2017 · 8 comments
@chessman

I have a multi-tenant native application and a corresponding service principal. I'm trying to add a key to the service principal to have app-only access to the Graph API (BTW, I'm not sure it is a proper scenario). This is an example:

	// Reproduction as posted, wrapped in a function so it compiles. The import
	// paths are the ones the SDK used at the time of this issue (2017); the
	// client is a ServicePrincipalsClient already configured with a Graph authorizer.
	package main

	import (
		"time"

		"github.com/Azure/azure-sdk-for-go/arm/graphrbac"
		"github.com/Azure/go-autorest/autorest/date"
	)

	// addServicePrincipalKey attaches a symmetric key credential to the service
	// principal with object ID spID and returns the SDK error, if any.
	func addServicePrincipalKey(client graphrbac.ServicePrincipalsClient, spID string) error {
		value := "11111"
		keyID := "1a3df8b2-d051-494a-ad38-f343f15ae6c8"
		typ := "Symmetric"
		s := date.Time{time.Now()}
		e := date.Time{s.Add(1 * time.Hour)}
		usage := "usage"
		_, err := client.UpdateKeyCredentials(spID, graphrbac.KeyCredentialsUpdateParameters{
			Value: &[]graphrbac.KeyCredential{
				graphrbac.KeyCredential{
					Usage:     &usage,
					StartDate: &s,
					EndDate:   &e,
					Value:     &value,
					KeyID:     &keyID,
					Type:      &typ,
				},
			},
		})
		return err
	}

It fails with an error:

panic: graphrbac.ServicePrincipalsClient#UpdateKeyCredentials: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: error response cannot be parsed: "" error: EOF

Response:

{"odata.error":{"code":"Request_BadRequest","message":{"lang":"en","value":"Cannot convert a primitive value to the expected type 'Edm.Binary'. See the inner exception for more details."}}}

It looks like KeyCredential contains a field customKeyIdentifier which doesn't exist in Go structure (the field has type Edm.Binary):
https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/entity-and-complex-type-reference#keycredential-type
Nevertheless, the meaning of this field is not clear. How to use UpdateKeyCredentials?

@salameer
Member

Thanks Chessman,

@mcardosos will be taking a look at this

@chessman
Author

It seems that Keys in SDK are Certificates on Portal and Keys on Portal are Passwords in SDK...

@mcardosos
Contributor

Hello @chessman ! What you say is correct, keys in the SDK are certificates in the portal and the passwords are the keys.
Yes, the keys / passwords are meant to be added to the AAD application, not the service principal.
Important note, first get the current passwords and include them in the update operation.

	package main

	import (
		"time"

		"github.com/Azure/azure-sdk-for-go/arm/graphrbac"
		"github.com/Azure/go-autorest/autorest"
		"github.com/Azure/go-autorest/autorest/date"
		"github.com/Azure/go-autorest/autorest/to"
	)

	// addApplicationPassword appends a 30-day password credential to the AAD
	// application with object ID appObjID. graphAuth must be an authorizer
	// obtained for the Graph resource, not for ARM.
	func addApplicationPassword(tenantID, appObjID string, graphAuth autorest.Authorizer) {
		cliAAD := graphrbac.NewApplicationsClient(tenantID)
		cliAAD.Authorizer = graphAuth

		// The update replaces the whole collection, so read it first and
		// carry the existing passwords forward.
		list, err := cliAAD.ListPasswordCredentials(appObjID)
		if err != nil {
			panic(err)
		}

		passwords := *list.Value
		passwords = append(passwords, graphrbac.PasswordCredential{
			StartDate: &date.Time{time.Now()},
			EndDate:   &date.Time{time.Now().Add(30 * 24 * time.Hour)},
			Value:     to.StringPtr("some-value"), // placeholder secret value
		})

		_, err = cliAAD.UpdatePasswordCredentials(appObjID, graphrbac.PasswordCredentialsUpdateParameters{
			Value: &passwords,
		})
		if err != nil {
			panic(err)
		}
	}
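The read-modify-write pattern described in the comment above, as an added example that is not part of this thread or of the Azure SDK. It models the Graph passwordCredentials collection with a small stand-in type and an in-memory store (the names `PasswordCredential`, `CredentialStore`, `memoryStore`, `RotateSecret` and the object ID "app-object-id" are assumptions of this example, not SDK identifiers), so it runs offline. It goes a step further than the snippet in the comment: the new secret is generated with crypto/rand instead of a fixed string, and credentials that have already expired are dropped from the collection while every still-active one is preserved, since the update replaces the whole collection and omitting an active credential revokes it.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

// PasswordCredential carries the fields of a Graph passwordCredential that
// matter for rotation. Assumption: a plain-value model of the API object,
// not the pointer-based graphrbac.PasswordCredential from the SDK.
type PasswordCredential struct {
	KeyID     string
	StartDate time.Time
	EndDate   time.Time // zero value means "no expiry"
	Value     string    // plaintext secret; Graph only returns it at creation
}

// CredentialStore is the subset of the Applications client the rotation
// needs: read the collection, then write the whole collection back.
type CredentialStore interface {
	ListPasswordCredentials(objectID string) ([]PasswordCredential, error)
	UpdatePasswordCredentials(objectID string, creds []PasswordCredential) error
}

// NewSecret returns 32 random bytes as a base64url string (43 characters).
func NewSecret() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// MergeCredentials returns the collection to write back: every credential
// that has not expired at now, plus the new one. Anything left out here is
// revoked by the update, so active credentials must be carried forward.
func MergeCredentials(existing []PasswordCredential, add PasswordCredential, now time.Time) []PasswordCredential {
	kept := make([]PasswordCredential, 0, len(existing)+1)
	for _, c := range existing {
		if !c.EndDate.IsZero() && !c.EndDate.After(now) {
			continue // expired: drop it instead of carrying it forever
		}
		kept = append(kept, c)
	}
	return append(kept, add)
}

// RotateSecret adds a fresh secret valid for lifetime while keeping unexpired
// secrets, so clients still using an older secret keep working until it is
// retired. It returns the plaintext, which the API never shows again.
func RotateSecret(store CredentialStore, objectID string, lifetime time.Duration, now time.Time) (string, error) {
	existing, err := store.ListPasswordCredentials(objectID)
	if err != nil {
		return "", fmt.Errorf("list credentials: %w", err)
	}
	secret, err := NewSecret()
	if err != nil {
		return "", err
	}
	creds := MergeCredentials(existing, PasswordCredential{StartDate: now, EndDate: now.Add(lifetime), Value: secret}, now)
	if err := store.UpdatePasswordCredentials(objectID, creds); err != nil {
		return "", fmt.Errorf("update credentials: %w", err)
	}
	return secret, nil
}

// memoryStore stands in for the Graph API so the example runs offline.
type memoryStore struct {
	creds map[string][]PasswordCredential
}

func (m *memoryStore) ListPasswordCredentials(objectID string) ([]PasswordCredential, error) {
	stored, ok := m.creds[objectID]
	if !ok {
		return nil, errors.New("Request_ResourceNotFound")
	}
	out := make([]PasswordCredential, len(stored))
	copy(out, stored)
	for i := range out {
		out[i].Value = "" // like Graph, never hand secret values back on read
	}
	return out, nil
}

func (m *memoryStore) UpdatePasswordCredentials(objectID string, creds []PasswordCredential) error {
	m.creds[objectID] = creds // PATCH semantics: the whole collection is replaced
	return nil
}

func main() {
	now := time.Now()
	store := &memoryStore{creds: map[string][]PasswordCredential{
		"app-object-id": { // constructed sample data
			{KeyID: "active", EndDate: now.Add(24 * time.Hour)},
			{KeyID: "expired", EndDate: now.Add(-time.Hour)},
		},
	}}
	secret, err := RotateSecret(store, "app-object-id", 30*24*time.Hour, now)
	if err != nil {
		panic(err)
	}
	fmt.Println("new secret:", secret)
	for _, c := range store.creds["app-object-id"] {
		fmt.Printf("kept keyId=%q expires=%s\n", c.KeyID, c.EndDate.Format(time.RFC3339))
	}
}
```

With the real SDK the `memoryStore` would be replaced by an `ApplicationsClient` configured with a Graph authorizer; the merge and generation logic stays the same.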

@chessman
Author

chessman commented Aug 7, 2017

@mcardosos Thanks for your reply! Are you sure that passwords can be added only to applications? I tried to add a password to a service principal and it works. Furthermore, it is mentioned in the docs (PATCH method on passwordCredentials):
https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/entity-and-complex-type-reference#serviceprincipal-entity

@mcardosos
Contributor

@chessman Adding passwords to service principal is equivalent to adding them to the application :)

@chessman
Author

chessman commented Aug 7, 2017

@mcardosos But if I have a multi-tenant application and I'm adding a password to service principal, will it be added for all tenants or just for the tenant of service principal?

@dkershaw10

dkershaw10 commented Aug 14, 2017

If you have a multi-tenant application, then you need to add the password/key to the application and not to the service principal. The application is centralized (together with the app's credentials). The service principal (which is an application instance) references back to the application (and its credentials). As the app developer, you then just need to manage the app's credentials in one place. In general, whether you have a single-tenant or multi-tenant application, you should add the credentials (password/key/secret) to the application. It can be added to the service principal too (per the API), but it's only intended for certain scenarios.

NOTE: If you have questions about multi-tenant model etc, please feel free to send questions to stack overflow (and tag [azure-active-directory])
Hope this helps

@mcardosos
Contributor

Closing this issue since stack overflow is the best place to send questions about AAD.
Thanks for clarifying this @dkershaw10 !
