Azure AD 通过 Azure CLI 添加密钥 [英] Azure AD add keys via Azure CLI

问题描述

我正在尝试使用 Azure CLI 在我的 Azure AD 应用程序中添加一个密钥.但是通过 Azure CLI API 似乎没有这样的命令.

I'm trying to add a key in my Azure AD application using Azure CLI. But looking throught the Azure CLI API it seems that there is no such command.

例如:

我正在尝试通过 Azure CLI 自动执行以下链接中的任务:http://blog.davidebbo.com/2014/12/azure-service-principal.html

I'm trying to automate the task from the link below via Azure CLI: http://blog.davidebbo.com/2014/12/azure-service-principal.html

我可以创建 AD 应用程序、服务主体，但我找不到为新创建的 AD 应用程序添加密钥的方法.

I can create AD application, service principal, but I can't find a way to add key for newly create AD application.

我会很感激任何想法和方向:)

I'll appreciate any ideas and directions :)

提前致谢！

推荐答案

对于一个新的AD应用，你可以在创建的时候用-p指定一个key.例如，

For a new AD application, you can specify a key with -p while creating. For example,

azure ad app create -n <your application name> --home-page <the homepage of you application> -i <the identifier URI of you application> -p <your key>

对于现有的 AD 应用程序，Graph API 肯定能够更新 AD 应用程序凭据.阅读此 API 参考，您可以看到密码凭证可以使用POST、GET、PATCH".但是，使用 Graph API 太复杂了.我检查了 Azure CLI.该功能尚未实现，源代码对我来说是不可读的.然后看了一下Azure SDK for Python，因为我对python比较熟悉，发现他们已经在2.0.0rc2中实现了.请参阅 GitHub 存储库

For an existing AD application, surely the Graph API is able to update the AD Application Credential. Read this API reference, and you can see that the password credential is able to use "POST, GET, PATCH". However, it's too complicated to use the Graph API. I have check the Azure CLI. That functionality is not yet implemented, and the source is unreadable for me. Then, I took a look at Azure SDK for Python, because I am familiar with python, and I found out that they have already implemented it in 2.0.0rc2. See the GitHub Repo

我写了一个python脚本.但是，要使用我的脚本，您不仅需要安装 azure2.0.0rc2，还需要安装 msrest 和 msrestazure.

I have written a python script. But, in order to use my script you need to install not only azure2.0.0rc2, but also msrest and msrestazure.

from azure.common.credentials import UserPassCredentials
from azure.graphrbac import GraphRbacManagementClient, GraphRbacManagementClientConfiguration
from azure.graphrbac.models import ApplicationCreateParameters, PasswordCredential

credentials = UserPassCredentials("<your Azure Account>", "<your password>")

subscription_id = "<your subscription id>"

tenant_id = "<your tenant id>"

graphrbac_client = GraphRbacManagementClient(
    GraphRbacManagementClientConfiguration(
        credentials,
        subscription_id,
        tenant_id
    )
)

application = graphrbac_client.application.get('<your application object id>')

passwordCredential = PasswordCredential(start_date="2016-04-13T06:08:04.0863895Z", 
                                        end_date="2018-04-13T06:08:04.0863895Z",
                                        value="<your new key>")

parameters = ApplicationCreateParameters(application.available_to_other_tenants,
                                     application.display_name,
                                     "<the homepage of your AD application>",
                                     application.identifier_uris,
                                     reply_urls=application.reply_urls,
                                     password_credentials = [passwordCredential])

application = graphrbac_client.application.update('<your application object id>', parameters)

此脚本的唯一问题是您只能覆盖 AD 应用程序的所有现有键.您无法附加新密钥.这是 Graph API 的问题.Graph API 不允许用户读取现有密钥.一种可能的解决方案是将现有的密钥存储在其他地方.但是，这会带来额外的安全风险.

The only problem with this script is that you are only able to override all the existing keys of you AD application. You are not able to append a new key. This is a problem of the Graph API. The Graph API does not allow users to read an existing key. One possible solution would be storing your existing keys somewhere else. But, this will bring extra security risk.

这篇关于Azure AD 通过 Azure CLI 添加密钥的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！