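#!/bin/bash
# Registers the Azure AD "Server" and "Client" applications for an AKS
# cluster and wires up the permissions between them.
#
# Requires an authenticated `az` CLI session. The permission grant and
# admin-consent steps require Azure AD tenant admin rights.
#
# Fail fast: every later step depends on the IDs captured by the earlier
# ones, so continuing past a failed `az` call would act on empty IDs.
set -euo pipefail

# Provide your own unique aksname within the Azure AD tenant
readonly aksname="run-it-on-cloud"
# Not used in this script; presumably consumed by a later cluster-creation
# step in the same workflow — confirm before removing.
# shellcheck disable=SC2034
readonly resourcegroup="runItOnCloud"
# shellcheck disable=SC2034
readonly location="westeurope"

# Microsoft Graph's well-known application ID, used as the --api target below.
readonly graph_api_id="00000003-0000-0000-c000-000000000000"

# Create the Azure AD application Server
serverApplicationId=$(az ad app create \
  --display-name "${aksname}Server" \
  --identifier-uris "https://${aksname}Server" \
  --query appId -o tsv)
[[ -n "$serverApplicationId" ]] || { printf 'failed to create server application\n' >&2; exit 1; }

# Update the application group membership claims
az ad app update --id "$serverApplicationId" --set groupMembershipClaims=All

# Create a service principal for the Azure AD application
az ad sp create --id "$serverApplicationId"

# Get the service principal secret.
# This is a credential: it is held only in this shell variable and is not
# echoed or consumed anywhere in this script. Do not enable `set -x` around
# this block, and do not write the value to a log or a world-readable file.
# shellcheck disable=SC2034
serverApplicationSecret=$(az ad sp credential reset \
  --name "$serverApplicationId" \
  --credential-description "AKSPassword" \
  --query password -o tsv)

# The Azure AD needs permissions to perform the following actions:
# 1-Read directory data
# 2-Sign in and read user profile
az ad app permission add \
  --id "$serverApplicationId" \
  --api "$graph_api_id" \
  --api-permissions e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope 06da0dbc-49e2-44d2-8312-53f166ab848a=Scope 7ab1d382-f21e-4acd-a863-ba3e13f7da61=Role

# grant the permissions assigned in the previous step for the server application
# You must be the Azure AD tenant admin for these steps to successfully complete
az ad app permission grant --id "$serverApplicationId" --api "$graph_api_id"
az ad app permission admin-consent --id "$serverApplicationId"

# Create the Azure AD application Client
clientApplicationId=$(az ad app create \
  --display-name "${aksname}Client" \
  --native-app \
  --reply-urls "https://${aksname}Client" \
  --query appId -o tsv)
[[ -n "$clientApplicationId" ]] || { printf 'failed to create client application\n' >&2; exit 1; }

# Create a service principal for the client application
az ad sp create --id "$clientApplicationId"

# Get the oAuth2 ID for the server app to allow authentication flow
oAuthPermissionId=$(az ad app show --id "$serverApplicationId" --query "oauth2Permissions[0].id" -o tsv)
[[ -n "$oAuthPermissionId" ]] || { printf 'server application exposes no oauth2Permissions\n' >&2; exit 1; }

# Assign permissions for the client and server applications to communicate with each other
az ad app permission add --id "$clientApplicationId" --api "$serverApplicationId" --api-permissions "${oAuthPermissionId}=Scope"
az ad app permission grant --id "$clientApplicationId" --api "$serverApplicationId"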