- Create an Azure app (app registration) that we will use for federation. The `--oauth2-allow-implicit-flow` flag only exists in older Azure CLI releases; newer releases dropped it, and implicit flow is already disabled on a newly created app, so simply omit the flag there.

```sh
az ad app create --display-name my-sample-app \
  --oauth2-allow-implicit-flow false
```

- Note the objectId of the created app (the `objectId` field, or `id` in newer CLI output; it is not the appId)

```sh
OBJECT_ID=32f3c6d0-f8a0-42c2-8ae3-962d79e4cb14
```

- Get the appId (also known as clientId) of the created app. `az ad app show --id` accepts either the objectId or the appId, so reuse `$OBJECT_ID` here instead of pasting a different GUID.

```sh
CLIENT_ID=$(az ad app show --id $OBJECT_ID --query 'appId' --output tsv)
```

- Create a service principal for the app

```sh
az ad sp create --id $CLIENT_ID
```

- Grant the service principal only what it needs (this example lets it write blobs in one storage account; keep the scope that narrow rather than assigning the role at subscription level). Note that it can take 5+ minutes before the assignment is active :-(

```sh
az role assignment create \
  --role "Storage Blob Data Contributor" \
  --assignee $CLIENT_ID \
  --scope "/subscriptions/[SUBSCRIPTION_GUID]/resourceGroups/[RESOURCE_GROUP_NAME]/providers/Microsoft.Storage/storageAccounts/[STORAGE_ACCOUNT_NAME]"
```
- Allow federation to the service principal from the Google service account, using the numerical id (uniqueId) of the Google service account, not its email address: Entra ID matches the token's `sub` claim exactly, and Google puts the numeric id in `sub`. The `issuer` must be exactly `https://accounts.google.com`, and whatever you list in `audiences` must be the `aud` you request when minting the Google ID token (`api://AzureADTokenExchange` is the default Entra ID recommends). We are using `jq` to build the request payload so it does all the escaping for us. Recently the Microsoft documentation has been updated with similar instructions for the portal and the CLI (`az ad app federated-credential create` takes the same JSON via `--parameters`).

```sh
GOOGLE_SERVICE_ACCOUNT_ID=109999999999999999999
jq -n \
  --arg googleServiceAccountId $GOOGLE_SERVICE_ACCOUNT_ID \
  '{
    name: "my-federated-credentials",
    issuer: "https://accounts.google.com",
    subject: $googleServiceAccountId,
    description: "Test federation from a google service account",
    audiences: ["api://AzureADTokenExchange"]
  }' | az rest --method POST \
  --uri "https://graph.microsoft.com/beta/applications/$OBJECT_ID/federatedIdentityCredentials" \
  --body @-
```

- Retrieve details about the created federation (the `federatedIdentityCredentials` resource is also served on the `v1.0` Graph endpoint now, so `beta` is no longer required)

```sh
az rest -m GET -u "https://graph.microsoft.com/beta/applications/$OBJECT_ID/federatedIdentityCredentials"
```
- See the other file in this Gist for an example how to use the federated identity from Google Cloud to write to Azure storage
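The steps above only succeed at exchange time if the Google ID token's `iss`, `sub` and `aud` line up exactly with the federated credential, and the failure mode is a bare AADSTS70021 "No matching federated identity record found". The following is an added example (not part of this gist, and not Microsoft's or Google's code) that builds the same credential body as the `jq` payload, decodes a constructed, unsigned stand-in for a Google service-account ID token, reports which claim would cause the lookup to fail, and shows the `client_credentials` form body that trades the Google token for an Entra ID token. The sample token, the `my-sa@my-project...` email and the `https://storage.azure.com/.default` scope are assumptions for the demo; nothing is sent over the network.

```python
import base64
import json

# Values the gist uses: Google's issuer and Entra ID's default exchange audience.
GOOGLE_ISSUER = "https://accounts.google.com"
AZURE_TOKEN_EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"


def federated_credential_body(name, google_service_account_id, description=""):
    """Same payload the jq command builds, as a dict for `az rest --body`.

    The subject must be the service account's numeric uniqueId: Entra ID matches
    `sub` exactly, and Google puts the numeric id (not the email) in `sub`.
    """
    if not google_service_account_id.isdigit():
        raise ValueError(
            "subject must be the numeric uniqueId of the Google service account, "
            "not its email address"
        )
    return {
        "name": name,
        "issuer": GOOGLE_ISSUER,
        "subject": google_service_account_id,
        "description": description,
        "audiences": [AZURE_TOKEN_EXCHANGE_AUDIENCE],
    }


def jwt_claims(token):
    """Decode a compact JWT payload WITHOUT verifying the signature.

    Only for inspecting claims locally before the exchange; Entra ID verifies
    the signature against Google's published keys, this function does not.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def credential_mismatches(credential, claims):
    """List why Entra ID would reject this token against this credential.

    The lookup is by exact (issuer, subject) and one of the token's audiences
    must appear in `audiences`; any miss surfaces as AADSTS70021.
    """
    problems = []
    if claims.get("iss") != credential["issuer"]:
        problems.append(f"iss {claims.get('iss')!r} != {credential['issuer']!r}")
    if claims.get("sub") != credential["subject"]:
        problems.append(f"sub {claims.get('sub')!r} != {credential['subject']!r}")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if not any(a in credential["audiences"] for a in auds):
        problems.append(f"aud {aud!r} not in {credential['audiences']!r}")
    return problems


def token_exchange_request(tenant_id, client_id, google_id_token,
                           scope="https://storage.azure.com/.default"):
    """The client_credentials request that trades the Google token for an Entra token.

    Returned as URL plus form fields (not sent) so it can be inspected offline.
    The scope default is an assumption for the storage use case in the gist.
    """
    return {
        "url": f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
        "form": {
            "grant_type": "client_credentials",
            "client_id": client_id,
            "scope": scope,
            "client_assertion_type":
                "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            "client_assertion": google_id_token,
        },
    }


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def sample_google_token(sub, aud=AZURE_TOKEN_EXCHANGE_AUDIENCE):
    """Constructed, UNSIGNED stand-in for a Google service-account ID token (demo only)."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "demo"}
    claims = {"iss": GOOGLE_ISSUER, "sub": sub, "aud": aud,
              "email": "my-sa@my-project.iam.gserviceaccount.com",  # assumed
              "iat": 1700000000, "exp": 1700003600}
    return f"{_b64url(header)}.{_b64url(claims)}.bogus-signature"


if __name__ == "__main__":
    cred = federated_credential_body("my-federated-credentials", "109999999999999999999")
    good = sample_google_token("109999999999999999999")
    print("matching token:", credential_mismatches(cred, jwt_claims(good)))
    # Common mistake: the ID token was minted for a different audience.
    bad = sample_google_token("109999999999999999999", aud="https://storage.azure.com")
    print("wrong-audience token:", credential_mismatches(cred, jwt_claims(bad)))
    print(json.dumps(token_exchange_request("TENANT_ID", "CLIENT_ID", good)["form"], indent=2))
```

Run `credential_mismatches` against a real token (decoded the same way) before opening a ticket about AADSTS70021; in practice the audience mismatch is the one that bites, because the `aud` is chosen on the Google side when the token is minted, not in Azure.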
If you ever want to remove the federated identity you can use the following commands. Deleting the credential is also how you revoke the trust: once it is gone, tokens from that Google service account no longer exchange (the role assignment from above stays until you remove it separately). Select the credential by name rather than `value[0]`, which would delete whichever credential happens to be listed first:

```sh
FEDERATED_ID=$(az rest -m GET -u "https://graph.microsoft.com/beta/applications/$OBJECT_ID/federatedIdentityCredentials" \
  --query "value[?name=='my-federated-credentials'].id | [0]" --output tsv)
az rest -m DELETE -u "https://graph.microsoft.com/beta/applications/$OBJECT_ID/federatedIdentityCredentials/$FEDERATED_ID"
```