Create an Azure service principal with Node.js

When an app needs to access resources, you can set up an identity for the app and authenticate the app with its own credentials. This identity is known as a service principal. Essentially, you register an application in your Azure Active Directory tenant and create credentials for it (a password or a certificate) that you provide to the SDK, so the app authenticates on its own rather than requiring user intervention or a username/password.

The service principal approach enables you to:

  • Assign permissions to the app identity that are different from your own permissions. Typically, these permissions are restricted to exactly what the app needs to do.
  • Use a certificate for authentication when running an unattended script.

This topic shows you three techniques for creating a service principal.

  • Azure portal
  • Azure CLI 2.0
  • Azure SDK for Node.js

Create a service principal using the Azure portal

Follow the steps outlined in the topic, Use portal to create an Azure Active Directory application and service principal that can access resources, to generate the service principal.

Create a service principal using the Azure CLI 2.0

Creating a service principal using the Azure CLI 2.0 can be accomplished with the following steps:

  1. Download the Azure CLI 2.0.

  2. Open a terminal window.

  3. Type the following command to start the login process:

    $ az login
    
  4. Calling az login results in a URL and a code. Browse to the specified URL, enter the code, and log in with your Azure identity (this may happen automatically if you're already logged in). You'll then be able to access your account via the CLI.

  5. Get your subscription and tenant id:

    $ az account list
    

    The following shows an example of the output:

    {
    "cloudName": "AzureCloud",
    "id": "<subscriptionId>",
    "isDefault": true,
    "name": "<subscriptionName>",
    "registeredProviders": [],
    "state": "Enabled",
    "tenantId": "<tenantId>",
        "user": {
            "name": "hello@example.com",
            "type": "user"
        }
    }
    

    Note the subscription ID as it will be used in Step 7.

  6. Create a service principal to get a JSON object containing the other pieces of information you need to authenticate with Azure. By default, the command assigns the new service principal the Contributor role on your current subscription; pass --role and --scopes to restrict the assignment to the role and the resource group or resource the app actually needs.

    $ az ad sp create-for-rbac
    

    The following shows an example of the output:

    {
    "appId": "<appId>",
    "displayName": "<displayName>",
    "name": "<name>",
    "password": "<password>",
    "tenant": "<tenant>"
    }
    

    Note the tenant, appId, and password values as they'll be used in Step 7. The appId is the client ID the SDK expects; the password is shown only once and cannot be retrieved later, so store it in a secret store, not in source control.

  7. Set up the environment variables - replacing the <subscriptionId>, <tenant>, <appId>, and <password> placeholders with the values you obtained in steps 5 and 6.

    Using bash

    export azureSubId='<subscriptionId>'
    export azureServicePrincipalTenantId='<tenant>'
    export azureServicePrincipalClientId='<appId>'
    export azureServicePrincipalPassword='<password>'
    

    Using PowerShell

    $env:azureSubId='<subscriptionId>'
    $env:azureServicePrincipalTenantId='<tenant>'
    $env:azureServicePrincipalClientId='<appId>'
    $env:azureServicePrincipalPassword='<password>'
    

Create a service principal using the Azure SDK for Node.js

To programmatically create a service principal using JavaScript, use the ServicePrincipal script.

Using the service principal

Once you have a service principal, the following JavaScript code snippet illustrates how to use the service principal credentials to authenticate with the Azure SDK for Node.js. It reads the values you exported in Step 7 (subscription ID, tenant, client ID, which is the appId, and password) from the environment so that the secret never appears in source code.

const Azure = require('azure');
const MsRest = require('ms-rest-azure');

// Values exported in Step 7.
const subscriptionId = process.env.azureSubId;
const clientId = process.env.azureServicePrincipalClientId; // the appId of the service principal
const secret = process.env.azureServicePrincipalPassword;
const tenant = process.env.azureServicePrincipalTenantId;   // tenant ID or domain

MsRest.loginWithServicePrincipalSecret(
  clientId,
  secret,
  tenant,
  (err, credentials) => {
    if (err) throw err;

    // credentials carries the bearer token used by every ARM client.
    let storageClient = Azure.createARMStorageManagementClient(credentials, subscriptionId);

    // ..use the client instance to manage service resources.
  }
);
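The snippet above assumes the four environment variables are present and correct. The following is an added example, not code from the original page or the Azure SDK, that checks them before calling the SDK: it refuses to run if any variable is missing, catches the common mistake of exporting the name value from az ad sp create-for-rbac instead of the appId GUID, and gives you a redacted copy of the settings that is safe to log. The variable names are the ones from Step 7; the function names, the GUID check and the sample values in the usage note are assumptions made for this example.

```javascript
'use strict';

// Added example (not from the original page): validate the service principal
// settings that Step 7 exported into the environment before handing them to
// ms-rest-azure. Variable names match Step 7; everything else is assumed.

// Which environment variable carries each setting.
const REQUIRED = {
  subscriptionId: 'azureSubId',
  tenantId: 'azureServicePrincipalTenantId',
  clientId: 'azureServicePrincipalClientId',
  clientSecret: 'azureServicePrincipalPassword',
};

const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Reads and validates the four settings. Throws up front rather than letting a
// half-configured process fail later with an opaque token error.
function readServicePrincipalConfig(env = process.env) {
  const missing = Object.values(REQUIRED).filter((name) => !env[name]);
  if (missing.length > 0) {
    throw new Error(`missing environment variables: ${missing.join(', ')}`);
  }
  const cfg = {};
  for (const [key, name] of Object.entries(REQUIRED)) {
    cfg[key] = env[name].trim();
  }
  // az ad sp create-for-rbac prints both "name" and "appId"; the client ID is
  // the appId GUID. Reject the "name" value (an http:// URI) if it was exported.
  if (!GUID_RE.test(cfg.clientId)) {
    throw new Error(`${REQUIRED.clientId} must be the appId GUID, got "${cfg.clientId}"`);
  }
  if (!GUID_RE.test(cfg.subscriptionId)) {
    throw new Error(`${REQUIRED.subscriptionId} must be a subscription GUID`);
  }
  // The tenant may be a GUID or a domain such as contoso.onmicrosoft.com, so it
  // is only checked for presence.
  return cfg;
}

// Copy of the config with the secret replaced, for log lines and error reports.
function redact(cfg) {
  return Object.assign({}, cfg, { clientSecret: '***' });
}

// Authenticates with ms-rest-azure and resolves to the credentials object that
// every ARM client takes as its first argument. The SDK is loaded lazily so the
// validation above also runs where ms-rest-azure is not installed.
function loginWithServicePrincipal(cfg) {
  const MsRest = require('ms-rest-azure');
  return new Promise((resolve, reject) => {
    MsRest.loginWithServicePrincipalSecret(
      cfg.clientId,
      cfg.clientSecret,
      cfg.tenantId,
      (err, credentials) => {
        if (err) {
          return reject(err);
        }
        return resolve(credentials);
      }
    );
  });
}
```

Usage: call readServicePrincipalConfig() once at startup, log redact(cfg) if you need a record of which identity the process runs as, and pass the returned object to loginWithServicePrincipal(cfg); the resolved credentials go to the ARM client constructor exactly as in the snippet above. With a constructed environment in which azureServicePrincipalClientId is set to http://azure-cli-2017-01-01-00-00-00 (the name value), readServicePrincipalConfig throws before any network call is made.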