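#!/bin/bash
# Create the Azure AD "server" application used for AKS RBAC integration:
# the app registration with a client secret, its service principal, and the
# delegated-permission grants for every resource listed in manifest-server.json.
#
# Required environment (sourced from .env, which is executed as shell code —
# keep it trusted): RBAC_SERVER_APP_NAME, RBAC_SERVER_APP_URL.
# Output: the `export` lines the client-app script needs. The client secret is
# printed to stdout in clear text, so do not run this under CI log capture or
# with `set -x` unless stdout is redirected somewhere appropriately protected.
set -euo pipefail

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

[[ -f .env ]] || die ".env not found in $(pwd)"
# shellcheck source=/dev/null
source .env
: "${RBAC_SERVER_APP_NAME:?must be set in .env}"
: "${RBAC_SERVER_APP_URL:?must be set in .env}"
[[ -f manifest-server.json ]] || die "manifest-server.json not found in $(pwd)"

# 32 alphanumeric characters (~190 bits of entropy). Every stage reads its whole
# input, so the pipeline is safe under pipefail — the usual
# `tr ... < /dev/urandom | head` form makes `tr` die of SIGPIPE once `head`
# exits. LC_ALL=C keeps tr byte-oriented (macOS tr rejects random bytes under a
# UTF-8 locale).
RBAC_SERVER_APP_SECRET="$(head -c 128 /dev/urandom | base64 | LC_ALL=C tr -dc 'a-zA-Z0-9' | cut -c 1-32)"
[[ ${#RBAC_SERVER_APP_SECRET} -eq 32 ]] || die "failed to generate a 32-character secret"

echo "Creating server application..."
# Take the appId from the create response instead of `az ad app list
# --display-name`: display names are not unique, so a list by name can return
# several ids (or a stale/unrelated registration) and break every later call.
# NOTE(review): `--password` on `az ad app create` is what this script was
# written against; newer Azure CLI releases dropped the flag in favour of
# `az ad app credential reset`, and either way the secret is visible in argv
# (`ps`) while the command runs — confirm against the CLI version in use.
RBAC_SERVER_APP_ID="$(az ad app create --display-name "${RBAC_SERVER_APP_NAME}" \
  --password "${RBAC_SERVER_APP_SECRET}" \
  --identifier-uris "${RBAC_SERVER_APP_URL}" \
  --reply-urls "${RBAC_SERVER_APP_URL}" \
  --homepage "${RBAC_SERVER_APP_URL}" \
  --required-resource-accesses @manifest-server.json \
  --query appId -o tsv)"
[[ -n "${RBAC_SERVER_APP_ID}" ]] || die "az ad app create returned no appId"

# The first exposed scope id is what the client app must request.
RBAC_SERVER_APP_OAUTH2PERMISSIONS_ID="$(az ad app show --id "${RBAC_SERVER_APP_ID}" \
  --query 'oauth2Permissions[0].id' -o tsv)"
[[ -n "${RBAC_SERVER_APP_OAUTH2PERMISSIONS_ID}" ]] || die "server app exposes no oauth2Permissions scope"

# Put every group the user belongs to into the token; AKS maps these to RBAC
# bindings. NOTE(review): in large tenants this can hit the group-claim
# overage limit and the claim is replaced by a Graph link — confirm for your tenant.
az ad app update --id "${RBAC_SERVER_APP_ID}" --set groupMembershipClaims=All

# TODO(review): credential lifetime — `az ad app create --password` applies a
# default end date (historically one year). Check `az ad app credential list`
# and plan rotation; nothing here renews the secret.
echo "Creating service principal for server application..."
az ad sp create --id "${RBAC_SERVER_APP_ID}"

echo "Granting permissions to the server application..."
# One resourceAppId per required resource in manifest-server.json. Capture the
# list first so an `az` failure aborts under set -e instead of being hidden in
# a subshell; iterate line by line rather than word-splitting an unquoted
# expansion.
resource_api_ids="$(az ad app permission list --id "${RBAC_SERVER_APP_ID}" \
  --query '[].resourceAppId' -o tsv)"
[[ -n "${resource_api_ids}" ]] || printf 'warning: no required resource accesses found on the app\n' >&2

while IFS= read -r resource_api_id; do
  [[ -n "${resource_api_id}" ]] || continue
  case "${resource_api_id}" in
    00000002-0000-0000-c000-000000000000)  # Azure AD Graph (legacy API)
      scope="User.Read" ;;
    00000003-0000-0000-c000-000000000000)  # Microsoft Graph
      scope="Directory.Read.All" ;;
    *)
      scope="user_impersonation" ;;
  esac
  # Records delegated consent for this service principal; the Graph scope
  # still needs tenant-wide admin consent (see the message below).
  az ad app permission grant --api "${resource_api_id}" --id "${RBAC_SERVER_APP_ID}" --scope "${scope}"
done <<< "${resource_api_ids}"

echo "The Azure Active Directory application has been created. You need to ask an Azure AD Administrator to go the Azure portal an click the 'Grant permissions' button for this app."
# The secret is echoed in clear text on purpose (hand-off to the client-app
# script); treat this output as sensitive.
echo "The following variables must be exported
export RBAC_SERVER_APP_ID="${RBAC_SERVER_APP_ID}"
export RBAC_SERVER_APP_OAUTH2PERMISSIONS_ID="${RBAC_SERVER_APP_OAUTH2PERMISSIONS_ID}"
export RBAC_SERVER_APP_SECRET="${RBAC_SERVER_APP_SECRET}"
"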