How to do AssumeRole in Azure

Today I would like to show you a way to control resources in one Azure tenant from another, using an application identity instead of a user account.

Let’s start from the basics. AWS AssumeRole is used for cross-account access in AWS: a principal in one AWS account obtains temporary credentials for a role in a completely different AWS account. It is a well-known feature and there are a lot of resources on this topic.

In Microsoft Azure it is possible to achieve the same result, but by a different mechanism. Azure has a notion of Applications (app registrations in Azure Active Directory). Application has a broad meaning in Azure; in this article I am only interested in the fact that an application registered in one Azure AD tenant can be given a service principal, and therefore role assignments, in a different Azure AD tenant. A note on terminology: the closest Azure analogue of an AWS account is a tenant (the directory) together with its subscriptions, so below "account" means tenant. One important difference from AssumeRole is that there is no temporary credential here. The application authenticates with a long-lived client secret or certificate, so that credential must be protected like a password.

Let’s say you have Main account and a Second account that you want to control.

Configure Main account.

Basically it is very simple. You need to create an application that will have access to the Second account in the next stage. Here is how you can create Application:

  1. Sign in to the Azure portal using your Azure account.
  2. Select Azure Active Directory > App registrations > New registration.
  3. Provide a name for the application.
  4. Under Supported account types, choose an option that includes "Accounts in any organizational directory" (a multi-tenant application). A single-tenant application cannot be given a service principal in the Second account, so the rest of this procedure would fail.
  5. Under Redirect URI, select Web as the application type, and (optionally) specify a redirect URI if your application requires it.
  6. After setting the values, select Register. The application registration is created and the Overview page is presented.
  7. Copy the Application ID for use in your application code. This value is also referred to as the Client ID.

You can get the same result using the following command (current az CLI; older releases used --available-to-other-tenants true instead of --sign-in-audience):

az ad app create --display-name MyApp1 --sign-in-audience AzureADMultipleOrgs

The appId in the output is the Client ID, used below as uuid-client-app-id.

Whether you used the web console or the command line, the application still needs a credential. In the portal this is Certificates & secrets > New client secret; on the command line:

az ad app credential reset --id uuid-client-app-id

This generates a random secret and prints it once, together with the appId and tenant; copy it into a secret store, because it cannot be retrieved again. Older CLI releases accepted --password on az ad app create and az ad app update, which is how this step used to be written; current releases reject that flag, and you should not pick a memorable value such as password123 anyway: this secret is the only thing standing between the internet and Contributor access to the Second account. If you can, use a certificate instead (az ad app credential reset --id uuid-client-app-id --create-cert) and keep the validity short with --years.

Configure Second account

The configuration is very simple. I will show how I do it on the command line, as that is easier for me. First log in (az login) to the Second account as a user who is allowed to create service principals and assign roles there (for example an Owner of the resource group used below).

Get the tenant id; we will use it in the last step as uuid-tenant-id:

az account show --output=json | jq -r '.tenantId'

Now create a service principal in the Second account for the application we created in the Main account. This is what lets the Second account grant access to that application, and it only works if the application was registered as multi-tenant. The command returns the service principal as JSON; its id field (objectId in older CLI releases) is the object id we will use below as uuid-sp-object-id:

az ad sp create --id uuid-client-app-id

The next step is to assign a role to this service principal. You can create a custom role or use one of the built-in ones. Built-in roles are identified by a GUID that is the same in every tenant. A few of them (note that three of the GUIDs in this list belong to the "Classic" roles for the legacy deployment model, not to the ARM roles of the same name):

  • Reader acdd72a7-3385-48ef-bd42-f606fba81ae7
  • Contributor b24988ac-6180-42a0-ab88-20f7382dd24c
  • Classic Virtual Machine Contributor d73bb868-a0df-4d4d-bd69-98a00b01fccb
  • Classic Network Contributor b34d265f-36f7-4a0d-a4d4-e158ca92e90f
  • Classic Storage Account Contributor 86e8f5dc-a6e9-4c67-9d15-de283e8eac25
  • Website Contributor de139f84-1756-47ae-9be6-808fbbe84772
  • Web Plan Contributor 2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b
  • SQL Server Contributor 6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437
  • SQL DB Contributor 9b7fa17d-e63e-47b0-bb0a-15c516ac86ec

You can check any of these yourself, because the GUID is the role definition's name and the human-readable label is its roleName:

az role definition list --query "[?roleName=='Contributor'].name" -o tsv

You probably know that Microsoft lets you be very specific when creating a role, but for this project I will use the Contributor role. Keep the scope as narrow as the job needs: a resource group (-g) rather than the whole subscription. Assign the role to the service principal created above; --assignee-principal-type tells the CLI it is a service principal, which avoids a spurious "principal not found" error when the freshly created object has not replicated through the directory yet:

az role assignment create -g my-group-name --assignee-object-id uuid-sp-object-id --assignee-principal-type ServicePrincipal --role b24988ac-6180-42a0-ab88-20f7382dd24c

Final step

Now everything is configured. Open a fresh terminal and make sure you are not logged in to any Azure tenant as yourself, so that the commands below run as the application and nothing else.

You can use this command to log out from Azure:

az logout

Now log in to the Second account as the application, with the secret generated above. The tenant passed to az login is the Second account's tenant id, not the Main one: the token is issued by the Second tenant to an application that lives in the Main tenant. Keep the secret out of your shell history by reading it into a variable rather than typing it on the command line:

read -rs -p 'Client secret: ' AZURE_CLIENT_SECRET; export AZURE_CLIENT_SECRET
az login --service-principal --username uuid-client-app-id --password "$AZURE_CLIENT_SECRET" --tenant uuid-tenant-id

Check that you ended up where you expected before doing anything else; tenantId should be uuid-tenant-id and user.name the application id:

az account show --query "{tenant:tenantId, subscription:name, user:user.name, type:user.type}" -o json
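To make clear what az login --service-principal actually does against the Second tenant, here is an added Python example (not code from the original post): it builds the OAuth2 client-credentials request that the CLI sends to the Second tenant's token endpoint, and then inspects the claims of the token that comes back to confirm it was issued by the tenant we meant to control (tid) to our own application (appid, or azp in the v2 token format), with Azure Resource Manager as the audience. The tenant id, client id, secret and the sample token are constructed placeholders; request_token() is the only part that needs network access and is not exercised offline.

```python
"""The client-credentials exchange behind `az login --service-principal`.

Added example, not code from the original post. The tenant id, client id,
secret and the sample token below are constructed placeholders so that
everything except request_token() runs offline.
"""
import base64
import json
import os
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"
ARM_SCOPE = "https://management.azure.com/.default"   # Azure Resource Manager
ARM_AUDIENCES = ("https://management.azure.com/",
                 "https://management.azure.com",
                 "https://management.core.windows.net/")


def build_token_request(tenant_id, client_id, client_secret, scope=ARM_SCOPE):
    """Return (url, form_body) for the OAuth2 client-credentials grant.

    The URL carries the *Second* tenant id: that tenant mints the token.
    client_id is the app registered in the Main tenant; it is accepted only
    because a service principal for it exists in the Second tenant.
    """
    url = f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    })
    return url, body


def request_token(tenant_id, client_id, client_secret, scope=ARM_SCOPE):
    """POST the request and return the access token. Needs network access."""
    url, body = build_token_request(tenant_id, client_id, client_secret, scope)
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Decode the claims segment of a JWT. The signature is NOT verified here;
    this is for inspecting what we were issued, ARM verifies it server-side."""
    _header, payload, _signature = token.split(".")
    return json.loads(_unb64url(payload))


def check_token(claims, expected_tenant, expected_client):
    """Confirm the token comes from the tenant we meant to control, for our
    own application, and for Azure Resource Manager. Returns the list of
    problems found; an empty list means the token is what we asked for."""
    problems = []
    if claims.get("tid") != expected_tenant:
        problems.append(f"tid {claims.get('tid')!r} != {expected_tenant!r}")
    app = claims.get("appid") or claims.get("azp")   # v1 vs v2 token format
    if app != expected_client:
        problems.append(f"app {app!r} != {expected_client!r}")
    if claims.get("aud") not in ARM_AUDIENCES:
        problems.append(f"unexpected aud {claims.get('aud')!r}")
    return problems


def make_sample_token(claims):
    """Constructed, unsigned JWT (alg=none) for the offline demonstration.
    A real Azure AD token is RS256-signed and carries many more claims."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


if __name__ == "__main__":
    second_tenant = "11111111-1111-1111-1111-111111111111"   # placeholder
    main_app_id = "22222222-2222-2222-2222-222222222222"     # placeholder
    secret = os.environ.get("AZURE_CLIENT_SECRET", "placeholder-secret")

    url, body = build_token_request(second_tenant, main_app_id, secret)
    print("POST", url)                      # endpoint is the Second tenant's

    # Offline stand-in for request_token(...): a token with the claims Azure
    # would put in one issued by the Second tenant to the Main tenant's app.
    token = make_sample_token({"tid": second_tenant, "appid": main_app_id,
                               "aud": "https://management.azure.com/"})
    print("ok" if not check_token(jwt_claims(token), second_tenant, main_app_id)
          else "token is not what we asked for")
```

The check_token() step is the one worth keeping in any automation built on this pattern: a token whose tid is not the Second tenant, or whose appid is not your own application, means you are about to operate somewhere you did not intend, and a wrong aud means the token will be rejected by Resource Manager anyway.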

You are now logged in to the Second account as the application, limited to the Contributor role on my-group-name, and you can run the commands you want there. For example, to create a new VM (the UbuntuLTS image alias used by older CLI releases has been retired; Ubuntu2204 is a current alias):

az vm create -n MyVm -g my-group-name --image Ubuntu2204

I hope this solution helps you. Leave your comments.


About the author

Yuli Stremovsky
Cloud Security & Blockchain Architect
For the past 15 years I’ve been leading the evolution of startups and enterprises to achieve the highest level of security and compliance. Throughout my career I’ve been a Cyber Security expert and advanced solutions architect with many years of hands on experience both on offensive and defensive side. Knowledgeable at the highest level in application development, networking, data and databases, web applications, large scale Software as a Service solutions, cloud security and blockchain technologies.

I’ve been working with CISOs of international enterprises, helping them set Information Security strategy and overseeing the implementation of these recommendations. As part of these projects, I’ve been assisting companies to achieve compliance with GDPR, PCI, HIPAA and SOX.

Among my credits, I was a founder of the database security company GreenSQL/Hexatier, which was acquired by Huawei, and I’ve co-founded a Secure multi-signature Crypto wallet.

Specialties: Software and cloud architecture, Compliance (GDPR, HIPAA, PCI, SOX), blockchain technologies, software development, secure architectures, project management and low level research.