Assign a Service Principal (application registration) the subscription creator role on an enrollment account
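"""Grant a service principal a billing role on an EA enrollment account.

If you are trying to create a subscription in Terraform running as a Service
Principal, you might run into the following error:

    subscription.AliasClient#Create: Failure sending request: StatusCode=401
    – Original Error: Code="UserNotAuthorized"
      Message="User is not authorized to create subscriptions on this enrollment account"

Most help you'll find online will send you to this link:
https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/assign-roles-azure-service-principals

This script grants a service principal access to an enrollment account through
the Azure Management API (a PUT on ``billingRoleAssignments``). It assumes you
are logged in locally (``az login``) as a user with permission to manage role
assignments on the billing account; the token is obtained through
``DefaultAzureCredential``.

To verify who has what access to the enrollment account afterwards:

    az rest --method "get" --url 'https://management.azure.com/providers/Microsoft.Billing/billingAccounts/<billing account id>/enrollmentAccounts/<enrollment account>/billingRoleAssignments?api-version=2024-04-01' -o json
"""
import requests
from azure.identity import DefaultAzureCredential

# --- Billing account / enrollment account to grant access on -----------------
# Both IDs can be found in the Azure portal.
billing_account_name = ''
# Enrollment account ID (called "account" in the portal).
enrollmentAccountId = ''

# Billing API version the request body below was written against.
# NOTE(review): the `az rest` verification command in the module docstring uses
# 2024-04-01 while this script sends 2019-10-01-preview; confirm the payload
# shape against the docs before switching versions.
api_version = '2019-10-01-preview'

# Name of the role assignment (a random UUID). A PUT to the same name addresses
# the same assignment, so change this when you create a *new* role assignment.
billingRoleAssignmentName = '798115B3-340B-44FC-A46B-36CEB7805CA7'

# --- Service principal to grant access ---------------------------------------
# Object ID of the service principal (the enterprise application), *not* the
# application (client) ID of the application registration.
principalId = ""
# Tenant ID the service principal lives in.
principalTenantId = ""

# Fail fast on unset identifiers: with an empty path segment the URL is still
# well-formed, so the request would go out and come back as an unhelpful 4xx
# instead of pointing at the blank setting. Checked before any token is
# requested so a misconfigured run never touches the API.
_required = {
    "billing_account_name": billing_account_name,
    "enrollmentAccountId": enrollmentAccountId,
    "principalId": principalId,
    "principalTenantId": principalTenantId,
}
_missing = [name for name, value in _required.items() if not value]
if _missing:
    raise SystemExit(
        f"Please set the following values before running: {', '.join(_missing)}"
    )

# Role definition to assign. The available role definition GUIDs are listed at:
# https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/assign-roles-azure-service-principals#permissions-that-can-be-assigned-to-the-service-principal
# The GUID below is the one this script uses for the subscription-creator role
# on the enrollment account.
roleDefinitionId = (
    f"/providers/Microsoft.Billing/billingAccounts/{billing_account_name}"
    f"/enrollmentAccounts/{enrollmentAccountId}"
    "/billingRoleDefinitions/a0bcee42-bf30-4d1b-926a-48d21664ef71"
)

# Construct the request URL.
url = (
    "https://management.azure.com/providers/Microsoft.Billing"
    f"/billingAccounts/{billing_account_name}"
    f"/enrollmentAccounts/{enrollmentAccountId}"
    f"/billingRoleAssignments/{billingRoleAssignmentName}"
    f"?api-version={api_version}"
)

# Authenticate via DefaultAzureCredential (which, among other sources, picks up
# the local `az login` session) and request an ARM token. The token only ever
# goes into the Authorization header; it is deliberately never printed.
credential = DefaultAzureCredential()
token = credential.get_token("https://management.azure.com/.default").token

headers = {
    "Authorization": f"Bearer {token}",
    "Content-Type": "application/json",
}

# Request body for the role assignment.
payload = {
    "properties": {
        "principalId": principalId,
        "principalTenantId": principalTenantId,
        "roleDefinitionId": roleDefinitionId,
    }
}

# A timeout is set so a stalled connection cannot hang the script indefinitely.
response = requests.put(url, headers=headers, json=payload, timeout=30)

# Treat any 2xx as success (ARM PUTs commonly answer 200 or 201). A failure
# exits non-zero so a wrapping pipeline notices it instead of only seeing a
# printed line. The error body is echoed because it carries the API's reason
# (e.g. the caller lacking rights on the enrollment account).
if response.ok:
    print('Success:', response.json())
else:
    print('Error:', response.status_code, response.text)
    raise SystemExit(1)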