Set Up and Manage Azure Service Principal Access
Overview
Some Atlas features, such as Data Federation, require access to resources in your Azure Blob Storage environment. To grant that access securely, create or update an Azure Service Principal with an access policy.
Required Access
To configure customer key management, you must have Project Owner access to the project.
Users with Organization Owner access must add themselves to the project as a Project Owner.
Prerequisites
An Atlas account.
The Azure PowerShell or the Azure CLI.
Set Up Azure Service Principal Access
You can set up an Azure service principal with access policy for your Atlas project from the Atlas Administration API or Atlas UI.
You can use the Azure PowerShell or CLI to set up the Service Principal.
In Atlas, go to the Project Integrations page.
If it's not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it's not already displayed, select your desired project from the Projects menu in the navigation bar.
Next to the Projects menu, expand the Options menu, then click Integrations.
The Project Integrations page displays.
Assign Atlas a relationship to your Azure account.
The Add Atlas to your Azure Service Principal section displays the AppId to use in the command that creates a new Service Principal for Atlas or adds Atlas to an existing one. You can use either Azure PowerShell or the Azure CLI to create or update the Service Principal. To create a new Service Principal, follow the steps in the Authorize Azure Service Principal window.
In a terminal, log into PowerShell and get the tenant ID using the commands displayed in the UI.
Enter the ID of your Azure Active Directory tenant in the UI text field.
Copy and run the PowerShell command displayed in the UI in your PowerShell to create a new Service Principal for Atlas.
Atlas automatically uses the AppId displayed in the Add Atlas to your Azure Service Principal section as the value for the -AppId option.
Enter the ID of the service principal that you created.
The service principal ID is the value of the ObjectId field in your PowerShell command output.
Get the ID of your Azure Active Directory tenant using the displayed command and enter the tenant ID returned by the command in the text field in the UI.
Copy and run the displayed command in the Azure CLI to create a new Service Principal for Atlas.
Atlas automatically uses the AppId displayed in the Add Atlas to your Azure Service Principal section as the value for the --id option.
Enter the ID of the service principal that you created.
The service principal ID is the value of the id field in the command output.
To create an Azure service principal with access policy for your Atlas project through the API, send POST requests to the cloudProviderAccess endpoint first with the ID of the project for which you wish to create a service principal and then with the ID of the project and service principal for which you set up access. To learn more about the request path and body parameters, see Create One Cloud Provider Access Role and Authorize One Cloud Provider Access Role.
View Authorized Azure Service Principals
You can view all Azure service principals for your Atlas project from the Atlas Administration API or Atlas UI.
In Atlas, go to the Project Integrations page.
If it's not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it's not already displayed, select your desired project from the Projects menu in the navigation bar.
Next to the Projects menu, expand the Options menu, then click Integrations.
The Project Integrations page displays.
View the authorized Azure service principals.
The Azure Service Principal Access page displays. The page displays the list of service principals configured for your project. For each service principal, the page displays the following:
Field Name | Description |
---|---|
Service Principal | The ID of the service principal. |
Created Date | The date when you created and associated the service principal with Atlas. |
Actions |
To view all the Azure service principals with access policy for your Atlas project through the API, send a GET request to the cloudProviderAccess endpoint with the ID of the project. To learn more about the syntax and parameters to include in the request, see Return All Cloud Provider Access Roles.
View Authorized Azure Service Principal Details
You can view the details of an authorized Azure Service Principal from the Atlas Administration API or Atlas UI.
In Atlas, go to the Project Integrations page.
If it's not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it's not already displayed, select your desired project from the Projects menu in the navigation bar.
Next to the Projects menu, expand the Options menu, then click Integrations.
The Project Integrations page displays.
Click the ellipsis (...) for the Service Principal and select View Service Principal Details from the dropdown.
Atlas displays the Service Principal Details window. You can view and copy the following information about the authorized Service Principal:
Field Name | Description |
---|---|
Atlas Azure AppID | The ID of the Atlas Azure application. |
Tenant ID | The ID of your Azure Active Directory tenant. |
Service Principal ID | The ID of the service principal. |
To view an Azure service principal with access policy for your Atlas project through the API, send a GET request to the cloudProviderAccess endpoint with the ID of the project. To learn more about the syntax and parameters to include in the request, see Return specified Cloud Provider Access Role.
Remove Authorized Azure Service Principal
You can't remove a Service Principal that is currently in use. You can remove unused Azure Service Principals from the Atlas Administration API or Atlas UI.
In Atlas, go to the Project Integrations page.
If it's not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it's not already displayed, select your desired project from the Projects menu in the navigation bar.
Next to the Projects menu, expand the Options menu, then click Integrations.
The Project Integrations page displays.
To remove an Azure service principal with access policy for your Atlas project through the API, send a DELETE request to the cloudProviderAccess endpoint with the ID of the project, the name of the cloud provider, and the ID of the service principal that you wish to remove. To learn more about the syntax and parameters to include in the request, see Deauthorize One Cloud Provider Access Role.
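An audit of the list returned by the cloudProviderAccess GET request described under View Authorized Azure Service Principals, which also picks out the unused entries that this section allows you to remove. This is an added example, not part of the Atlas documentation. The response field names (azureServicePrincipals, _id, tenantId, servicePrincipalId, featureUsages) and every sample value are assumptions constructed for illustration; confirm them against the API reference before use.

```python
import json
import uuid

# Constructed sample response; field names and values are assumptions.
SAMPLE_RESPONSE = json.dumps({"azureServicePrincipals": [
    {"_id": "role-a", "tenantId": "11111111-1111-4111-8111-111111111111",
     "servicePrincipalId": "22222222-2222-4222-8222-222222222222",
     "featureUsages": [{"featureType": "EXAMPLE_FEATURE"}]},
    {"_id": "role-b", "tenantId": "11111111-1111-4111-8111-111111111111",
     "servicePrincipalId": "33333333-3333-4333-8333-333333333333",
     "featureUsages": []},
    {"_id": "role-c", "tenantId": "99999999-9999-4999-8999-999999999999",
     "servicePrincipalId": "not-a-guid", "featureUsages": []},
]})
EXPECTED_TENANT = "11111111-1111-4111-8111-111111111111"  # constructed


def is_guid(value):
    """True only for a canonical hyphenated GUID string."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False


def audit_service_principals(response_text, expected_tenant):
    """Return (role id, finding) pairs for entries that need review."""
    findings = []
    for sp in json.loads(response_text).get("azureServicePrincipals", []):
        role_id = sp.get("_id", "<missing>")
        if not is_guid(sp.get("servicePrincipalId")):
            findings.append((role_id, "malformed-service-principal-id"))
        if str(sp.get("tenantId", "")).lower() != expected_tenant.lower():
            findings.append((role_id, "unexpected-tenant"))
        # Atlas refuses to remove a principal that is in use, so only
        # entries with no feature usage are candidates for removal.
        if not sp.get("featureUsages"):
            findings.append((role_id, "unused-removal-candidate"))
    return findings


if __name__ == "__main__":
    for role_id, finding in audit_service_principals(SAMPLE_RESPONSE,
                                                     EXPECTED_TENANT):
        print(role_id, finding)
```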