Azure Service Principal
Manage and use Azure service principal credentials in AutoSSL.
Overview
Azure service principal credentials are required to authenticate requests from AutoSSL to Azure services via Microsoft Entra ID. By adding a service principal, you authorize AutoSSL to perform specific actions on your behalf, such as uploading SSL certificate files to Azure Blob Storage.
Configuration Parameters
| Parameter | Description |
|---|---|
| Tenant ID | Your Microsoft Entra ID (Azure AD) tenant ID. |
| Client ID | The application (client) ID of the service principal. |
| Client Secret | The client secret of the service principal. This value is securely encrypted before being stored in AutoSSL. |
Important
If you need to modify the Client Secret field later, you must provide the full secret again.
How to Create a Service Principal
- Log in to the Azure Portal.
- Navigate to Microsoft Entra ID > App registrations > New registration.
- Enter a name (e.g., AutoSSL) and click Register.
- Copy the Application (client) ID and Directory (tenant) ID from the overview page.
- Go to Certificates & secrets > New client secret, create a secret, and copy its value immediately.
- Paste the Tenant ID, Client ID, and Client Secret into AutoSSL.
For more detailed instructions, please refer to the Azure documentation on creating a service principal.
Security Recommendations
- Principle of Least Privilege: Only grant the service principal the exact RBAC roles needed for the target resources (e.g., Storage Blob Data Contributor on a specific storage account or container).
- Regular Rotation: Periodically rotate client secrets and update them in AutoSSL.
- Dedicated Service Principal: Create a separate service principal for AutoSSL rather than reusing credentials from other applications.
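One way to check the least-privilege recommendation above is to audit the role assignments the service principal actually holds. The script below is an added example, not part of AutoSSL; it assumes input shaped like the JSON from `az role assignment list --assignee <client-id> --all -o json` (fields `roleDefinitionName` and `scope`), and the subscription ID, resource group, and storage account names in the sample are constructed.

```python
import re

# Resource ID of a single storage account (Azure resource IDs are case-insensitive).
SA = r"/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.Storage/storageAccounts/[^/]+"
# Scopes the recommendation allows: one storage account, or one container inside it.
NARROW_SCOPE = re.compile(rf"^{SA}(/blobServices/default/containers/[^/]+)?/?$", re.IGNORECASE)
# Role named in the recommendation; extend only if another deployment target needs it.
ALLOWED_ROLES = {"storage blob data contributor"}


def audit(assignments):
    """Return (role, scope, reasons) for each assignment that exceeds least privilege."""
    findings = []
    for a in assignments:
        role = a.get("roleDefinitionName", "")
        scope = a.get("scope", "")
        reasons = []
        if role.lower() not in ALLOWED_ROLES:
            reasons.append("role not needed for blob upload")
        if not NARROW_SCOPE.match(scope):
            reasons.append("scope wider than a single storage account")
        if reasons:
            findings.append((role, scope, reasons))
    return findings


# Constructed sample data (placeholder subscription ID and resource names).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-certs"
SAMPLE = [
    {"roleDefinitionName": "Storage Blob Data Contributor",
     "scope": RG + "/providers/Microsoft.Storage/storageAccounts/stcertsexample"
                   "/blobServices/default/containers/certs"},
    {"roleDefinitionName": "Contributor", "scope": RG},
    {"roleDefinitionName": "Storage Blob Data Contributor", "scope": SUB},
]

if __name__ == "__main__":
    for role, scope, reasons in audit(SAMPLE):
        print(f"[!] {role} @ {scope}: {'; '.join(reasons)}")
```

An empty result means every assignment is the named data-plane role scoped to one storage account or container; anything reported should be removed or narrowed before the secret is entered into AutoSSL.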
Supported Deployment Targets
The Azure service principal is used by the following deployment providers in AutoSSL:
- Azure Blob Storage: Uploads certificate files to a blob container with versioned and latest paths.