
Add Secret or Certificate to Service Principal

Go to Automation: (Add Job Template URL here)


Description

Adds a credential (client secret or certificate) to an existing Entra ID Application / Service Principal. After adding:
  • For secrets: updates (or creates) a PasswordState entry with the new secret value.
  • For certificates: generates/renews a certificate via the d09.certificates.pki_certificate role and documents it in PasswordState.

Credential Source

Service Principal credentials (for Graph access) are pulled from PasswordState:
  • Production: Sys_Azure_AppRegs_PR
  • Onderwijs: Sys_Azure_OND_Admin

Inputs

Variable         Description
AppDisplayName   Display name of the App Registration to modify.
AppID            (Optional) Explicit AppId; if provided, the lookup uses this after resolving by display name.
SecretType       One of Secret, Certificaat, or None. Note that the play compares lowercase values (secret / certificaat); see Notes.
onderwijs        'yes' to target the onderwijs tenant; default 'no'.
task             External task / ticket reference (not used in the logic).
azure_tenant     Default tenant ID (overridden automatically for onderwijs).
tenant_name      Primary domain of the tenant (overridden for onderwijs).
subscription_id  Azure subscription ID (changes for onderwijs).

Operation Flow

  1. Resolve the App Registration by AppDisplayName.
  2. Resolve the Service Principal by AppId.
  3. Branch on SecretType:
     • secret: create the credential with azure_rm_adpassword and store the new secret in PasswordState list 1010 with title = AppDisplayName and username = AppId.
     • certificaat: retrieve (or infer) the certificate template, execute the PKI role, run PowerShell to attach the certificate (script body truncated in source), and update the PasswordState certificate list (6691) under "Certificaat <DisplayName>".
  4. Output the variable secret_renewal when the certificate flow executed (contains the script results).
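The secret branch of the flow above, written out as an added example playbook (not the job's own code) that also applies the case-insensitive SecretType comparison suggested in the Notes. Assumed: azcollection authentication is configured via environment or credentials file, the installed azure_rm_adapplication_info supports the app_display_name parameter (verify against the collection docs), and the PasswordState write is omitted because the d09.passwordstate module parameters are not shown on this page.

```yaml
---
# Added example, not the automation job's playbook.
# Assumption: azure_rm_adapplication_info accepts app_display_name in the installed version.
- name: Add client secret to an Entra ID application (example)
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    AppDisplayName: Sys_Azure_MyApp_PR
    SecretType: Secret                      # 'Secret' or 'secret' both work below
    secret_type_norm: "{{ SecretType | lower }}"
  tasks:
    - name: Resolve App Registration by display name
      azure.azcollection.azure_rm_adapplication_info:
        app_display_name: "{{ AppDisplayName }}"
      register: app_lookup

    - name: Stop if the display name does not resolve to exactly one app
      ansible.builtin.assert:
        that: app_lookup.applications | length == 1
        fail_msg: "Expected one app named {{ AppDisplayName }}, found {{ app_lookup.applications | length }}"

    - name: Resolve Service Principal by AppId
      azure.azcollection.azure_rm_adserviceprincipal_info:
        app_id: "{{ app_lookup.applications[0].app_id }}"
      register: sp_lookup

    - name: Create a new client secret (secret branch only)
      azure.azcollection.azure_rm_adpassword:
        app_id: "{{ app_lookup.applications[0].app_id }}"
        service_principal_object_id: "{{ sp_lookup.service_principals[0].object_id }}"
        state: present
      register: app_secret       # app_secret.secret_text holds the value; keep it under no_log
      no_log: true
      when: secret_type_norm == 'secret'

    - name: Report only the key id, never the secret value
      ansible.builtin.debug:
        msg: "New credential key_id: {{ app_secret.key_id | default('n/a') }}"
      when: secret_type_norm == 'secret'
```

The PasswordState update (list 1010, title = AppDisplayName, username = AppId) would follow the create task and must also carry no_log: true, since the secret value is passed as a module argument.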

Outputs

Output                  Description
app_secret.secret_text  Newly generated secret (masked in logs due to no_log).
pws_password_update     Result of the PasswordState update for secrets.
cert_renew              PowerShell result set for the certificate path.
secret_renewal          First element of cert_renew.output (parsed details).

Dependencies / Modules

Component                                            Purpose
azure.azcollection.azure_rm_adapplication_info       Lookup App Registration.
azure.azcollection.azure_rm_adserviceprincipal_info  Lookup Service Principal.
azure.azcollection.azure_rm_adpassword               Create secret credential.
d09.passwordstate.passwordstate_password_fact        Retrieve credentials / existing entries.
d09.passwordstate.passwordstate_password             Create/update PasswordState entries.
d09.certificates.pki_certificate                     Generate/renew certificate (for certificaat).
ansible.windows.win_powershell                       Attach or renew certificate logic (script truncated).

Example (Add Secret)

AppDisplayName: Sys_Azure_MyApp_PR
SecretType: Secret
onderwijs: 'no'

Example (Add Certificate)

AppDisplayName: Sys_Azure_MyApp_PR
SecretType: Certificaat
onderwijs: 'no'

Notes

  • Ensure consistent casing: the play checks SecretType == 'secret' or SecretType == 'certificaat' (lowercase). Provide lowercase values or adjust playbook for case-insensitive comparison.
  • no_log: true hides sensitive data—review controller job output only if necessary.