Azure-docs: How to get password for service principal after creation and how can I reset it?

Created on 28 Mar 2018 · 13 Comments · Source: MicrosoftDocs/azure-docs

I can't get the service principal password after creation time. I don't see such information in the Azure Portal, and the command "az ad sp show --id http://acr-sp" doesn't show it.



All 13 comments

@typik89 Thank you for the valuable feedback, we are investigating the issue.

@typik89 have you reviewed this article to see if it helps?

Yes, but I haven't found an answer.

What does the az acr credential show --name <acrName> --query "passwords[0].value" give you?

It gives me nothing (empty string).

and to confirm, have you first enabled the admin account?
https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication#admin-account

@neilpeterson would you happen to have any feedback on this?

@typik89 - in the AKS > ACR authentication doc, two methods are provided for establishing authentication between an AKS cluster and an ACR registry.

  • Grant the AKS service principal access to the ACR resource
  • Create a new service principal for the ACR resource, and then use a Kubernetes image pull secret to establish the access.

I'm assuming because you are trying to gather the password, you are also trying to use image pull secrets, is this correct?

When running this script (from the doc), both the user name (service principal id) and password should be returned. Is this not the case for you?

#!/bin/bash
set -euo pipefail

ACR_NAME=myacrinstance
SERVICE_PRINCIPAL_NAME=acr-service-principal

# Populate the ACR login server and resource id.
ACR_LOGIN_SERVER=$(az acr show --name "$ACR_NAME" --query loginServer --output tsv)
ACR_REGISTRY_ID=$(az acr show --name "$ACR_NAME" --query id --output tsv)

# Create the service principal with a Reader role assignment scoped to the ACR resource.
# This call is the only place the password is returned; it cannot be read back later.
SP_PASSWD=$(az ad sp create-for-rbac --name "$SERVICE_PRINCIPAL_NAME" --role Reader --scopes "$ACR_REGISTRY_ID" --query password --output tsv)

# Get the service principal client id.
CLIENT_ID=$(az ad sp show --id "http://$SERVICE_PRINCIPAL_NAME" --query appId --output tsv)

# Output used when creating the Kubernetes secret.
echo "Service principal ID: $CLIENT_ID"
echo "Service principal password: $SP_PASSWD"

If not, can you tell me what platform you are running on (Mac, Linux, Windows) and what terminal is being used?

Another thing to verify is that you have access to create a service principal in the Azure subscription. The az ad sp create-for-rbac command should complain if you do not.

@MicahMcKittrick-MSFT thanks for working this issue this far. The authentication between AKS and ACR is something that the team is working to improve :).

Feel free to assign this issue to me and I can support.

thanks Neil!

Hi, Neil! The script works and shows me the password. But what should I do if I would like to reset the password, because there are situations when it must be done for security reasons? I can forget a password, or a password can be leaked. Do I have only one way in these cases, and is this creating a new service principal?

@typik89 via the Azure CLI you can use the az ad sp reset-credentials command. I'm assuming there is something similar for PowerShell.

$ az ad sp reset-credentials --help

Command
    az ad sp reset-credentials: Reset a service principal credential.
        Use upon expiration of the service principal's credentials, or in the event that login
        credentials are lost.

Arguments
    --name -n [Required]: Name or app URI for the credential.
    --append            : Append the new credential instead of overwriting.

Credential Arguments
    --cert              : Certificate to use for credentials.
        When using `--keyvault,` indicates the name of the cert to use or create. Otherwise, supply
        a PEM or DER formatted public certificate string. Use `@{file}` to load from a file. Do not
        include private key info.
    --create-cert       : Create a self-signed certificate to use for the credential.
        Use with `--keyvault` to create the certificate in Key Vault. Otherwise, a certificate will
        be created locally.
    --keyvault          : Name or ID of a KeyVault to use for creating or retrieving certificates.
    --password -p       : The password used to log in.
        If not present and `--cert` is not specified, a random password will be generated.
    --years             : Number of years for which the credentials will be valid. Default: 1 year.

Global Arguments
    --debug             : Increase logging verbosity to show all debug logs.
    --help -h           : Show this help message and exit.
    --output -o         : Output format.  Allowed values: json, jsonc, table, tsv.  Default: json.
    --query             : JMESPath query string. See http://jmespath.org/ for more information and
                          examples.
    --verbose           : Increase logging verbosity. Use --debug for full debug logs.

Does this help?
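The two halves of this thread, the creation script with a Kubernetes image pull secret from the earlier comment and the reset-credentials rotation from this one, fit together as a single script. The following is an added example, not code from the issue or from the Azure docs: it captures the password at the one moment az returns it (creation or reset) and pipes it straight into a pull secret manifest, so it is never echoed and never appears on a kubectl command line. Assumptions: the default names ACR_NAME, SP_NAME, SECRET_NAME and NAMESPACE are placeholders; the `http://<name>` app URI lookup follows the convention of the thread's own script and the 2018-era CLI help quoted above (newer Azure CLI releases expose the same operation as `az ad sp credential reset --id <appId>`); az and kubectl are installed and logged in.

```shell
#!/bin/sh
# Added example, not code from the issue thread or from the Azure docs.
# Creates (or rotates) an ACR-scoped service principal and pushes the password
# straight into a Kubernetes image pull secret, so the secret is captured at the
# one moment az returns it and is never echoed or placed on a command line.
# Assumed names: the defaults below; assumes az and kubectl are installed and logged in.
set -eu

ACR_NAME="${ACR_NAME:-myacrinstance}"          # assumption: your registry name
SP_NAME="${SP_NAME:-acr-service-principal}"    # assumption: SP name / app URI suffix
SECRET_NAME="${SECRET_NAME:-acr-pull-secret}"  # assumption: pull secret name
NAMESPACE="${NAMESPACE:-default}"

# Escape the two characters that would break a JSON string literal.
json_escape() { printf '%s' "$1" | sed 's/[\\"]/\\&/g'; }

# Build the .dockerconfigjson document the kubelet expects. Pure shell, no az needed.
docker_config_json() {
  server=$1; user=$2; pass=$3
  auth=$(printf '%s' "$user:$pass" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$server" "$(json_escape "$user")" "$(json_escape "$pass")" "$auth"
}

# Emit a Secret manifest. `kubectl apply` creates it or updates it in place,
# which is what makes rotation a single idempotent step.
pull_secret_manifest() {
  name=$1; ns=$2; server=$3; user=$4; pass=$5
  data=$(docker_config_json "$server" "$user" "$pass" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $data
EOF
}

# Create: this is the only call that ever returns the password.
create_sp() {
  acr_id=$(az acr show --name "$ACR_NAME" --query id --output tsv)
  az ad sp create-for-rbac --name "$SP_NAME" --role Reader \
    --scopes "$acr_id" --query password --output tsv
}

# Rotate: mint a new password and invalidate the old one (no --append);
# the new value is, again, returned exactly once.
rotate_sp() {
  az ad sp reset-credentials --name "http://$SP_NAME" --query password --output tsv
}

main() {
  case "${1:-}" in
    create) pass=$(create_sp) ;;
    rotate) pass=$(rotate_sp) ;;
    *) echo "usage: $0 create|rotate" >&2; return 1 ;;
  esac
  client_id=$(az ad sp show --id "http://$SP_NAME" --query appId --output tsv)
  server=$(az acr show --name "$ACR_NAME" --query loginServer --output tsv)
  pull_secret_manifest "$SECRET_NAME" "$NAMESPACE" "$server" "$client_id" "$pass" \
    | kubectl apply -f -
  # Report what changed without ever printing the password itself.
  echo "pull secret $SECRET_NAME in $NAMESPACE now holds credentials for $client_id on $server"
}

# Only act when invoked with a subcommand; sourcing the file just defines the functions.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as `./acr-sp.sh create` once and `./acr-sp.sh rotate` whenever a password may have leaked; because the manifest is applied rather than created, the second run overwrites the secret in place and pods pick up the new credential on their next image pull. The manifest path also avoids `kubectl create secret docker-registry --docker-password=...`, which would expose the password to anyone who can list processes on the host running the script.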

PowerShell - docs

PS Azure:\> get-help New-AzureRmADSpCredential

NAME
    New-AzureRmADSpCredential

SYNOPSIS
    Adds a credential to an existing service principal.


SYNTAX
    New-AzureRmADSpCredential -CertValue <String> [-DefaultProfile <IAzureContextContainer>] [-EndDate <DateTime>] -ObjectId <String> [-StartDate <DateTime>] [-Confirm] [-WhatIf]
    [<CommonParameters>]

    New-AzureRmADSpCredential -CertValue <String> [-DefaultProfile <IAzureContextContainer>] [-EndDate <DateTime>] -ServicePrincipalName <String> [-StartDate <DateTime>] [-Confirm] [-WhatIf]
    [<CommonParameters>]

    New-AzureRmADSpCredential [-DefaultProfile <IAzureContextContainer>] [-EndDate <DateTime>] -ObjectId <String> -Password <SecureString> [-StartDate <DateTime>] [-Confirm] [-WhatIf]
    [<CommonParameters>]

    New-AzureRmADSpCredential [-DefaultProfile <IAzureContextContainer>] [-EndDate <DateTime>] -Password <SecureString> -ServicePrincipalName <String> [-StartDate <DateTime>] [-Confirm] [-WhatIf]
    [<CommonParameters>]


DESCRIPTION
    The New-AzureRmADSpCredential cmdlet can be used to add a new credential or to roll credentials for a service principal. The service principal is identified by supplying either the object id
    or service principal name.


RELATED LINKS
    Online Version: https://docs.microsoft.com/en-us/powershell/module/azurerm.resources/new-azurermadspcredential
    Get-AzureRmADSpCredential
    Remove-AzureRmADSpCredential
    Get-AzureRmADServicePrincipal

REMARKS
    To see the examples, type: "get-help New-AzureRmADSpCredential -examples".
    For more information, type: "get-help New-AzureRmADSpCredential -detailed".
    For technical information, type: "get-help New-AzureRmADSpCredential -full".
    For online help, type: "get-help New-AzureRmADSpCredential -online"

I think it's worth mentioning that the password of a service principal can only be retrieved when it's created, as stated by the docs here: https://docs.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli?view=azure-cli-latest#create-a-service-principal

Ran into this issue working with Azure Kubernetes Service (AKS), and it automatically created a service principal for me as I was creating my AKS cluster. However, there was no way for me to retrieve the password, so I had to reset the credentials with this guide for AKS: https://docs.microsoft.com/en-us/azure/aks/update-credentials. This allowed me to retrieve the password immediately after resetting the credentials.
