Last Updated: 2024-02-26

Background

Azure service principals are service identities used by applications and automation tools to access Azure resources securely. They have a number of different characteristics.

Role-based permissions

Service principals do not control individual user logins. Instead, they are used by applications, services, or automation tools to access Azure resources on behalf of users by providing the specific permissions needed to access resources in Azure. The roles assigned to service principals define which actions those applications or services can perform using Azure resources.

Automation

Service principals are primarily used to automate tasks. This typically includes several key automation use cases:

Secure connection

Service principals ensure secure interaction between applications and Azure resources without manual intervention. Starburst Galaxy supports using an Azure service principal as a means of securely connecting to your Azure Data Lake Storage (ADLS).

In this tutorial, you will learn how to use Starburst Galaxy, ADLS, and Azure service principals together.

Scope of tutorial

In this tutorial, you will learn how to configure an Azure service principal. You will work in both the Azure portal and Starburst Galaxy UI.

Learning objectives

Once you've completed this tutorial, you will be able to:

Prerequisites

About Starburst tutorials

Starburst tutorials are designed to get you up and running quickly by providing bite-sized, hands-on educational resources. Each tutorial explores a single feature or topic through a series of guided, step-by-step instructions.

As you navigate through the tutorial you should follow along using your own Starburst Galaxy account. This will help consolidate the learning process by mixing theory and practice.

Background

Azure allows you to register your application or service, integrating it with Microsoft Entra ID. This is the first step towards using Azure service principals.

After registration, your application will be able to sign in users, request access to Microsoft Entra ID-protected resources like APIs, and perform other authentication-related tasks. This registration is what enables the use of an Azure service principal.

Step 1: Sign in to Azure portal

You'll begin in the Azure portal. If you use multiple Azure accounts, make sure to log in to the account that has access to the ADLS that you want to use for this tutorial.

Step 2: Create a new application registration

Now it's time to create a new Application registration using the Azure portal.

Step 3: Register an application

To register a new application, you must provide a name and supported account type.

Step 4: Record application registration details

Now it's time to capture some details about your application registration. Later in this tutorial, you'll need these to set up your Azure Service Principal.

At this point, you should be on the Overview page for your new app registration. In the Essentials section, copy the following details, and save them for future use.

Background

An Azure client secret is a credential used by an application to authenticate its identity when requesting access to resources from Microsoft Entra ID. Similar to a user's username and password, it serves as a form of authentication for the application.

In this section, you'll create a client secret for authentication between Azure and Starburst Galaxy. Later in the tutorial, this will be used to help set up your Azure Service Principal.

Step 1: Create a new client secret

You're going to start by creating a new client secret in the Azure portal.

Step 2: Configure secret

It's time to begin configuring the new secret. To do this, you're going to add a description and expiration date.

Step 3: Copy and store secret

Azure will have created a new secret. Next, you need to save it and use it to configure the Azure service principal authentication in Starburst Galaxy.

Background

It's time to switch over to the Starburst Galaxy UI. In this next section you will configure a new Azure service principal using the information you just obtained from your application registration.

Step 1: Sign into Starburst Galaxy

Step 2: Set your role

Starburst Galaxy separates users by role. Your current role is listed in the top right-hand corner of the screen.

Setting up Azure Service Principal authentication will require access to a role with appropriate privileges. Today, you'll be using the accountadmin role.

Step 3: Select Azure cloud settings

Starburst Galaxy supports all three major cloud providers: AWS, Azure, and Google Cloud. The Starburst Galaxy web UI lets you configure access to each cloud provider using the Cloud settings menu.

Step 4: Configure Azure service principal

Now it's time to use the information that you copied from the Azure portal to configure the Azure service principal. To do this, you're going to use the Starburst Galaxy web UI.

Background

Starburst Galaxy needs sufficient permissions on your Azure Data Lake Storage (ADLS) account to access your data sources in Azure. In particular, you will need to grant both the Contributor and Storage Blob Data Owner roles to the service principal you're using for authentication.

This section will walk you through the process of granting these roles in the Azure portal. You'll begin by navigating to the Storage accounts section.

Step 1: Access Azure storage accounts service

You're going to begin in the Azure portal. To grant permissions to your ADLS account, you need to locate it from a list of storage accounts.

Step 2: Locate storage account

Now it's time to locate the ADLS account that you'd like to connect to Starburst Galaxy.

Step 3: Add first role assignment

It's time to add the first of two new role assignments to your ADLS account. This one will allow your service principal to have Contributor permissions to your storage account.

Step 4: Select role members

Now you need to add your Azure service principal as a member of this role. This will complete the connection between the two.

Step 5: Confirm role assignment

Now that you've added the new role, it's time to confirm that it has been assigned properly.

Step 6: Add second role assignment

Next, it's time to add the second role assignment. This one will allow your service principal to have Storage Blob Data Owner permissions to access your storage account.

Step 7: Select role members

Now it's time to add your Azure service principal as a member of this role. This will complete the connection between the two.

Step 8: Confirm role assignment

Now that you've added the second role, it's time to confirm that it has been assigned properly. This step is similar to the check you did on the first role.
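The confirmation in Steps 5 and 8 can also be done programmatically. The following is an added example, not part of the original tutorial or Starburst's own code: it checks role assignment records, in the JSON shape printed by `az role assignment list`, for both required roles and reports any that were granted at a scope wider than the storage account. All IDs, names, and scopes are constructed placeholders; `principalId` is the service principal's object ID.

```python
# Roles the tutorial grants to the service principal on the ADLS account.
REQUIRED_ROLES = {"Contributor", "Storage Blob Data Owner"}

def audit_assignments(assignments, principal_id, storage_scope):
    """Return (missing_roles, broad_grants) for one service principal.

    A role assigned at a parent scope (resource group, subscription) is
    inherited by the storage account, so it counts as granted but is also
    reported as broader than the storage-account scope used in the tutorial.
    """
    target = storage_scope.rstrip("/").lower()
    granted, broad = set(), []
    for a in assignments:
        if (a.get("principalId") or "").lower() != principal_id.lower():
            continue
        raw = a.get("scope")
        if not raw:
            continue
        scope = raw.rstrip("/").lower()
        if scope == target:
            granted.add(a.get("roleDefinitionName"))
        elif target.startswith(scope + "/"):  # parent scope, not a sibling account
            granted.add(a.get("roleDefinitionName"))
            broad.append((a.get("roleDefinitionName"), raw))
    return sorted(REQUIRED_ROLES - granted), broad

# Constructed sample data (placeholder IDs and names, not from a real tenant).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ACCOUNT = SUB + "/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/demoadls"
SP_ID = "11111111-1111-1111-1111-111111111111"
OTHER_ID = "22222222-2222-2222-2222-222222222222"
SAMPLE = [
    {"principalId": SP_ID, "roleDefinitionName": "Storage Blob Data Owner", "scope": ACCOUNT},
    {"principalId": SP_ID, "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalId": OTHER_ID, "roleDefinitionName": "Contributor", "scope": ACCOUNT},
    {"principalId": OTHER_ID, "roleDefinitionName": "Storage Blob Data Owner", "scope": ACCOUNT + "2"},
]

if __name__ == "__main__":
    missing, broad = audit_assignments(SAMPLE, SP_ID, ACCOUNT)
    print("missing roles:", missing)
    print("granted above storage-account scope:", broad)
```

In the sample, the first principal has both roles but holds Contributor on the whole subscription, while the second is missing Storage Blob Data Owner because its assignment targets a different storage account whose name merely shares a prefix.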

Tutorial complete

Congratulations! You have reached the end of this tutorial, and the end of this stage of your journey.

You're all set! Now you can use your Azure service principal to configure access to data in your ADLS catalogs.

Continuous learning

At Starburst, we believe in continuous learning. This tutorial provides the foundation for further training available on this platform, and you can return to it as many times as you like. Future tutorials will make use of the concepts used here.

Next steps

Starburst has lots of other tutorials to help you get up and running quickly. Each one breaks down an individual problem and guides you to a solution using a step-by-step approach to learning.

Tutorials available

Visit the Tutorials section to view the full list of tutorials and keep moving forward on your journey!
