Building an Azure Event Grid app. Part 4: Adding a service principal to the Event Grid Topic.

For my scenario I created the Azure Event Grid Topic in my subscription but I’d like clients outside of my Azure subscription to be able to subscribe to the Topic.

The way to do that is to use a service principal. This creates an App in Azure Active Directory that you can then grant access to your entire subscription, a resource group or any individual resource. In this case I want to grant only the access to my Event Grid Topic that subscribers need, and nothing wider.

Read and follow this excellent step-by-step how-to for creating a service principal, including checking permissions and assigning the AAD app to the resource:

/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal.

This breaks down into:

Create the AAD application.

In the Portal in the Azure Active Directory service go to the App Registrations blade and New application registration:

Just give the AAD App a name, and remember it as you'll need to use it when you assign the app to the Event Grid Topic. The URL doesn't matter and can be anything.

After you click create select the AAD app and take a note of the keys for this app:

  • Application ID from the application overview blade. This will also be referred to as the Client ID. It can be found again in the AAD app afterwards.
  • Get the Key from Settings | Keys and save a new key. This will also be referred to as the Client Secret. It can only be viewed at the moment you save it; if you don't make a note you'll need to create a new key (easy, but just be aware).
  • Tenant ID from the AAD properties blade. This will also be referred to as the Directory ID. It can be found again in the AAD service afterwards.

Assign the AAD application to a role.

As I only want to provide access to this specific Event Grid Topic (and not the whole subscription or a resource group), navigate in the Portal to Event Grid and select the Topic. Then in the Topic select Access control (IAM) and Add:

Search for the AAD app that you created above, select it and Add permissions, choosing the appropriate Role:

It’s straightforward and doesn’t take long. Having done this you can then access the Topic from another Azure subscription.
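The same three steps (create the AAD app and service principal, scope the role assignment to the single Topic, note the Client ID / Client Secret / Tenant ID) can be scripted with the Azure CLI. The script below is an added example, not part of the original post: the subscription id, resource group and topic name are constructed placeholders, the role names are Azure built-in roles chosen here on the assumption that a subscriber only needs to manage event subscriptions, and commands are only printed unless AZ_RUN=1 is set so it can be read and dry-run without a subscription.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): portal steps done with the Azure CLI.
# Placeholder values below are constructed; replace them with your own.
# Commands are printed, not executed, unless AZ_RUN=1 so the script dry-runs safely.

# Build the ARM resource id of an Event Grid topic; this is the role scope,
# so the app gets rights on this one Topic rather than the whole subscription.
eventgrid_topic_scope() {
  # $1 subscription id, $2 resource group, $3 topic name
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.EventGrid/topics/%s' "$1" "$2" "$3"
}

# Pick the narrowest built-in role for the client's purpose (assumption: these
# two roles cover the subscribe / publish cases; adjust if your client needs more).
role_for() {
  case "$1" in
    subscribe) echo "EventGrid EventSubscription Contributor" ;;
    publish)   echo "EventGrid Data Sender" ;;
    *)         echo "unknown purpose: $1" >&2; return 1 ;;
  esac
}

# Execute a command when AZ_RUN=1, otherwise print it prefixed with "dry-run:".
run() {
  if [ "${AZ_RUN:-0}" = "1" ]; then
    "$@"
  else
    printf 'dry-run:'; printf ' %s' "$@"; printf '\n'
  fi
}

# Create the AAD app + service principal and assign the role at the Topic in one step.
# The JSON output contains appId (Client ID), password (Client Secret) and tenant
# (Tenant ID), i.e. the three values the post says to note; the secret is shown once.
create_topic_sp() {
  # $1 app name, $2 purpose (subscribe|publish), $3 subscription id, $4 rg, $5 topic
  scope=$(eventgrid_topic_scope "$3" "$4" "$5")
  role=$(role_for "$2") || return 1
  run az ad sp create-for-rbac --name "$1" --role "$role" --scopes "$scope"
}

# Check that the app holds only the intended role, and only at the Topic scope.
verify_assignment() {
  # $1 appId, $2 scope
  run az role assignment list --assignee "$1" --scope "$2" --output table
}

# Client side, from the other subscription: sign in with the noted credentials.
login_as_sp() {
  # $1 Client ID, $2 Client Secret, $3 Tenant ID
  run az login --service-principal --username "$1" --password "$2" --tenant "$3"
}

# Demo with constructed placeholder values (dry-run unless AZ_RUN=1).
SUB_ID="00000000-0000-0000-0000-000000000000"
create_topic_sp "my-eventgrid-subscriber" subscribe "$SUB_ID" "my-rg" "my-topic"
verify_assignment "<appId-from-output>" "$(eventgrid_topic_scope "$SUB_ID" my-rg my-topic)"
login_as_sp "<appId>" "<password>" "<tenant>"
```

Running the dry-run prints the three `az` commands with the scope already expanded, which is a quick way to check that the assignment really targets `.../providers/Microsoft.EventGrid/topics/<topic>` and not a resource group or subscription before anything is created.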

For the Logic App in part 2, for example, the initial trigger action of Azure Event Grid can then use the Connect with Service Principal option:

Enter the Service Principal connection details that you made a note of above:

And then you can select the Resource Type (Microsoft.EventGrid.Topics) and you will see the relevant Topic from another subscription:

Cheers,
Giles

Building an Azure Event Grid app. Part 1: Event Grid Topic and a .NET Core custom app event publisher.

Building an Azure Event Grid app. Part 2: Adding a Logic App subscriber to the Event Grid Topic.

Building an Azure Event Grid app. Part 3: Turning the publisher app into a Docker image.

Building an Azure Event Grid app. Part 4: Adding a Service Principal to the Event Grid Topic.

Building an Azure Event Grid app. Part 5: CI and pushing to DockerHub with VSTS.