Service Principal for ADLS

  • Question

  • Hi Team, 

I understand that we need to have a service principal in place for the HDInsight cluster to access ADLS.

    My requirement is to use the service principal information in the PowerShell script.

    I am trying to pass parameters from a PowerShell script to an ARM template and create an HDInsight cluster with access to ADLS.

    I'd like to know how to generate the below in order to pass it from the PowerShell script to ARM:

    • clusterIdentity.applicationId
    • clusterIdentity.certificate
    • clusterIdentity.certificatePassword

    Please let me know the steps, as it's not clear in the documentation. Appreciate your help.


    Wednesday, May 6, 2020 10:34 AM

All replies

  • Hi Rahul,

Could you please share the document which you are referring to?

    Wednesday, May 6, 2020 12:24 PM
  • Hi Pradeep,

Here in our project scenario, we are using a PowerShell script through which we invoke an ARM template in blob storage for HDI cluster creation. In order to assign a cluster identity for ADLS we pass service principal information such as applicationId, Identity.certificate and Identity.certificatePassword from PowerShell to the ARM template.

    I'd like to understand how to generate the certificate and password.

# Read the three cluster identity values back from Key Vault (AzureRM cmdlets).
    $servicePrincipal = Get-AzureKeyVaultSecret -VaultName $KeyVaultName -Name "${clusterName}-AppId"
    $identityApplicationId = $servicePrincipal.SecretValueText       # plain string: the AAD application id
    $serviceCertificate = Get-AzureKeyVaultSecret -VaultName $KeyVaultName -Name "${clusterName}-Cert"
    $identityCertificate = $serviceCertificate.SecretValue           # SecureString: base64-encoded PFX
    $servicePwdCert = Get-AzureKeyVaultSecret -VaultName $KeyVaultName -Name "${clusterName}-CertPwd"
    $identityCertificatePassword = $servicePwdCert.SecretValue       # SecureString: PFX password


"clusterIdentity": {
        "clusterIdentity.applicationId": "[parameters('identityApplicationId')]",
        "clusterIdentity.certificate": "[parameters('identityCertificate')]",
        "clusterIdentity.aadTenantId": "https://login.windows.net/*****",
        "clusterIdentity.resourceUri": "https://datalake.azure.net/",
        "clusterIdentity.certificatePassword": "[parameters('identityCertificatePassword')]"
    }


    Wednesday, May 6, 2020 12:29 PM
  • Hi Rahul,

I would suggest you follow this article, Create HDInsight clusters with Azure Data Lake Storage Gen1 as default storage by using PowerShell, which clearly explains the specific topics:

    • How to create a self-signed certificate and password
    • Create an Azure AD and a service principal
    • Create an HDInsight Linux cluster with Data Lake Storage Gen1 as the default storage

Hope this helps. Do let us know if you have any further queries.


    Do click on "Mark as Answer" and Upvote on the post that helps you, this can be beneficial to other community members.

    Wednesday, May 6, 2020 12:47 PM
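The three steps listed above, carried through end to end in one script. This is an added example written for this page, not code from the thread or from the linked article. It assumes Windows PowerShell with the Az module (Az.Accounts, Az.Resources, Az.KeyVault), an existing login via Connect-AzAccount, an existing Key Vault, and uses the parameter and property names of the Az.Resources versions current when this thread was written (later releases renamed some of them, for example ApplicationId to AppId). The function name, the secret names and the identifier URI are assumptions; the secret names match the ones read by the script earlier in the thread.

```powershell
# Added example (not from this thread): builds the three clusterIdentity values
# for an HDInsight + ADLS Gen1 deployment and stores them in Key Vault.
# Assumes Windows PowerShell with the Az module and an existing Az login.
#Requires -Modules Az.Accounts, Az.Resources, Az.KeyVault

function New-HdiClusterIdentity {
    param(
        [Parameter(Mandatory)] [string] $ClusterName,
        [Parameter(Mandatory)] [string] $KeyVaultName,
        [Parameter(Mandatory)] [securestring] $CertificatePassword,
        [string] $PfxPath = (Join-Path $env:TEMP "$ClusterName-identity.pfx")
    )

    # 1. Self-signed certificate in the user store. The private key must be
    #    exportable so it can be packaged into the PFX the cluster will use.
    $cert = New-SelfSignedCertificate -Subject "CN=$ClusterName-identity" `
        -CertStoreLocation 'Cert:\CurrentUser\My' `
        -KeyExportPolicy Exportable -KeySpec Signature `
        -NotAfter (Get-Date).AddYears(1)

    # 2. Export the PFX protected with the password. That password is what the
    #    template receives as clusterIdentity.certificatePassword.
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $CertificatePassword | Out-Null

    # clusterIdentity.certificate takes the PFX bytes as base64 text.
    $pfxBase64 = [Convert]::ToBase64String([IO.File]::ReadAllBytes($PfxPath))

    # 3. Azure AD application with the public certificate as its credential,
    #    then a service principal for it. The app id is clusterIdentity.applicationId.
    $certValue = [Convert]::ToBase64String($cert.GetRawCertData())
    $app = New-AzADApplication -DisplayName "$ClusterName-identity" `
        -IdentifierUris "api://$ClusterName-identity" `
        -CertValue $certValue -StartDate $cert.NotBefore -EndDate $cert.NotAfter
    $sp = New-AzADServicePrincipal -ApplicationId $app.ApplicationId

    # 4. Store the three values under the names the deployment script reads.
    Set-AzKeyVaultSecret -VaultName $KeyVaultName -Name "$ClusterName-AppId" `
        -SecretValue (ConvertTo-SecureString $app.ApplicationId.ToString() -AsPlainText -Force) | Out-Null
    Set-AzKeyVaultSecret -VaultName $KeyVaultName -Name "$ClusterName-Cert" `
        -SecretValue (ConvertTo-SecureString $pfxBase64 -AsPlainText -Force) | Out-Null
    Set-AzKeyVaultSecret -VaultName $KeyVaultName -Name "$ClusterName-CertPwd" `
        -SecretValue $CertificatePassword | Out-Null

    # The PFX now lives in Key Vault; do not leave a copy with the private key on disk.
    Remove-Item $PfxPath -Force

    [pscustomobject]@{
        ApplicationId      = $app.ApplicationId   # clusterIdentity.applicationId
        ServicePrincipalId = $sp.Id               # object id to grant ADLS ACLs to
        Certificate        = $pfxBase64           # clusterIdentity.certificate
    }
}

# Usage (assumed names): the password is read as a SecureString, never typed
# into the command line where it would be visible in history and process lists.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
New-HdiClusterIdentity -ClusterName 'hdi-demo' -KeyVaultName 'kv-demo' -CertificatePassword $pfxPassword
```

The returned ServicePrincipalId is the object id you grant permissions to on the Data Lake Storage account (the linked article covers that step); the deployment script then reads the three secrets back and passes the certificate and password as securestring parameters.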
Can I create this the following way, using the below commands?

    openssl req -newkey rsa:4096 -nodes -keyout "service-principal.key" -out "service-principal.csr"

    Finally we can generate a PFX file which can be used to authenticate with Azure :

    openssl x509 -signkey "service-principal.key" -in "service-principal.csr" -req -days 365 -out "service-principal.crt"

My question is: while doing the above steps, does it prompt for a password?

    I do not have a free tier account in place, hence asking so many questions.


    Wednesday, May 6, 2020 1:05 PM
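The two openssl commands in the post, run from PowerShell without any interactive prompts, plus the pkcs12 step that actually produces the PFX and its password (the x509 step alone yields a .crt, not a PFX). This is an added example, not from the thread; it assumes openssl is on PATH and the file names and function name are made up. For the prompting question: -nodes stops openssl req from asking for a key passphrase, but req still asks for the subject fields unless -subj is given; the self-signing step asks nothing; and pkcs12 -export asks for an export password unless -passout supplies one, and that export password is the value the ARM template needs as clusterIdentity.certificatePassword.

```powershell
# Added example (not from this thread): non-interactive openssl pipeline that
# ends with a password-protected PFX. Assumes openssl on PATH; names are made up.
function New-ServicePrincipalPfx {
    param(
        [Parameter(Mandatory)] [string] $Subject,            # e.g. 'CN=hdi-cluster-identity'
        [Parameter(Mandatory)] [securestring] $PfxPassword,
        [string] $OutDir = $PWD.Path,
        [int] $Days = 365
    )
    $key = Join-Path $OutDir 'service-principal.key'
    $csr = Join-Path $OutDir 'service-principal.csr'
    $crt = Join-Path $OutDir 'service-principal.crt'
    $pfx = Join-Path $OutDir 'service-principal.pfx'

    # -nodes: no passphrase prompt for the key. -subj: no interactive subject prompts.
    & openssl req -newkey rsa:4096 -nodes -keyout $key -out $csr -subj "/$Subject"
    if ($LASTEXITCODE -ne 0) { throw 'openssl req failed' }

    # Self-sign the request; this step prompts for nothing.
    & openssl x509 -signkey $key -in $csr -req -days $Days -out $crt
    if ($LASTEXITCODE -ne 0) { throw 'openssl x509 failed' }

    # Bundle key + certificate into a PFX. Without -passout this is the step that
    # prompts for an export password. Hand the password over through an
    # environment variable so it never appears on the process command line.
    $env:PFX_PASS = [Net.NetworkCredential]::new('', $PfxPassword).Password
    try {
        & openssl pkcs12 -export -inkey $key -in $crt -out $pfx -passout env:PFX_PASS
        if ($LASTEXITCODE -ne 0) { throw 'openssl pkcs12 failed' }
    } finally {
        Remove-Item Env:PFX_PASS
    }

    # The private key is now inside the PFX; remove the loose key and request.
    # The .crt (public part) is kept for registering the credential on the AAD app.
    Remove-Item $key, $csr -Force

    [pscustomobject]@{
        PfxPath           = $pfx
        PublicCertPath    = $crt
        # clusterIdentity.certificate takes the PFX bytes as base64 text.
        CertificateBase64 = [Convert]::ToBase64String([IO.File]::ReadAllBytes($pfx))
    }
}

# Usage (assumed values): the password is prompted for once, as a SecureString.
$pfxPassword = Read-Host -Prompt 'PFX export password' -AsSecureString
New-ServicePrincipalPfx -Subject 'CN=hdi-cluster-identity' -PfxPassword $pfxPassword
```

Passing the password via env: rather than pass: keeps it out of the command line, which is visible to other processes on the machine and often ends up in shell history; the variable is removed again as soon as openssl returns.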
  • Hi Rahul,

This will not prompt for a password.

    If you want to be prompted for a password, use the below command in the PowerShell script.

$password = Read-Host -Prompt "Enter the password" -AsSecureString
    # This is the password you specified for the .pfx file; -AsSecureString keeps it out of plain text

    Hope this helps.

    Thursday, May 14, 2020 11:55 AM