
In the recent past, I have wanted to obtain details of an Azure resource from an application and, on occasion, to be able to update or create resources too – securely, via HTTP request.
Here, I'm going to show you how you can make REST API calls to manipulate Azure, and other, resources.
First of all, we need to create a Security Principal (a Service Principal, in Azure AD terms) so that the application has an identity with the appropriate permissions to query the resources within Azure. The roles assigned to that principal define the operations permitted, and its credentials are used to obtain an Access Token with which those operations can be made.
Creating a Security Principal
We create the Security Principal by running the following command:
az ad sp create-for-rbac --name markpatton-cloud
In the command-line response, you will notice the following:
{
  "appId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "displayName": "markpattoncloud",
  "name": "http://markpattoncloud",
  "password": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "tenant": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}
Going forward, we will need the following details:
- AppID – this is the Client ID of the Service Principal which has been created
- Password – also known as the secret of the AppID
- Tenant – the ID of the Directory Tenant
- SubscriptionID – the ID of the subscription
The next step is to obtain an Access Token in order to run REST requests against our subscription.
Obtaining an Access Token
To obtain an OAuth2 Access Token, we send a POST request to the Microsoft Online service, referencing our Tenant ID. We can do this via cURL, here called from PowerShell:
# In Windows PowerShell 5.1, "curl" is an alias for Invoke-WebRequest; call curl.exe there.
$response = curl -X POST -d "grant_type=client_credentials&client_id=$app_id&client_secret=$secret&resource=https%3A%2F%2Fmanagement.azure.com%2F" "https://login.microsoftonline.com/$tenant_id/oauth2/token" | ConvertFrom-Json
# The access token is a bearer credential: whoever holds it can act as the Service Principal until it expires.
$token = $response.access_token
The token will look something like this:
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IllNRUxIVDBndmIwbXhvU0RvWWZvbWpxZmpZVSIsImtpZCI6IllNRUxIVDBndmIwbXhvU0RvWWZvbWpxZmpZVSJ9.eyJhdWQpYXQiOjE1ODYyMTM1OTksIm5iZiI6MTU4NjIxMzU5OSwiZXhwIjoxNTg2MjE3NDk5LCJhaW8iOiI0MmRnWUZoMWhXbGFpWkZaN0ptN01TemJ0NW03QUFBPSIsImFwcGlkIjoiZGZkNDd
.
.
.
6vriCovGUjoF64FEmQSNntJQWv3nTcBJr65RWGhHlwYF1J3xjniSvvWwAPzDNSzTrI5XWtf-oHBfRsM70yNbfmuoON9CaOZw
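As an added example (not part of the original post), the PowerShell below requests the same token with Invoke-RestMethod instead of curl and decodes the JWT payload to check the aud, appid and exp claims before the token is used. The function names, the 300-second margin and the sample token are assumptions constructed for illustration.

```powershell
# Added example (not from the original post); function names are hypothetical.
function Get-ArmToken([string]$TenantId, [string]$AppId, [string]$Secret) {
    # Invoke-RestMethod form-encodes the hashtable, so a secret containing
    # '&' or '+' survives, and it is not passed as a curl process argument.
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $AppId
        client_secret = $Secret
        resource      = 'https://management.azure.com/'
    }
    $uri = "https://login.microsoftonline.com/$TenantId/oauth2/token"
    (Invoke-RestMethod -Method Post -Uri $uri -Body $body).access_token
}

function ConvertFrom-JwtSegment([string]$Segment) {
    # base64url -> base64, then restore the '=' padding that JWTs strip
    $b64 = $Segment.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-ArmToken {
    param(
        [Parameter(Mandatory)][string]$Token,
        [string]$ExpectedAudience = 'https://management.azure.com/',
        [int]$MinSecondsLeft = 300   # assumed safety margin before expiry
    )
    $parts = $Token.Split('.')
    if ($parts.Length -ne 3) { throw 'Expected a three-segment JWT' }
    # Decoded only, not signature-verified: a client-side sanity check, no more
    $claims = ConvertFrom-JwtSegment $parts[1]
    $left   = [long]$claims.exp - [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    $audOk  = ([string]$claims.aud).TrimEnd('/') -eq $ExpectedAudience.TrimEnd('/')
    [pscustomobject]@{
        AppId = $claims.appid; Audience = $claims.aud
        SecondsLeft = $left; Usable = $audOk -and ($left -ge $MinSecondsLeft)
    }
}

# Constructed, unsigned sample token so the check runs offline
$enc = { param($s) [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s)).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
$payload = @{ aud = 'https://management.azure.com/'; appid = '00000000-0000-0000-0000-000000000000'
              exp = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds() } | ConvertTo-Json -Compress
$sample = (& $enc '{"typ":"JWT","alg":"none"}'), (& $enc $payload), 'constructed' -join '.'
Test-ArmToken -Token $sample
```

Because the payload is only base64url-encoded, anything that logs or stores the token also exposes these claims, so keep it out of transcripts and shell history.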
We are now in a position to make our API call. In this example, to demonstrate the concept, I will obtain a list of the Resource Groups in my Subscription:
# List the Resource Groups in the subscription
$url = "https://management.azure.com/subscriptions/$subscription_id/resourceGroups?api-version=2020-01-01"
curl -X GET --header "Authorization: Bearer $token" $url
Now you are able to proceed with making REST calls to Azure APIs.
The following are some resources you’ll find useful:
- Your one-stop shop for REST APIs from Microsoft. Start searching for any REST APIs – https://docs.microsoft.com/en-gb/rest/api/
- Browse for resources or providers currently deployed within your subscription, and obtain the API reference – https://resources.azure.com/
- Use Graph Explorer, with a new permissions helper and access token and code snippets copy – https://developer.microsoft.com/en-us/graph/graph-explorer