How to run make REST calls to Azure Resource Manager (ARM) inside Github Workflow?

Question

How to run make REST calls to Azure Resource Manager (ARM) inside Github Workflow?

Siegfried Heintze 1,906

I have a working powershell script inspired by https://techcommunity.microsoft.com/t5/azure-paas-blog/import-azure-function-app-to-azure-api-management/ba-p/2594810 and I would like to run it in a Github workflow.

I assume I would use https://github.com/marketplace/actions/powershell-script. Is this what you would use?
I see that Haily mixes azure cli with powershell commands. Is it possible to mix azure cli commands inside a github workflow? Can someone point me to an example? I suspect I'm going to have to convert that azure cli command to a powershell command.
To set up an Github workflow, I believe I will have to create an azure managed identity using the az ad sp create-for-rback and store that as a github secret called AZURE_CREDENTIALS and grant it the ability to make REST calls to the ARM. How do I grant it the ability to make ARM REST calls? Can you show me an example of granting this ability and the powershell command to make the REST call to fetch the function keys? Is there a way to do this with powerhell cmdlets instead of a REST call?
I also want to enhance Haily's script to fetch the function names from my azure function app and create GET operations for each function. I believe this only possible with a REST call to the ARM. How would I translate this azure cli code to use powershell inside a github workflow: $ops = az rest -m get --header "Accept=application/json" -u "https://management.azure.com/subscriptions/$subscription/resourceGroups/$rg/providers/Microsoft.Web/sites/$functionApp/functions?api-version=2015-08-01" | jq .value[].properties.name | tr -d '\r' | tr '\n' ' ' | tr -d '"'

Thanks

Siegfried

MikeUrnun 9,777 Reputation points Moderator

2023-09-05T22:22:10.5733333+00:00

Hello @Siegfried Heintze - Following up to see if the answer below helps. Feel free to get back to us if you need any assistance.

Please "Accept Answer" if the answer is helpful so that it can help others in the community.

Accepted answer

1 additional answer

Your answer

MikeUrnun 9,777 Reputation points Moderator

2023-09-05T22:22:10.5733333+00:00

Hello @Siegfried Heintze - Following up to see if the answer below helps. Feel free to get back to us if you need any assistance.

Please "Accept Answer" if the answer is helpful so that it can help others in the community.

Answer 1

Konstantinos Passadis 19,591 MVP

Hello @Siegfried Heintze !

Allow me to try to answer one by one !

1.Yes, you use the PowerShell Script Action to run PowerShell scripts directly in your GitHub workflow.

2.You can use the Azure CLI directly in GitHub workflows. To run Azure CLI commands, first, you'd set up Azure login with a step like this, using the Azure Login action:

- name: Login to Azure

uses: azure/login@v1

with:

**creds: ${{ secrets.AZURE_CREDENTIALS }}**

And here is an example :

name: Azure Workflow

on:
  push:
    branches:
      - main

jobs:
  azure_operations:
    runs-on: ubuntu-latest

    steps:
    - name: Checkout repository
      uses: actions/checkout@v2

    - name: Azure Login
      uses: azure/login@v1
      with:
        creds: ${{ secrets.AZURE_CREDENTIALS }}

    # Run Azure CLI command
    - name: List Azure Resource Groups using Azure CLI
      run: az group list --output table

    # Run PowerShell command with Azure PowerShell Module
    - name: Get Azure VMs using PowerShell
      run: |
        Install-Module -Name Az -AllowClobber -Scope CurrentUser -Force
        Import-Module Az

        $rgs = az group list --query "[].name" --output tsv
        foreach ($rg in $rgs) {
          $vms = Get-AzVM -ResourceGroupName $rg
          $vms | ForEach-Object { Write-Output $_.Name }
        }

3.Creating a Service Principal and storing it in GitHub Secrets is the right approach. Once you've created the Service Principal with az ad sp create-for-rbac, you'll have the necessary permissions to make calls to the Azure Resource Manager (ARM). The ROLE is the permission bound to the Principal , it could be any role available on Azure IAM , usually the Contributor is set , but best practices instruct us to use the least privilege approach !

Additionally you can use Azure PowerShell to make REST calls with Invoke-RestMethod.

$uri = "https://management.azure.com/subscriptions/$subscription/resourceGroups/$rg/providers/Microsoft.Web/sites/$functionApp/functions/$functionName/listkeys?api-version=2015-08-01"
$functionKeys = Invoke-RestMethod -Method Post -Uri $uri -Headers @{ Authorization = "Bearer $accessToken" }

Note: $accessToken should be the token you get after logging in to Azure with PowerShell.

In PowerShell, you don't need jq since it has native support for JSON. Here's how you can translate the Azure CLI command:

$uri = "https://management.azure.com/subscriptions/$subscription/resourceGroups/$rg/providers/Microsoft.Web/sites/$functionApp/functions?api-version=2015-08-01"
$functions = Invoke-RestMethod -Method Get -Uri $uri -Headers @{ Authorization = "Bearer $accessToken" }
$functionNames = $functions.value.properties.name

I hope this helps!

Kindly mark the answer as Accepted and Upvote in case it helped!

Regards

Siegfried Heintze 1,906 Reputation points

2023-09-06T22:20:50.1233333+00:00

Sorry for the delay ... I hope to try this out in the next couple of days.

I'm not clear on how to get the $accessToken from the login. Can you elaborate on how I do that inside a github workflow?
Konstantinos Passadis 19,591 Reputation points MVP

2023-09-06T23:32:25.5933333+00:00

Hello @Siegfried Heintze !

Sample :

$token = (Get-AzAccessToken -ResourceUrl https://management.azure.com).Token

I hope this helps!

Kindly mark the answer as Accepted and Upvote in case it helped!

Regards
MikeUrnun 9,777 Reputation points Moderator

2023-09-07T23:24:40.6966667+00:00

@Siegfried Heintze Just checking in again, were you able to fetch the token?
Siegfried Heintze 1,906 Reputation points

2023-09-10T22:33:19.2633333+00:00
Konstantinos & Mike:

ChatGPT says I need to log in (a second time using "az login") as that managed identity before I get the token. Is this true? I wonder why I would need to execute "az login" after having used the azure/login@v1. Looks like ChatGPT is using the az cli counterpart of Get-AzAccesToken.

See my attempt here after consulting with ChatGPT. I'm dying on the "az login" attempt.

https://github.com/siegfried01/HelloAzureADAuthenticatedFunc/blob/master/.github/workflows/jac3sukjdrxzi-func-CrewTaskMgrAuthSvcs.yml#L40.

I'm getting an error here: https://github.com/siegfried01/HelloAzureADAuthenticatedFunc/actions/runs/6152589280/job/16694995123#step:4:21 (unable to resolve tenant).

Ok, let's try commenting out the "az login". Now I am getting the error on the "az rest" call.

ERROR: Unauthorized(***"error":***"code":"InvalidAuthenticationToken","message":"The access token is

So I guess I need to use the "az login" after all.

Now I am assuming that the secrets.AZURE_TENANT_ID was created when I created the AZURE_CREDENTIALS secret in GITHUB. Is this true?

If not, I manually created secrets for AZURE_CLIENT_ID, AZURE_CLIENT_SECRET & AZURE_TENANT_ID.

Let me try again: Looks like I fixed the problem with the tenantID I was having previously. Progress!

Is there a way to fetch the AZURE_CLIENT_ID, AZURE_CLIENT_SECRET & AZURE_TENANT_ID from the AZURE_CREDENTIALS so I don't have to make these additional secrets in github?

Well shucks! Now I'm logging in successfully with the "az login" command (twice!) but I'm still having the same unauthorized error I was getting before:

ERROR: Unauthorized(***"error":***"code":"InvalidAuthenticationToken","message":"The access token is invalid."***)

Here is the error: https://github.com/siegfried01/HelloAzureADAuthenticatedFunc/actions/runs/6154606635/job/16700215345#step:5:50

Note that I got this "az rest" command (to get the function keys) from https://techcommunity.microsoft.com/t5/azure-paas-blog/import-azure-function-app-to-azure-api-management/ba-p/2594810 and it works on my windows development laptop.

I tried an experiment: I logged in as my managed identity and I was able to run this powershell script on my development laptop and it worked (note the missing header for the bearer token):

$accountInfo = az account show $accountInfoObject = $accountInfo | ConvertFrom-Json $subscriptionId = $accountInfoObject.id $functionkeylist = az rest --method post --uri "https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$rg/providers/Microsoft.Web/sites/$functionName/host/default/listKeys?api-version=2018-11-01" $keylistobject = $functionkeylist | ConvertFrom-Json $functionKey = $keylistobject.functionKeys.default $key = $functionKey.Substring(0,4) write-output "key = $key ..."

This same code running under the same managed identity does not work when running inside the Github workflow. Why not?

Also: is there a way I can have contributor access to the Azure API Mgr and read only access to the azure functions (to fetch their keys)?

Thanks

Siegfried
Siegfried Heintze 1,906 Reputation points

2023-09-17T13:16:21.43+00:00
Progress: The script that ChatGPT created had mistakenly included "Bearer" twice when creating the authorization header.

I am now getting this error:

The access token is invalid Interactive authentication is needed. Please run: az logout az login

See my workflow yaml here:

https://github.com/siegfried01/CrewTaskManagerTempPublic/blob/main/jac3sukjdrxzi-func-CrewTaskMgrAuthSvcs-Sat-Sep-16-2023-14.yml#L66

Answer 2

Siegfried Heintze 1,906

Problem solved: https://github.com/orgs/community/discussions/67346

Adding

        enable-AzPSSession: true

in the checkout action does the trick!

Konstantinos Passadis 19,591 Reputation points MVP

2023-09-20T23:17:55.35+00:00

Hello @Siegfried Heintze !

Thats great !

In case any answer above helped kindly mark it as Accepted , as others can benefit as well!

Regards!
Siegfried Heintze 1,906 Reputation points

2023-09-21T04:04:28.8433333+00:00

I have a follow up question here: https://github.com/orgs/community/discussions/67524

I'd love it you had time to take a look!
Konstantinos Passadis 19,591 Reputation points MVP

2023-09-21T08:31:51+00:00

Hello @Siegfried Heintze !

I cannot find this in the reader role :

And i cannot find it anywhere , so i came down to the conclusion if you need Least privilege to create a Custom Role to do that !

Regards!
Siegfried Heintze 1,906 Reputation points

2023-09-21T16:35:39.3766667+00:00
Please help me find this display in the portal. I'm looking at my Function app in the portal under the IAM (access control). I clicked on "Roles" and I see "Reader" and clicked on "View" was expecting to see your screen shot and I don't see it.

In addition to getting the function keys, I need to get the metadata using this command:

curl -X GET -H "Accept=application/json" -H "Authorization: Bearer $AZURE_HTTP_API_AUTH_TOKEN" "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RG/providers/Microsoft.Web/sites/$AZURE_FUNCTIONAPP_NAME/functions?api-version=2015-08-01"

This is works from my laptop but fails inside my github workflow. What privs/roles do I need for this? I'm looking at the Details of the READ and I see "Gets Operations". When I look under "Contributor" I see "Read Read all API operations available for API Management" and "Read Get keys list or Get key details Get a list of keys or Get details of key"...

Since my Github service principal already has the contributor role, it should work for fetching both the function keys (which might be working because there is no error) and operations (meta data) .

When I fetch the operations (meta data) it is failing with the error message "Authorization failed" (but only in the github workflow).

Thanks!
Konstantinos Passadis 19,591 Reputation points MVP

2023-09-21T18:08:10.93+00:00

Hello @Siegfried Heintze !

I will make two suggestions for you

Either create a custom role and add this specific Permission in the Screenshot

OR try this ( i dont remember clearly i have a strong hunch that this has solved similar issues)

Find the ServPrincipal in Entra ID \ Azure AD, from Application Registrations

Go to API Permissions

Select Azure Service Management

User.Impersonation check box

Grant Consent

Retry

Kindly let us know , please try the 2nd one first !

Regards !
Konstantinos Passadis 19,591 Reputation points MVP

2023-09-21T18:38:24.81+00:00

Hello @Siegfried Heintze !

The role that has this Permissions is Website Contributor
Siegfried Heintze 1,906 Reputation points

2023-09-22T22:08:49.24+00:00

OK, I tried both (in the order you suggested) and same error.

Here is the result of the first one:

Here is the command I used for the second one:

New-AzRoleAssignment -ObjectId $spID -RoleDefinitionName "Website Contributor" -Scope "/subscriptions/$subscriptionId/resourceGroups/$rg/providers/Microsoft.Web/sites/$AZURE_FUNCTIONAPP_NAME"

I think I also want "Get Operations" to the meta data with the REST call I described above:

I went to the portal for the azure function overview and clicked on JSON view to get the resource ID and this is the same as the scope I used in the "New-AzRoleAssignment"

Shucks...

I hope you have some more ideas!

Siegfried
Konstantinos Passadis 19,591 Reputation points MVP

2023-09-23T00:21:04.41+00:00

Hello @Siegfried Heintze !

Ok let me re catch up !

I have another one but read ahead ,,,,,try the last suggestion before anything else!

On the API Permissions Again , find in the Tab "Apis My organization Uses"

Please activate Admin Consent !

Re apply the role Id

AND one Final that could save the day !!! try this one first thing!!!

On Azure Functions you can see a CORS Setting ....remove every thing and just add *

Strongly suspected since it runs from your Laptop!!!

It was also a saver on other occasions.....

I hope this helps !
Siegfried Heintze 1,906 Reputation points

2023-09-23T19:25:06.0466667+00:00

OK, I tried all of your suggestions.

Review:

(1) All this works fine from my laptop

(2) Getting the app function keys might be working: I'm not getting an error but I cannot print out the result. Let's assume this is working for now.

(3) Getting the list of operations has never worked inside the github workflow (even with contributor).

(4) The first goal is to make this work inside the workflow using any roles we can. We can worry about using minimal roles later in a future post.

What I have Done:

(1) Since I did not understand the last suggestion, I just clicked all the boxes and submitted it and tried again and it failed again with the same error (Not authorized).

(2) I also tried turning off CORS by deleting my existing entry of https://portal.azure.com/ and adding "*". This did not help: same error.

(3) I tried adding the role of "owner" to my service principal. This did not work. Same error. This is an important clue because this should have worked.

(4) I removed the 'Reader' role from the service principal and added it again using powershell and saved the result from the powershell command. The github workflow error message says "The client 'b3dc42a3-xxxx-xxxx-xxxx-e49d8534621d' with object id 'b3dc42a3-xxxx-xxxx-xxxx-e49d8534621d' does not have authorization to perform 'Microsoft.Resources/subscriptions/resourceGroups/Microsoft.Web/functions/read' over scope '/subscriptions/a.../RourceGroups/providers/Microsoft.Web/sites". The object Id in the powershell command (and results) matches the error message. The scope almost matches. This could be the problem. The scope in the error message does not include the name of the azure function and my powershell command (and results) does include the name of the azure function. When I try to add the Role 'Reader' with the exact scope given in the github workflow error message, I get this error from powershell: Scope '/subscriptions/acc26051-xxxx-xxxx-xxxx-64a187bc27db/resourceGroups/providers/Microsoft.Web/sites' should begin with '/subscriptions/<subid>/resourceGroups/<groupname>/providers'. Hmmm... I try again and add the resource group name but still leave off the azure function name and I get this error: Scope '/subscriptions/acc26051-xxxx-xxxx-xxxx-64a187bc27db/resourceGroups/rg_CrewTaskMgr/providers/Microsoft.Web/sites' should have even number of parts.

So I think this is the problem: Someone, maybe github, is confused about scopes. When I use powershell to add the 'Reader' role with the scope '/subscriptions/$subscriptionId/resourceGroups/$rg/providers/Microsoft.Web/sites/$AZURE_FUNCTIONAPP_NAME`' to my service principal powershell (and the portal) indicates that I was successful but my github workflow says "Not authorized" when I try to use the read access to fetch the operations.

Also: I tried logging in as the service principal and ran the script from my lap top and everything worked.

Please help me understand how to grant the github workflow and my service principal read access to get the operations from the azure function app.
Konstantinos Passadis 19,591 Reputation points MVP

2023-09-23T22:16:00.1+00:00

Hello @Siegfried Heintze !

Important ! Grant Admin Consent on the API Permissions!!!

Do that for starters , and i send you a message on Git

Regards !
Siegfried Heintze 1,906 Reputation points

2023-09-23T23:39:06.4966667+00:00

Ah hah! I can click on Grant Admin Consent even though it is not required. OK.

Shucks! No luck. Same old error message: "Not Authorized".

Konstantinos Passadis 19,591 MVP

Hello !

Would you mind testing this ?

There have been some cleaning here so if the code fits your objective give it a go please

name: Build and deploy .NET Core application to Function App

on:
  workflow_dispatch:
    branches:
    - master

env:
  RG: rg_CrewTaskMgr
  FUNCTIONAPP: jac3sukjdrxzi-func-CrewTaskMgrAuthSvcs

jobs:
  configure-apim:
    runs-on: windows-latest
    steps:
    - name: Checkout code
      uses: actions/checkout@v2
    
    - name: Set up Azure CLI
      uses: azure/login@v1
      with:
        creds: ${{ secrets.AZURE_CREDENTIALS }}
    
    - name: Acquire Azure AD token (bash)
      id: azure-token
      run: |
        token=$(az account get-access-token --query 'accessToken' -o tsv)
        echo "::set-output name=token::$token"
      shell: bash
    
    - name: Use Bearer Token to Make REST Call (Powershell)
      uses: azure/powershell@v1
      with:
        inlineScript: |
          $subscriptionId = (az account show --query 'id' -o tsv)
          $token = "${{ steps.azure-token.outputs.token }}"
          $uri = "https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$env:RG/providers/Microsoft.Web/sites/$env:FUNCTIONAPP/host/default/listKeys?api-version=2018-11-01"
          $functionkeylist = az rest --headers "Authorization=Bearer $token" --method post --uri $uri
          $keylistobject = $functionkeylist | ConvertFrom-Json
          $functionKey = $keylistobject.functionKeys.default
          Write-Output "Function Key: $functionKey"
        azPSVersion: "latest"

Siegfried Heintze 1,906 Reputation points

2023-09-25T23:26:19.85+00:00

When I added interactive login, it worked (after several additional hours of futzing and fussing around)!

Yahoo! Thank you Konstantinos! How do I mark that last comment as the answer!
Konstantinos Passadis 19,591 Reputation points MVP

2023-09-26T07:29:54.9366667+00:00

Hello @Siegfried Heintze !

That is so great !

No worries you have already set the Accepted Answer !

I am very happy for you !

Keep it up man !

Regards!

Share via

How to run make REST calls to Azure Resource Manager (ARM) inside Github Workflow?

1 additional answer

Your answer