Share via


Using the Azure ARM REST API – Get Access Token

This week I’ve been busy with trying to figure out how you can ‘directly’ talk to the Azure ARM REST API instead of using PowerShell or the Azure CLI. Because I could not find a lot of information about this topic online I thought it would nice to share some of learnings.

But why would you even want to directly talk to the Azure ARM REST API? Good question Smile Most of the time I would recommend using tools like PowerShell or the Azure CLI to communicate with the Azure ARM REST API because that’s often way easier. In this case the customer wanted to have all the workflow logic centralized in the tooling which was used for the deployment of the Azure Resources. The deployment tooling could deploy an ARM Template but for the complete configuration of the Azure Resource (WebApp) there was also a need for some pre- and post-activities like configuration of the Diagnostic Logging which preferably should be done using ‘simple’ web service calls to the Azure ARM REST API.

In this firs blog post I’m going to describe how you could get the AccessToken needed for the further Authentication against the Azure ARM REST API.

Azure ARM REST API

Azure Resource Manager provides a new way for you to deploy and manage the services that make up your applications. For an introduction to deploying and managing resources with Resource Manager, see Azure Resource Manager Overview. Most, but not all, services support Resource Manager, and some services support Resource Manager only partially. Microsoft will enable Resource Manager for every service that is important for future solutions, but until the support is consistent, you need to know the current status for each service. For information about the available services and how to work with them, see Resource Manager providers, regions, API versions and schemas. [*from Azure Resource Manager REST API Reference]

Authentication

So how does the authentication work when you want to to do a web request call against the Azure ARM REST API? You need to supply a bearer Access Token in the request Header of the web request. But how do you get that AccessToken? You can retrieve the AccessToken by creating an Active Directory application and service principal and use a ClientID and ClientSecret to retrieve the AccessToken. We will use PowerShell to create the Service Principal to access resources in Azure.

Create a service principal to access resources

  1. Create the AD application with a password
  2. Create the service principal
  3. Assign the Contributor role to the service principal

I used the following PowerShell code:

 [sourcecode language='powershell'  padlinenumbers='true']
#Login to Azure
Add-AzureRmAccount
 
#Select Azure Subscription
$subscription = 
    (Get-AzureRmSubscription |
        Out-GridView `
        -Title 'Select an Azure Subscription ...' `
    -PassThru)
 
Set-AzureRmContext -SubscriptionId $subscription.subscriptionId -TenantId $subscription.TenantID

#create SPN with Password
New-AzureRmADApplication -DisplayName "demowebrequest" -HomePage "https://www.stranger.nl/demowebrequest" -IdentifierUris "https://www.stranger.nl/demowebrequest" -Password "P@ssw0rd!" -OutVariable app
New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId
New-AzureRmRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $app.ApplicationId.Guid

Get-AzureRmADApplication -DisplayNameStartWith 'demowebrequest' -OutVariable app
Get-AzureRmADServicePrincipal -ServicePrincipalName $app.ApplicationId.Guid -OutVariable SPN

image

If you now go to App Registrations in the Azure Portal you see the demowebrequest application being created.

image

We now need to create a new Service Principal Name and assign the correct Contributor Role.

image

If everything goes ok you see the following in the Azure Portal under App Registrations –> demorequest –> Settings.

image

Next we need to set the correct Required permissions and create a Key.

Set required permissions. Go to Required Permissions and click on Add.

image

Select the Access Azure Service Management as organization users (preview) API

image

And finally select the following permissions.

image

We have now configured the correct permissions for the application..

image

The last step in this process is to create a new Key.

Select Keys under App registrations –> [appname] –> Settings pane in the Azure Portal and create a new key.

image

Enter a Key description and save the value on save.

image

We now have the following information available to get an AccessToken:

  • ClientId: this is application id which can be found in the Azure Portal
    image
  • ClientSecret: this is the key value which we created earlier.

Use ClientId and ClientSecret to retrieve AccessToken

Now we have the ClientID and ClientSecret we can do web call to receive an AccessToken which can be used for authentication against the Azure ARM REST API.

Let’s use CURL to retrieve the AccessToken. You also need to enter the tennantid in the request url. You can find the tennantid if you have use the PowerShell script I showed earlier by returning the $subscription.tennantid value in PowerShell.

 [sourcecode language='bash' ]
curl --request POST "https://login.windows.net/[tennantid]/oauth2/token" --data-urlencode "resource=https://management.core.windows.net" --data-urlencode "client_id=[clientid]" --data-urlencode "grant_type=client_credentials" --data-urlencode "client_secret=[clientsecret]"

image

If you would rather use PowerShell to retrieve this AccesToken you can use the following PowerShell code:

 [sourcecode language='powershell' ]
#Azure Authtentication Token

#requires -Version 3
#SPN ClientId and Secret
$ClientID       = "clientid" #ApplicationID
$ClientSecret   = "ClientSecret"  #key from Application
$tennantid      = "TennantID"
 

$TokenEndpoint = {https://login.windows.net/{0}/oauth2/token} -f $tennantid 
$ARMResource = "https://management.core.windows.net/";

$Body = @{
        'resource'= $ARMResource
        'client_id' = $ClientID
        'grant_type' = 'client_credentials'
        'client_secret' = $ClientSecret
}

$params = @{
    ContentType = 'application/x-www-form-urlencoded'
    Headers = @{'accept'='application/json'}
    Body = $Body
    Method = 'Post'
    URI = $TokenEndpoint
}

$token = Invoke-RestMethod @params

$token | select access_token, @{L='Expires';E={[timezone]::CurrentTimeZone.ToLocalTime(([datetime]'1/1/1970').AddSeconds($_.expires_on))}} | fl *
 [sourcecode language='powershell' ]

image

In the next blog post we are going to use this AccessToken to authenticate against the Azure ARM REST API and do some more web requests.

Hope you like it.

 

References:

Comments

  • Anonymous
    November 03, 2016
    You should take a look at the ARMClient tool from david ebbo.
    • Anonymous
      November 05, 2016
      Hi Simon,Thanks for your comment. I know the ARMClient tool and also have used the tool before. But I wanted to show you don't need any tool to communicate with Azure. With the info from my blog I was hoping to demo you don't need any tooling if you don't want that./Stefan
  • Anonymous
    November 24, 2016
    This is really cool. Thanks for this!One strange thing: I am not able to select the Access Azure Service Management as organization users (preview) API and then select permissions. The select button is grayed out. I am however able to use the 'old' portal. And from then on everything works and I can happily fetch my access token. Any idea?
    • Anonymous
      February 17, 2017
      Hi Jacqueline,No I'm sorry I have no idea. I have no resource in the 'old' ASM Azure Portal :-) to test.Regards,Stefan
  • Anonymous
    February 16, 2017
    Hi Stefan,good blog post, thanks!Just a little note, in the begin you are saying to use the Reader Role, but the examples are setting the Contributor Role. Ciao,Marco
  • Anonymous
    February 16, 2017
    Hi Stefan,thank you for this blog post, really useful. A little note: in the beginning you are saying that you want to use the Reader role, but the script examples are using the Contributor role.Ciao,Marco
    • Anonymous
      February 17, 2017
      Hi Marco,Thanks for the feedback. You are correct I updated the blog post according to what I used in the script. Regards,Stefan Stranger
  • Anonymous
    April 08, 2017
    Hi Stefan,Very useful content to get Access Token,but, it will expire in 60 minutes,can you provide the way to use access token for longer time ?
    • Anonymous
      April 10, 2017
      Hi Imran,I've not tried to extend the lifetime of the access token yet. But you can have a look here:http://stackoverflow.com/questions/22043128/windows-azure-active-directory-expiration-of-refreshtokenBut why do you want to extend the lifetime of the token?/Stefan