1# autorest azure example
2
3## Usage (device mode)
4
5This shows how to use the example for device auth.
6
71. Execute this. It will save your token to /tmp/azure-example-token:
8
9 ```
10 ./example -tenantId "13de0a15-b5db-44b9-b682-b4ba82afbd29" -subscriptionId "aff271ee-e9be-4441-b9bb-42f5af4cbaeb" -mode "device" -tokenCachePath "/tmp/azure-example-token"
11 ```
12
132. Execute it again, it will load the token from cache and not prompt for auth again.
14
15## Usage (certificate mode)
16
17This example covers how to make an authenticated call to the Azure Resource Manager APIs, using certificate-based authentication.
18
190. Export some required variables
20
21 ```
22 export SUBSCRIPTION_ID="aff271ee-e9be-4441-b9bb-42f5af4cbaeb"
23 export TENANT_ID="13de0a15-b5db-44b9-b682-b4ba82afbd29"
24 export RESOURCE_GROUP="someresourcegroup"
25 ```
26
27 * replace both values with your own
28
291. Create a private key
30
31 ```
32 openssl genrsa -out "example.key" 2048
33 ```
34
35
36
372. Create the certificate
38
39 ```
40 openssl req -new -key "example.key" -subj "/CN=example" -out "example.csr"
41
42 openssl x509 -req -in "example.csr" -signkey "example.key" -out "example.crt" -days 10000
43 ```
44
45
46
473. Create the PKCS12 version of the certificate (with no password)
48
49 ```
50 openssl pkcs12 -export -out "example.pfx" -inkey "example.key" -in "example.crt" -passout pass:
51 ```
52
53
54
554. Register a new Azure AD Application with the certificate contents
56
57 ```
58 certificateContents="$(tail -n+2 "example.key" | head -n-1)"
59
60 azure ad app create \
61 --name "example-azuread-app" \
62 --home-page="http://example-azuread-app/home" \
63 --identifier-uris "http://example-azuread-app/app" \
64 --key-usage "Verify" \
65 --end-date "2020-01-01" \
66 --key-value "${certificateContents}"
67 ```
68
69
70
715. Create a new service principal using the "Application Id" from the previous step
72
73 ```
74 azure ad sp create "APPLICATION_ID"
75 ```
76
77 * Replace APPLICATION_ID with the "Application Id" returned in step 4
78
79
80
816. Grant your service principal necessary permissions
82
83 ```
84 azure role assignment create \
85 --resource-group "${RESOURCE_GROUP}" \
86 --roleName "Contributor" \
87 --subscription "${SUBSCRIPTION_ID}" \
88 --spn "http://example-azuread-app/app"
89 ```
90
91 * Replace SUBSCRIPTION_ID with your subscription id
92 * Replace RESOURCE_GROUP with the resource group for the assignment
93 * Ensure that the `spn` parameter matches an `identifier-url` from Step 4
94
95
96
977. Run this example app to see your resource groups
98
99 ```
100 go run main.go \
101 --tenantId="${TENANT_ID}" \
102 --subscriptionId="${SUBSCRIPTION_ID}" \
103 --applicationId="http://example-azuread-app/app" \
104 --certificatePath="certificate.pfx"
105 ```
106
107
108You should see something like this as output:
109
110```
1112015/11/08 18:28:39 Using these settings:
1122015/11/08 18:28:39 * certificatePath: certificate.pfx
1132015/11/08 18:28:39 * applicationID: http://example-azuread-app/app
1142015/11/08 18:28:39 * tenantID: 13de0a15-b5db-44b9-b682-b4ba82afbd29
1152015/11/08 18:28:39 * subscriptionID: aff271ee-e9be-4441-b9bb-42f5af4cbaeb
1162015/11/08 18:28:39 loading certificate...
1172015/11/08 18:28:39 retrieve oauth token...
1182015/11/08 18:28:39 querying the list of resource groups...
1192015/11/08 18:28:50
1202015/11/08 18:28:50 Groups: {"value":[{"id":"/subscriptions/aff271ee-e9be-4441-b9bb-42f5af4cbaeb/resourceGroups/kube-66f30810","name":"kube-66f30810","location":"westus","tags":{},"properties":{"provisioningState":"Succeeded"}}]}
121```
122
123
124
125## Notes
126
127You may need to wait sometime between executing step 4, step 5 and step 6. If you issue those requests too quickly, you might hit an AD server that is not consistent with the server where the resource was created.
View as plain text