# autorest azure example

## Usage (device mode)

This shows how to use the example for device auth.

1. Execute this. It will save your token to /tmp/azure-example-token:

   ```
   ./example -tenantId "13de0a15-b5db-44b9-b682-b4ba82afbd29" -subscriptionId "aff271ee-e9be-4441-b9bb-42f5af4cbaeb" -mode "device" -tokenCachePath "/tmp/azure-example-token"
   ```

2. Execute it again; it will load the token from the cache and not prompt for auth again.

## Usage (certificate mode)

This example covers how to make an authenticated call to the Azure Resource Manager APIs using certificate-based authentication.

0. Export some required variables

   ```
   export SUBSCRIPTION_ID="aff271ee-e9be-4441-b9bb-42f5af4cbaeb"
   export TENANT_ID="13de0a15-b5db-44b9-b682-b4ba82afbd29"
   export RESOURCE_GROUP="someresourcegroup"
   ```

   * replace these values with your own

1. Create a private key

   ```
   openssl genrsa -out "example.key" 2048
   ```

2. Create the certificate

   ```
   openssl req -new -key "example.key" -subj "/CN=example" -out "example.csr"

   openssl x509 -req -in "example.csr" -signkey "example.key" -out "example.crt" -days 10000
   ```

3. Create the PKCS12 version of the certificate (with no password)

   ```
   # example.pfx bundles the private key unencrypted, so keep it readable only by you
   openssl pkcs12 -export -out "example.pfx" -inkey "example.key" -in "example.crt" -passout pass:
   ```

4. Register a new Azure AD Application with the certificate contents

   ```
   # the base64 body of the certificate, stripped of its PEM header and footer;
   # this is the public certificate from example.crt, never the private key
   certificateContents="$(tail -n+2 "example.crt" | head -n-1)"

   azure ad app create \
     --name "example-azuread-app" \
     --home-page="http://example-azuread-app/home" \
     --identifier-uris "http://example-azuread-app/app" \
     --key-usage "Verify" \
     --end-date "2020-01-01" \
     --key-value "${certificateContents}"
   ```

5. Create a new service principal using the "Application Id" from the previous step

   ```
   azure ad sp create "APPLICATION_ID"
   ```

   * Replace APPLICATION_ID with the "Application Id" returned in step 4

6. Grant your service principal the necessary permissions

   ```
   azure role assignment create \
     --resource-group "${RESOURCE_GROUP}" \
     --roleName "Contributor" \
     --subscription "${SUBSCRIPTION_ID}" \
     --spn "http://example-azuread-app/app"
   ```

   * `${SUBSCRIPTION_ID}` and `${RESOURCE_GROUP}` are the variables exported in step 0
   * Ensure that the `--spn` parameter matches one of the `--identifier-uris` from step 4

7. Run this example app to see your resource groups

   ```
   go run main.go \
     --tenantId="${TENANT_ID}" \
     --subscriptionId="${SUBSCRIPTION_ID}" \
     --applicationId="http://example-azuread-app/app" \
     --certificatePath="example.pfx"
   ```

You should see something like this as output:

```
2015/11/08 18:28:39 Using these settings:
2015/11/08 18:28:39 * certificatePath: certificate.pfx
2015/11/08 18:28:39 * applicationID: http://example-azuread-app/app
2015/11/08 18:28:39 * tenantID: 13de0a15-b5db-44b9-b682-b4ba82afbd29
2015/11/08 18:28:39 * subscriptionID: aff271ee-e9be-4441-b9bb-42f5af4cbaeb
2015/11/08 18:28:39 loading certificate...
2015/11/08 18:28:39 retrieve oauth token...
2015/11/08 18:28:39 querying the list of resource groups...
2015/11/08 18:28:50
2015/11/08 18:28:50 Groups: {"value":[{"id":"/subscriptions/aff271ee-e9be-4441-b9bb-42f5af4cbaeb/resourceGroups/kube-66f30810","name":"kube-66f30810","location":"westus","tags":{},"properties":{"provisioningState":"Succeeded"}}]}
```
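What step 7 does with the certificate, as an added example that is not part of the go-autorest example or the `azure` CLI: in certificate mode the service principal proves possession of the private key by sending a JWT signed with it, whose `x5t` header carries the certificate's SHA-1 thumbprint so Azure AD can match it against the certificate uploaded with `--key-value` in step 4. The application id and token URL below are placeholders, and a self-signed certificate is generated in-process as a stand-in for example.key and example.crt; the key/certificate match check refuses to sign with a key that does not belong to the certificate.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"time"
)

// KeyValue is what `azure ad app create --key-value` expects: the base64 DER certificate, i.e. the body of example.crt (never the private key).
func KeyValue(cert *x509.Certificate) string { return base64.StdEncoding.EncodeToString(cert.Raw) }
// ClientAssertion builds the RS256 JWT a service principal presents in certificate mode; "x5t" (base64url SHA-1 of the DER cert) tells Azure AD which registered certificate verifies it.
func ClientAssertion(cert *x509.Certificate, key *rsa.PrivateKey, appID, tokenURL string, now time.Time) (string, error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok || pub.N.Cmp(key.N) != 0 || pub.E != key.E { // wrong file from steps 1-4: refuse to sign
		return "", errors.New("private key does not belong to this certificate")
	}
	thumb := sha1.Sum(cert.Raw)
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "x5t": base64.RawURLEncoding.EncodeToString(thumb[:])})
	claims, _ := json.Marshal(map[string]interface{}{"aud": tokenURL, "iss": appID, "sub": appID, "nbf": now.Unix(), "exp": now.Add(10 * time.Minute).Unix()})
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input)) // RS256 = RSASSA-PKCS1-v1_5 over SHA-256 of header.payload
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}
// NewSelfSigned is a constructed stand-in for steps 1-2 (example.key / example.crt) so this runs offline.
func NewSelfSigned(cn string) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
```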

## Notes

You may need to wait some time between executing steps 4, 5 and 6. If you issue those requests too quickly, you might hit an AD server that is not yet consistent with the server where the resource was created.
128