# autorest azure example

## Usage (device mode)

This shows how to use the example for device auth.

1. Execute this. It will save your token to /tmp/azure-example-token:

    ```
    ./example -tenantId "13de0a15-b5db-44b9-b682-b4ba82afbd29" -subscriptionId "aff271ee-e9be-4441-b9bb-42f5af4cbaeb" -mode "device" -tokenCachePath "/tmp/azure-example-token"
    ```

2. Execute it again. It will load the token from the cache and not prompt for auth again.

## Usage (certificate mode)

This example covers how to make an authenticated call to the Azure Resource Manager APIs, using certificate-based authentication.

0. Export some required variables

    ```
    export SUBSCRIPTION_ID="aff271ee-e9be-4441-b9bb-42f5af4cbaeb"
    export TENANT_ID="13de0a15-b5db-44b9-b682-b4ba82afbd29"
    export RESOURCE_GROUP="someresourcegroup"
    ```

    * Replace these values with your own

1. Create a private key

    ```
    openssl genrsa -out "example.key" 2048
    ```

2. Create the certificate

    ```
    openssl req -new -key "example.key" -subj "/CN=example" -out "example.csr"

    openssl x509 -req -in "example.csr" -signkey "example.key" -out "example.crt" -days 10000
    ```

3. Create the PKCS12 version of the certificate (with no password)

    ```
    openssl pkcs12 -export -out "example.pfx" -inkey "example.key" -in "example.crt" -passout pass:
    ```

4. Register a new Azure AD Application with the certificate contents

    ```
    # Base64 body of the public certificate (PEM header and footer lines stripped)
    certificateContents="$(tail -n+2 "example.crt" | head -n-1)"

    azure ad app create \
        --name "example-azuread-app" \
        --home-page="http://example-azuread-app/home" \
        --identifier-uris "http://example-azuread-app/app" \
        --key-usage "Verify" \
        --end-date "2020-01-01" \
        --key-value "${certificateContents}"
    ```

5. Create a new service principal using the "Application Id" from the previous step

    ```
    azure ad sp create "APPLICATION_ID"
    ```

    * Replace APPLICATION_ID with the "Application Id" returned in step 4

6. Grant your service principal the necessary permissions

    ```
    azure role assignment create \
        --resource-group "${RESOURCE_GROUP}" \
        --roleName "Contributor" \
        --subscription "${SUBSCRIPTION_ID}" \
        --spn "http://example-azuread-app/app"
    ```

    * Replace SUBSCRIPTION_ID with your subscription id
    * Replace RESOURCE_GROUP with the resource group for the assignment
    * Ensure that the `spn` parameter matches an `identifier-uris` value from step 4

7. Run this example app to see your resource groups

    ```
    go run main.go \
        --tenantId="${TENANT_ID}" \
        --subscriptionId="${SUBSCRIPTION_ID}" \
        --applicationId="http://example-azuread-app/app" \
        --certificatePath="example.pfx"
    ```

You should see something like this as output:

```
2015/11/08 18:28:39 Using these settings:
2015/11/08 18:28:39 * certificatePath: certificate.pfx
2015/11/08 18:28:39 * applicationID: http://example-azuread-app/app
2015/11/08 18:28:39 * tenantID: 13de0a15-b5db-44b9-b682-b4ba82afbd29
2015/11/08 18:28:39 * subscriptionID: aff271ee-e9be-4441-b9bb-42f5af4cbaeb
2015/11/08 18:28:39 loading certificate...
2015/11/08 18:28:39 retrieve oauth token...
2015/11/08 18:28:39 querying the list of resource groups...
2015/11/08 18:28:50
2015/11/08 18:28:50 Groups: {"value":[{"id":"/subscriptions/aff271ee-e9be-4441-b9bb-42f5af4cbaeb/resourceGroups/kube-66f30810","name":"kube-66f30810","location":"westus","tags":{},"properties":{"provisioningState":"Succeeded"}}]}
```
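
Step 4 uploads the public certificate only; the private key stays on the machine that runs the app. The Go check below is an added example, not part of the original example app: `KeyValue` and `ConstructedPair` are hypothetical names, and the certificate it runs on is generated in memory as constructed sample data. It returns the same base64 DER data the `tail`/`head` pipeline extracts (on one line) and refuses any PEM block that is not a parseable certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// KeyValue returns the base64 DER body of a PEM certificate, the value step 4
// passes as --key-value, and refuses any PEM block that is not a certificate.
func KeyValue(pemData []byte) (string, error) {
	block, _ := pem.Decode(pemData)
	if block == nil {
		return "", fmt.Errorf("no PEM block found")
	}
	if block.Type != "CERTIFICATE" {
		return "", fmt.Errorf("refusing PEM type %q: upload only the public certificate", block.Type)
	}
	if _, err := x509.ParseCertificate(block.Bytes); err != nil {
		return "", fmt.Errorf("not a valid X.509 certificate: %w", err)
	}
	return base64.StdEncoding.EncodeToString(block.Bytes), nil
}

// ConstructedPair builds a throwaway self-signed certificate and its private
// key as PEM. Constructed sample data standing in for example.crt/example.key.
func ConstructedPair() (certPEM, keyPEM []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		Subject:   pkix.Name{CommonName: "example"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
}

func main() {
	certPEM, keyPEM := ConstructedPair()
	value, err := KeyValue(certPEM)
	fmt.Println("certificate:", len(value), "base64 chars, err =", err)
	_, err = KeyValue(keyPEM)
	fmt.Println("private key:", err)
}
```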

## Notes

You may need to wait some time between executing step 4, step 5 and step 6. If you issue those requests too quickly, you might hit an AD server that is not consistent with the server where the resource was created.