# autorest azure example

## Usage (device mode)

This shows how to use the example for device auth.

1. Execute this. It will save your token to /tmp/azure-example-token:

   ```
   ./example -tenantId "13de0a15-b5db-44b9-b682-b4ba82afbd29" -subscriptionId "aff271ee-e9be-4441-b9bb-42f5af4cbaeb" -mode "device" -tokenCachePath "/tmp/azure-example-token"
   ```

2. Execute it again. It will load the token from the cache and not prompt for auth again.

## Usage (certificate mode)

This example covers how to make an authenticated call to the Azure Resource Manager APIs, using certificate-based authentication.

0. Export some required variables

   ```
   export SUBSCRIPTION_ID="aff271ee-e9be-4441-b9bb-42f5af4cbaeb"
   export TENANT_ID="13de0a15-b5db-44b9-b682-b4ba82afbd29"
   export RESOURCE_GROUP="someresourcegroup"
   ```

   * Replace these values with your own

1. Create a private key

   ```
   openssl genrsa -out "example.key" 2048
   ```

2. Create the certificate

   ```
   openssl req -new -key "example.key" -subj "/CN=example" -out "example.csr"

   openssl x509 -req -in "example.csr" -signkey "example.key" -out "example.crt" -days 10000
   ```

3. Create the PKCS12 version of the certificate (with no password)

   ```
   openssl pkcs12 -export -out "example.pfx" -inkey "example.key" -in "example.crt" -passout pass:
   ```

4. Register a new Azure AD Application with the certificate contents

   ```
   # Read the public certificate (not the private key) and strip the PEM armor lines
   certificateContents="$(tail -n+2 "example.crt" | head -n-1)"

   azure ad app create \
     --name "example-azuread-app" \
     --home-page="http://example-azuread-app/home" \
     --identifier-uris "http://example-azuread-app/app" \
     --key-usage "Verify" \
     --end-date "2020-01-01" \
     --key-value "${certificateContents}"
   ```

5. Create a new service principal using the "Application Id" from the previous step

   ```
   azure ad sp create "APPLICATION_ID"
   ```

   * Replace APPLICATION_ID with the "Application Id" returned in step 4

6. Grant your service principal necessary permissions

   ```
   azure role assignment create \
     --resource-group "${RESOURCE_GROUP}" \
     --roleName "Contributor" \
     --subscription "${SUBSCRIPTION_ID}" \
     --spn "http://example-azuread-app/app"
   ```

   * Replace SUBSCRIPTION_ID with your subscription id
   * Replace RESOURCE_GROUP with the resource group for the assignment
   * Ensure that the `spn` parameter matches one of the `--identifier-uris` values from step 4

7. Run this example app to see your resource groups

   ```
   go run main.go \
     --tenantId="${TENANT_ID}" \
     --subscriptionId="${SUBSCRIPTION_ID}" \
     --applicationId="http://example-azuread-app/app" \
     --certificatePath="example.pfx"
   ```

You should see something like this as output:

```
2015/11/08 18:28:39 Using these settings:
2015/11/08 18:28:39 * certificatePath: certificate.pfx
2015/11/08 18:28:39 * applicationID: http://example-azuread-app/app
2015/11/08 18:28:39 * tenantID: 13de0a15-b5db-44b9-b682-b4ba82afbd29
2015/11/08 18:28:39 * subscriptionID: aff271ee-e9be-4441-b9bb-42f5af4cbaeb
2015/11/08 18:28:39 loading certificate...
2015/11/08 18:28:39 retrieve oauth token...
2015/11/08 18:28:39 querying the list of resource groups...
2015/11/08 18:28:50
2015/11/08 18:28:50 Groups: {"value":[{"id":"/subscriptions/aff271ee-e9be-4441-b9bb-42f5af4cbaeb/resourceGroups/kube-66f30810","name":"kube-66f30810","location":"westus","tags":{},"properties":{"provisioningState":"Succeeded"}}]}
```

## Notes

You may need to wait some time between executing step 4, step 5 and step 6. If you issue those requests too quickly, you might hit an AD server that is not consistent with the server where the resource was created.
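
A guard for the value passed to `--key-value` in step 4, as an added example that is not part of the original README: it prints the base64 body of a PEM file only when that file holds exactly one certificate, and refuses any file that carries private key material. The function name `pem_cert_body` and its exit codes are hypothetical choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original README): extract the base64 body of a
# PEM certificate for `--key-value`, refusing files that hold a private key.
# pem_cert_body and its exit codes are hypothetical, not part of the azure CLI.

pem_cert_body() {
    pem_file="$1"

    if [ ! -r "$pem_file" ]; then
        echo "pem_cert_body: cannot read $pem_file" >&2
        return 2
    fi

    # Reject any PEM private-key armor (RSA, EC, PKCS#8, encrypted), even when
    # the same file also contains a certificate.
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem_file"; then
        echo "pem_cert_body: $pem_file contains a private key; refusing" >&2
        return 3
    fi

    # Exactly one certificate block is expected. grep -c exits non-zero on a
    # count of 0, so `|| true` keeps this safe under `set -e`.
    count=$(grep -c -e '^-----BEGIN CERTIFICATE-----' "$pem_file" || true)
    if [ "$count" -ne 1 ]; then
        echo "pem_cert_body: expected 1 certificate, found $count" >&2
        return 4
    fi

    # Print only the lines between the armor lines. Unlike `head -n-1`,
    # this does not depend on GNU coreutils.
    awk '
        /^-----BEGIN CERTIFICATE-----/ { inside = 1; next }
        /^-----END CERTIFICATE-----/   { inside = 0 }
        inside { sub(/\r$/, ""); print }
    ' "$pem_file"
}

# Usage in step 4 (assumes example.crt from step 2):
#   certificateContents="$(pem_cert_body "example.crt")" || exit 1
```
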