如何使用OAuth2.0作为服务访问Microsoft资源管理API

huangapple go评论108阅读模式
英文:

How to access the Microsoft Resource Management API as a service using OAuth2.0

问题

我正在开发一个定时触发的服务,从各种API获取数据并将其写入数据库。
我需要访问的一个API是Microsoft资源管理API。然而,问题在于它的所有端点都提到了OAuth2.0明确授权流程,需要用户登录。由于我正在创建一个自动化服务,我无法使用该流程。

例如,列出资源组的端点(https://learn.microsoft.com/en-us/rest/api/resources/resource-groups/list)提到了带有user_impersonation范围的OAuth2隐式授权流程:

https://i.stack.imgur.com/0XmIW.png

作为一个服务,是否有可能从这个API获取数据,如果可以,我应该如何操作?是否有其他方法可以从Azure平台获取资源组和资源的列表?

我成功地使用OAuth2.0客户端凭据授权流程在Graph API中作为服务进行身份验证,但似乎在这里不可能。

英文:

I am developing a time-triggered service that fetches data from various API's and writes it to a database.
One of the API's I need to access is the Microsoft Resource Management API. However, the problem is that its endpoints all mention the OAuth2.0 explicit grant flow- which requires a user to log in. Since I am creating a automated service, I cannot use that flow.

For example, the list resource group endpoint (https://learn.microsoft.com/en-us/rest/api/resources/resource-groups/list) mentions the Oauth2 implicit grant flow with the user_impersonation scope:

https://i.stack.imgur.com/0XmIW.png

Is it even possible to get data from this API as a service, and if so, how would I go about doing that? Is there any other way I could get a list of resource groups and resources from the Azure platform?

I do succesfully utilize the OAuth2.0 client credientials grant flow to authenticate with the Graph API as a service, but that does not seem possible here.

答案1

得分: 0

要调用Azure管理REST API,您需要生成带有范围为**https://management.azure.com/.default**的访问令牌。

我注册了一个Azure AD应用程序,并添加了以下API权限

如何使用OAuth2.0作为服务访问Microsoft资源管理API

> 确保在订阅下为上述服务主体添加适当的RBAC角色

在我的情况下,我将**Reader**角色添加到了订阅下的服务主体,如下所示:

如何使用OAuth2.0作为服务访问Microsoft资源管理API

现在,我使用以下参数通过Postman生成了访问令牌,采用客户端凭据流程:

POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
grant_type:client_credentials
client_id:<appID>
client_secret:<secret>
scope: https://management.azure.com/.default

响应:

如何使用OAuth2.0作为服务访问Microsoft资源管理API

当我使用此访问令牌调用下面的管理API查询时,我成功地在响应中获得了资源组列表,如下所示:

GET https://management.azure.com/subscriptions/<subID>/resourcegroups?api-version=2021-04-01

响应:

如何使用OAuth2.0作为服务访问Microsoft资源管理API

英文:

To call Azure Management REST API, you need to generate access token with scope as https://management.azure.com/.default.

I registered one Azure AD application and added API permission as below:

如何使用OAuth2.0作为服务访问Microsoft资源管理API

> Make sure to add proper RBAC role to above service principal under subscription.

In my case, I added Reader role to the service principal under subscription like below:

如何使用OAuth2.0作为服务访问Microsoft资源管理API

Now, I generated access token using client credentials flow via Postman with below parameters:

POST https://login.microsoftonline.com/&lt;tenantID&gt;/oauth2/v2.0/token
grant_type:client_credentials
client_id:&lt;appID&gt;
client_secret:&lt;secret&gt;
scope: https://management.azure.com/.default

Response:

如何使用OAuth2.0作为服务访问Microsoft资源管理API

When I used this access token to call below Management API query, I got list of resource groups successfully in response like this:

GET https://management.azure.com/subscriptions/&lt;subID&gt;/resourcegroups?api-version=2021-04-01

Response:
如何使用OAuth2.0作为服务访问Microsoft资源管理API

huangapple
  • 本文由 发表于 2023年6月12日 22:44:35
  • 转载请务必保留本文链接:https://go.coder-hub.com/76457783.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定