How to access the Microsoft Resource Management API as a service using OAuth2.0
Question
I am developing a time-triggered service that fetches data from various APIs and writes it to a database.
One of the APIs I need to access is the Microsoft Resource Management API. However, the problem is that its endpoints all mention the OAuth2.0 explicit grant flow, which requires a user to log in. Since I am creating an automated service, I cannot use that flow.
For example, the list resource group endpoint (https://learn.microsoft.com/en-us/rest/api/resources/resource-groups/list) mentions the OAuth2 implicit grant flow with the user_impersonation scope:
https://i.stack.imgur.com/0XmIW.png
Is it even possible to get data from this API as a service, and if so, how would I go about doing that? Is there any other way I could get a list of resource groups and resources from the Azure platform?
I do successfully utilize the OAuth2.0 client credentials grant flow to authenticate with the Graph API as a service, but that does not seem possible here.
Answer 1
Score: 0
To call the Azure Management REST API, you need to generate an access token with the scope https://management.azure.com/.default.
I registered one Azure AD application and added the API permission as below:
> Make sure to add a proper RBAC role to the above service principal under the subscription.
In my case, I added the Reader role to the service principal under the subscription like below:
Now, I generated an access token using the client credentials flow via Postman with the below parameters:
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
grant_type:client_credentials
client_id:<appID>
client_secret:<secret>
scope: https://management.azure.com/.default
Response:
When I used this access token to call the below Management API query, I got the list of resource groups successfully in the response like this:
GET https://management.azure.com/subscriptions/<subID>/resourcegroups?api-version=2021-04-01
Response:
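The flow from the answer above, written as a script that a scheduled service could run (an added example, not code from the original answer). The environment variable names and the injectable `send` transport are assumptions; the token endpoint, scope and API version are the ones shown above.

```python
import json
import os
import urllib.parse
import urllib.request

SCOPE = "https://management.azure.com/.default"

def http_send(method, url, headers, body=None):
    """Default transport: perform the request with urllib and decode the JSON reply."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def get_token(tenant_id, client_id, client_secret, send=http_send):
    """Client credentials grant against the v2.0 token endpoint from the answer."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": SCOPE,
    }).encode()
    reply = send("POST", url, {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if "access_token" not in reply:
        # Report the error code only; the request body holds the secret, so never log it.
        raise RuntimeError(f"token request failed: {reply.get('error', 'unknown')}")
    return reply["access_token"]

def list_resource_groups(subscription_id, token, send=http_send):
    """Return resource group names, following nextLink paging when present."""
    url = (f"https://management.azure.com/subscriptions/{subscription_id}"
           "/resourcegroups?api-version=2021-04-01")
    names = []
    while url:
        page = send("GET", url, {"Authorization": f"Bearer {token}"})
        names += [rg["name"] for rg in page.get("value", [])]
        url = page.get("nextLink")
    return names

if __name__ == "__main__":
    # Assumed variable names; keep the client secret out of source control.
    env = os.environ
    tok = get_token(env["AZURE_TENANT_ID"], env["AZURE_CLIENT_ID"], env["AZURE_CLIENT_SECRET"])
    print(list_resource_groups(env["AZURE_SUBSCRIPTION_ID"], tok))
```

The service principal only sees what its RBAC role assignment allows, so a Reader assignment scoped to the subscription is enough for this listing.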