Access the Azure Resource Manager Virtual Machine resources using ARM APIs and the new Azure Portal
In an earlier post , I explained how Resource VMs can be accessed using ARM APIs. We used the classic Azure portal along with the native application approach to implementing this.
We had to use the classic portal as the new portal was in preview mode and Azure Active Directory (AAD) was not fully integrated into the new portal.
Now that AAD is integrated into the new portal, I'll explain how we can achieve the same use case of accessing ARM APIs using this new Azure portal.
For the sake of this demo, I have created a new VM as part of my Azure subscription.
Next, we'll create a native application in the Azure Active Directory.
Step 1: Create a Native application in AAD
In the Azure portal, navigate to Azure Active Directory
and click on the App Registrations
section. Next click on the Add
an option at the top.
This will open up a new blade towards the right. As shown in the screenshot below provide a Name
for the application, select the Native
application option in the Application Type
dropdown and provide a Redirect URI
in the third input option. This URL need not be an actual endpoint, it just needs to be a valid URI.
Click on the Create
button at the bottom and with this, the new native application would be created.
Next, we'll delegate permission to this application to access the Windows Azure Service Management APIs
. This will help us access the ARM APIs later on.
Step 2: Delegate permission to the Native application to access Azure Service Management APIs
Click on the newly created application, in this case SKApp
, and click on the Settings
option. This will open up a blade on the right. Click on Required permissions
option and then the Add
an option at the top.
Now for the Select an API
option to select the option Windows Azure Service Management API
on the right.
Once selected, grant delegation rights
to the application to access this API as follows.
Once permission is granted, the assigned permission list would look like this...
Step 3: Create a Secret Key for this Native application
We'll now create a secret key
and associate it with this application. Click on the Keys
section in Settings
blade.
Add a key description
and select an expiry
as per your requirement.
Now click on the Save
option at the top and a key would be generated. Store this key safely and securely with you, as this would be required later on when we try to access the ARM APIs.
Step 4: Save the Application ID and Directory ID
Now that we have generated a secret key
and saved it, we need to also save the Application ID
of our Native application and Directory ID
of the Active Directory instance.
You'll find the Application ID
in the Native application details blade.
The Directory ID
is also known as the Tenant ID
is the unique id for the AAD instance. You will find it at the following location.
In addition to these, we’ll also require the following additional parameters.
Service resource id The value of this id is https://management.core.windows.net/
OAuth endpoint This URL is used for authorization and its value is https://login.microsoftonline.com/<Directory ID>/oauth2/authorize
As shown above, the authorization URL requires the Directory ID
.
With this, we now have all the details to go ahead and implement a REST client to consume ARM APIs.
However, before we do that we need to carry out an additional step of granting rights to our native application on the subscription. Note: These rights can be granted at the Subscription, Resource Group or Resource level (in this case virtual machine level).
Granting rights at the Subscription or Resource Group level would get inherited by all resources under them.
Step 5: Grant permission to the Native application at the subscription level
To grant rights, drill down to the relevant subscription on which we wish to assign the rights to the application.
Click on the Add
the option as shown above, and select the Reader
role option.
Once done, select the native application we created earlier by typing its name in the Add Users
input box. Select the application once it shows up and click on the Select
the button below.
Thats it!! We are done. Now we can proceed towards consuming the ARM Rest APIs using a REST Client.
Step 6: Consume the ARM API using the REST client and dependent parameters
Let's create a simple C#.Net Console application to implement this. You'll need to install the NuGet package for Microsoft.IdentityModel.Clients.ActiveDirectory
. At the time of this post, I used v3.13.8
.
We'll create a class AzureAD.cs
to authenticate our user and get an access token which can later be used to call the ARM-based REST APIs.
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using System;
namespace AzureNewPortalResourceVMIntegration
{
public class AzureAD
{
internal static string Authenticate(string authority,
string serviceResourceId, string clientId, string secretKey)
{
AuthenticationContext authContext = new AuthenticationContext(authority, true);
AuthenticationResult authResult = null;
try
{
authResult = authContext
.AcquireTokenAsync(serviceResourceId,
new ClientCredential(clientId, secretKey)).Result;
if (authResult != null)
Console.WriteLine("Auth Token: {0}", authResult.AccessToken);
else
throw new Exception("Azure AD authentication failed.");
}
catch (AdalException adEx)
{
Console.WriteLine("Exception: {0}", adEx);
}
return authResult.AccessToken;
}
}
}
We’ll also need a class to place REST API calls using this access token. We’ll create a class AzureRestClient.cs
for this.
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
namespace AzureNewPortalResourceVMIntegration
{
internal class AzureRestClient
{
internal static async Task<string> ExecuteRequest(string accessToken, string url)
{
string serviceBaseAddress = url;
string responseMessage = null;
HttpClient httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization =
new AuthenticationHeaderValue("Bearer", accessToken);
HttpResponseMessage response =
await httpClient.GetAsync(serviceBaseAddress);
if (response.IsSuccessStatusCode)
{
responseMessage = await response.Content.ReadAsStringAsync();
return responseMessage;
}
else
{
responseMessage = await response.Content.ReadAsStringAsync();
if (response.StatusCode == System.Net.HttpStatusCode.Unauthorized)
{
return "Access denied.";
}
return responseMessage;
}
}
}
}
With this, we can now fetch details of our VM SK-Lin-1
as follows…
using System;
namespace AzureNewPortalResourceVMIntegration
{
class Program
{
static void Main(string[] args)
{
string tenantId = "<Enter Directory Id>";
string clientId = "<Enter Application Id>";
string secretKey = "<Enter Secret Key>";
string subscriptionId = "<Enter Subscription Id>";
string resourceGroupName = "<Enter Resource group name>";
string virtualMachineName = "<Enter Virtual Machine name>";
string oauthUrl = "https://login.microsoftonline.com/{0}/oauth2/authorize";
string serviceResourceId = "https://management.core.windows.net/";
string authority = string.Format(oauthUrl, tenantId);
string vmDetailsURL = $"https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachines/{virtualMachineName}?api-version=2015-06-15";
string accessToken = AzureAD.Authenticate(authority, serviceResourceId, clientId, secretKey);
if (accessToken != null)
{
AzureRestClient.ExecuteRequest(accessToken, vmDetailsURL)
.ContinueWith((task) =>
{
Console.WriteLine(task.Result);
});
}
Console.ReadLine();
}
}
}
For more details on the REST API used to fetch VM details refer to the Azure reference guide.
Once you get the response, you can parse the JSON result and extract the relevant data from it. You may also download the source code for this from my GitHub repository.
Do explore the Azure Reference documentation which lists several other APIs that can be used. In all cases the code remains the same, only the REST API URL and its dependent parameters would change.
Hope this was useful!
References: