When you call the Azure REST API, every API that is part of Azure Resource Manager requires Azure Active Directory (Azure AD) authentication: you must obtain an access token before the API can be called.
Here are the steps to create an Azure AD app and authorize it to access and manage Azure resources:
Note
The following authentication method applies only to the Azure Resource Manager API (endpoint management.chinacloudapi.cn). It does not apply to the Azure Service Manager API (endpoint management.core.chinacloudapi.cn).
Sign in to your Azure account (PowerShell)
Record the TenantId returned by the login; the later steps use it.
Select the current subscription ID
In an environment with more than one subscription, select the subscription to work in:
Set-AzureRmContext -SubscriptionId <subscription id>
Create an AD app
Inspect the returned application object: its ApplicationId property is used later to create the service principal, assign the role, and obtain access tokens.
$azureAdApplication = New-AzureRmADApplication -DisplayName "ExampleApp" -HomePage "https://www.contoso.org" -IdentifierUris "https://www.contoso.org/example" -Password "<Your_Password>"
Create a service principal
Create a service principal for the Azure AD app:
New-AzureRmADServicePrincipal -ApplicationId $azureAdApplication.ApplicationId
A newly created service principal has no permissions; we need to assign it a role with a scope.
Assign a role
Add a role assignment for your service principal; it grants the service principal access to all resources under your subscription. Pick the least privileged role that the caller actually needs (the roles are described after the command). For more information, please refer to: Azure role-based Access Control.
New-AzureRmRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $azureAdApplication.ApplicationId
RoleDefinitionName
There are three roles to choose from:
Reader has read-only access to Azure resources.
Contributor has management rights on Azure resources, but cannot grant access to others.
Owner has management rights on Azure resources and can also grant others access to manage them.
Call the OAuth2 API for a token
With the Azure AD application created, the following three pieces of information are needed to obtain an access token:
Tenant ID: the TenantId recorded from the subscription (login) information.
Application ID: the ApplicationId returned when the app was created.
App password: the password supplied when the app was created.
Obtain the token from the OAuth2 authentication endpoint of Azure login; to learn more, refer to this document: Using the Azure Resource Manager REST API.
Refer to the following PHP code (TLS certificate verification is left enabled; the original disabled it, which would let a man-in-the-middle capture the client secret and token):

<?php
$tenant_id     = 'Your tenant id';
$client_id     = 'Application id';
$client_secret = 'Application password';

// OAuth2 token endpoint of Azure China (login.chinacloudapi.cn)
$auth_url = 'https://login.chinacloudapi.cn/' . $tenant_id . '/oauth2/token?api-version=1.0';

// client_credentials grant, requesting a token for the Azure Resource Manager resource
$post_data = 'grant_type=client_credentials'
    . '&resource=' . urlencode('https://management.chinacloudapi.cn/')
    . '&client_id=' . urlencode($client_id)
    . '&client_secret=' . urlencode($client_secret);

$auth = curl_init($auth_url);
curl_setopt_array($auth, array(
    CURLOPT_POST           => true,
    CURLOPT_POSTFIELDS     => $post_data,
    CURLOPT_RETURNTRANSFER => true,   // return the body instead of printing it
    CURLOPT_SSL_VERIFYPEER => true,   // verify the server certificate
    CURLOPT_SSL_VERIFYHOST => 2,      // and that it matches the host name
    CURLOPT_HTTPHEADER     => array('Content-Type: application/x-www-form-urlencoded'),
));
$response = curl_exec($auth);
if ($response === false) {
    echo 'curl error: ' . curl_error($auth) . "\n";
} else {
    echo $response . "\n";
}
curl_close($auth);
Executing the request returns the token data; the access_token field is the access token.
{"token_type":"Bearer","expires_in":"3600","expires_on":"1455680701","not_before":"1455676801","resource":"https://management.azure.com/","access_token":"eyJ0eXAiOi..."}
Then add an Authorization header to the request headers of the API you want to access, and set its value to the word Bearer, a space, and the token:
Authorization: Bearer <token>
Invocation example:

<?php
$token   = 'eyJ0eXA...';
$host    = 'management.chinacloudapi.cn';
$version = '2015-09-01';
$url = 'https://' . $host
     . '/subscriptions/5bbf0cbb-647d-4bd8-b4e6-26629f109bd7/resourcegroups/default-mysql-chinanorth'
     . '/providers/Microsoft.mysql/servers/poddbtest/databases/kevintest?api-version=' . $version;

// request body: properties of the database to create or update
$data = array('properties' => array('charset' => 'utf8', 'collation' => 'utf8_general_ci'));
$json = json_encode($data);

$ch = curl_init($url);
curl_setopt_array($ch, array(
    CURLOPT_CUSTOMREQUEST  => 'PUT',
    CURLOPT_POSTFIELDS     => $json,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_SSL_VERIFYPEER => true,   // keep certificate verification on
    CURLOPT_SSL_VERIFYHOST => 2,
    CURLOPT_HTTPHEADER     => array(
        'Content-Type: application/json',
        'Authorization: Bearer ' . $token,
    ),
));
$ret = curl_exec($ch);
if ($ret === false) {
    // some kind of error happened
    echo 'curl error: ' . curl_error($ch) . "\n";
} else {
    $info = curl_getinfo($ch);
    echo 'HTTP ' . $info['http_code'] . "\n" . $ret . "\n";
}
curl_close($ch);
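As an added Python example (not part of the original page, whose code is PHP) covering both the token request above and the Authorization header: it builds the same client_credentials request, then inspects the returned JWT's payload before the token is used, so a token issued for another tenant, application or resource, or one about to expire, is rejected instead of sent. It assumes the v1 token's aud claim equals the requested resource string and that tid and appid carry the tenant and application ids; the sample token is constructed here, not issued by Azure AD.

```python
import base64
import json
import time
from urllib.parse import urlencode

ARM_RESOURCE = "https://management.chinacloudapi.cn/"
LOGIN_HOST = "https://login.chinacloudapi.cn"

def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for the client_credentials grant posted in the PHP code above."""
    url = f"{LOGIN_HOST}/{tenant_id}/oauth2/token?api-version=1.0"
    body = urlencode({
        "grant_type": "client_credentials",
        "resource": ARM_RESOURCE,
        "client_id": client_id,
        "client_secret": client_secret,  # urlencode() escapes special characters in the secret
    })
    return url, body

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_problems(access_token, tenant_id, client_id, now=None):
    """Inspect the JWT payload (no signature check; Resource Manager verifies that) and
    return the reasons the token should not be used; an empty list means it is acceptable."""
    now = time.time() if now is None else now
    claims = json.loads(_b64url_decode(access_token.split(".")[1]))
    problems = []
    if claims.get("aud") != ARM_RESOURCE:  # assumption: aud equals the requested resource
        problems.append("audience is not Azure Resource Manager")
    if claims.get("tid") != tenant_id or claims.get("appid") != client_id:
        problems.append("issued for a different tenant or application")
    if claims.get("exp", 0) <= now + 60:  # under a minute left counts as expired
        problems.append("expired or about to expire; request a new token")
    return problems

def auth_header(access_token):
    # token_type in the response is "Bearer": the word, a space, then the access_token
    return {"Authorization": "Bearer " + access_token}

def make_sample_token(claims):
    """Constructed sample only (not issued by Azure AD): header.payload.fake-signature."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"typ": "JWT", "alg": "RS256"}) + "." + enc(claims) + ".not-a-real-signature"
```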