How to access Azure Resources using Azure REST API | Tutorial with Postman and Service Principals

Video Statistics and Information

Captions
Hi all, I'm Aby Joseph. In this video, let us look at how we can access our Azure resources using Azure REST APIs. We'll achieve this by creating service principals in Azure Active Directory to authenticate to the Azure management endpoint. Here, as an example, we have an Azure resource group that we need to access via the REST API. For this, we'll first register an application in Azure Active Directory. When we register an application in Azure AD, a service principal object is created, which serves as the identity of the application. The service principal will then provide us the means to authenticate and authorize access to Azure resources, in our case via the Azure REST APIs. Along with this, we'll also need to generate a client ID and a client secret for the application that we have registered.

Once we have the service principal in place, we will provide access to the resource group via the service principal object. We will see how to do this by assigning a role to the service principal using RBAC and then applying that role to the resource that we want to access via the REST API. Also, we will quickly see how we can achieve all the previous steps via a single command using Azure CLI, without navigating through the portal. After that, we'll test our access to the resource by using Postman as the REST client to generate an access token, using which we can access the Azure management endpoints. Finally, we'll explore some common issues that can occur during the setup and how we can troubleshoot them.

To get started, in our Azure portal, let's go ahead and search for Azure Active Directory, or Azure AD. First we need to register an application, so let's go to Add, App registration. Let's give it a suitable name and hit Register. There are four values that we need to note: the tenant ID, the subscription ID, the client ID and the client secret. We can get the subscription ID by going back into Azure, Subscriptions, and within the Overview page we can get the subscription ID. In order to get the other details, let's go back into Azure AD again. Let's open up the application that we have just registered. Within this page we'll be able to get the application ID, or the client ID, and we can also get the tenant ID.

We do not yet have a client secret, so let's go ahead and generate one. We can do this by going into Certificates and secrets, New client secret. Let's enter a suitable client secret name, I'll keep it to a minimum, and hit Add. Within this page we now have our client secret displayed. One thing to bear in mind is that if you navigate away from this page, this client secret value will not be displayed again, so do copy it and store it in a secure location. Typically we store it in an Azure Key Vault, but for this demo I'll keep it in my sticky notes.

Now, back in the portal, let's assume that this is a resource group that we want to access via the REST API. It also does have a virtual network that I've deployed that doesn't do anything at all. We need to give the resource group a role-based access control based on the service principal object. In this case it will be at the resource group level. For this, let's open the resource group and go to Access control (IAM), Add, Add role assignment. Ideally we should be giving it access with the least amount of privilege to get the job done, but I'm going ahead and giving it Contributor-level access for the demo. So let's go ahead, then select Contributor, Next. Ensure that "User, group, or service principal" is selected, then Select members. By default the service principal will not be displayed; we need to search for it. So let's go ahead and search for it: rest. Select, and Select. Let's hit Next, and as you can see, the scope is now defined at the resource group level. Review this, and Review and assign. To ensure this is indeed correctly applied, back in the same page, let's go to Role assignments, and within this page we can see that the service principal does have Contributor-level access to this resource group.

Recap: we registered an application in Azure AD, generated a client ID and a client secret, and also did a role assignment to the resource group via the service principal object, all via the Azure portal. We can do all the same steps via Azure CLI in a single line as well, without having to navigate through the portal. Back in the portal, open Azure Cloud Shell; we can use Azure CLI as well. Copy the command that you see on the screen and replace the values where appropriate. I've already done this, so I'm going ahead and pasting it here. We can see that the name of the service principal is mentioned here, and also the name of the resource group, and it also does have the Contributor-level access that we're trying to get. So let me go ahead and press Enter, and there we have it: we have the subscription ID, we have the tenant ID, we have the client ID, and we have even got the client secret generated, all in one single command. In addition to that, it has also assigned the Contributor-level access to that particular resource group that we mentioned. So let's go ahead and ensure that this is actually created. There was only one before; now, if you refresh, we also have got the one that we have generated via the CLI. If that seemed much easier and a helpful tip, do consider giving this video a thumbs up. I will also add the command down in the description.

We have now done all the prerequisite setup required. Let's test if we can access the Azure management API endpoint and update the resource group. For this, we need to first get the auth token by hitting Microsoft Azure's auth token endpoint. Let's go back to our Azure AD and open the application that we had registered before. So let's go to Applications; this is the application that we had registered. Go to Endpoints, and in this page we can see that we have the token endpoint listed. Do ensure that we are selecting the token endpoint. Within the URL I have my tenant ID listed; you will have your tenant ID displayed here. Do copy this URL.

Let us now open Postman to send a request and get the authorization token. Let's create a new request. Ensure that this is changed to POST, and paste the URL that we had copied before, that is, the token endpoint. Go to the Body tab and ensure that URL-encoded is selected. For the key we need to type the grant type; the grant type would be client_credentials. The next one would be client ID, so client ID. I already have my client ID defined as a variable within Postman. The next one would be client secret; again, the client secret is also defined as a variable within Postman, so I'll use the same one. There is also one more key that we need to add, which is the resource, and the value would be the management endpoint. Let's go ahead and send the request, and we have got the access token within the response. Note that there is also an expiry time. This is the token that we need to send to the next endpoint, so let's create a copy of this.

Now let's try getting the list of all the resources that are present in a resource group via the Azure REST API. Azure does have detailed documentation on the endpoints and the various operations it supports and the payload requests. This is one such documentation in relation to resources. If you navigate down the list, we have List By Resource Group. If you were to open it, this endpoint does require a subscription ID, and we need to pass in the name of the resource group whose resources we want to list. So let's copy this. This is a GET request, so let's go back to Postman, Create, plus; this is already GET, so let's paste it. We need the subscription ID. Within my environment variables I've already given the subscription ID of my Azure, so let me go to the Environments tab, Azure Dev, and within that I have listed all the different variables already. So subscription ID is the name of the variable. Let me go back and replace it, so that is now picked up as a variable. We need the name of the resource group. This is the name of the resource group that we had created, which does have a VNet within it. I've already listed the name of the resource group, so copy the name of the variable, get, choose group.

If you were to send a request directly, it wouldn't work, because we have not provided the auth token. So let's go back to the previous endpoint, the auth token endpoint, where we had the access token. Let's copy this again; we only need the value of the access token. So we have copied this. Let's go to the GET endpoint, Authorization. It is OAuth 2.0, so we have selected OAuth 2.0, and within the token field let's paste the token. Let's now send the request, and we have got the response back as a 200 OK, meaning we were able to authenticate and access the details, and within it we have got the name of the VNet that is present within that resource group.

Let us now try another example and try updating the tags of a resource group. This was the documentation for the resources, so let's go to Resource Groups now, Overview, and we need Create Or Update. We are trying to update the tags, so let's go to this URL and copy this endpoint. Back in Postman, let's create a new request. Note that this was a PUT request, so let's select PUT and paste the URL. Let me substitute the values with the details that I have, so that would be subscription... request. It would require a body to be set, so let me go to the Body tab, raw, JSON. Let me paste a sample payload here. I've given, within tags, a key-value pair to update: the key is owner and the value is a b juices. So, send: it wouldn't work as expected, because we have not given the auth token to authorize. So let me go back to the previous endpoint, the auth endpoint, and let me generate a new token. I've got the token, so let me copy it now. Going back to the PUT request tab, Authorization, OAuth 2.0, and let me pass in this token. And now if I were to send, we have got a response back mentioning 200 OK, and within the response I can see that the tag was updated and it has succeeded. Now let me confirm by going back to the portal, Resource groups. This was the resource that we asked to update, so expanding the Essentials tab, we can see that the tag is now updated.

So, as an exercise, let's try to add another tag to this. I will go back to the same PUT body and I will try to add another tag: environment would be, let's say, a QA environment. And let's send it. We have got a 200 OK success response, an additional tag was added, and it succeeded. Let us go back to the portal and ensure this was actually done. So back in the portal, Resource groups, this is the resource group that we asked to update the tag on, so let's open it, Essentials, and we can see a second tag is now added via the REST API.

Next, we will see some common issues that we can encounter and how we can resolve them. The authorization failed error is a common one that we are likely to hit if we have not done the role assignment correctly. In this example we have tried to send a request and we have got the authorization failed issue, and it says that this particular client does not have enough access or authorization to perform the action write over the scope. In order to fix this, let's go back to our portal and see if the access control is correctly provided. In order to do that, let's go to Access control, Role assignments, and if we look, there is no service principal that is assigned. In order to fix this, let's go to Add. This did have a role assignment of the service principal, but in order to reproduce this issue I had removed it, so let me go ahead and add it back. Add, Add role assignment; let me give it Contributor access back again. Next, "User, group, or service principal", select the member, it is rest, so selected, Review and assign, Review and assign, and it is back. It is now listed within the role assignments, meaning it should now have access. So let me go back to Postman. I need to regenerate the authorization token, so let me go to the POST endpoint, the token endpoint, and send a request again. I've got a new token, so copy this. This was the issue before, so let me give the new token again, and now we are able to access it again.

Another common issue is the invalid client error. Even though the error does mention that the client is invalid, it could be that the client ID or the client secret that we passed in the header is not exactly right. In order to fix this, we have to ensure that the correct client ID and client secret are provided. I had introduced some additional characters into the client secret to reproduce this issue, so let me go ahead and fix that now. Back in my Environments tab, I had added three additional characters, one two three: one, two, three, and Save. Let me go back to the token endpoint, and now this will be fixed. Hitting Send, I got a successful response back with the authorization token.

And that's it for our first video. I hope you enjoyed watching and learned something new. If you did, consider giving this video a thumbs up and subscribing to the channel. I'm just getting started, so if you have any feedback or suggestions, do let me know in the comments. Thanks again, and I'll see you in the next one.
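
Added example (not from the video or its description): the two Postman requests and the two troubleshooting cases from the captions above, written as Python helpers that run offline. The function names, the v1 token URL shape, the api-version value and all sample responses are assumptions constructed for illustration.

```python
import json
import time
from urllib.parse import urlencode

ARM = "https://management.azure.com/"  # management endpoint, sent as the token "resource"
API_VERSION = "2021-04-01"             # assumed api-version for the resources listing

def token_request(tenant_id, client_id, client_secret):
    """URL and x-www-form-urlencoded body for the client-credentials POST."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "resource": ARM}
    return url, urlencode(form)

def list_resources_request(subscription_id, resource_group, access_token):
    """URL and headers for the 'list by resource group' GET."""
    url = (f"{ARM}subscriptions/{subscription_id}/resourceGroups/"
           f"{resource_group}/resources?api-version={API_VERSION}")
    return url, {"Authorization": f"Bearer {access_token}"}

def token_usable(token_json, now=None, skew=60):
    """True if a token is present and not within `skew` seconds of its expiry."""
    now = time.time() if now is None else now
    expires_on = int(token_json.get("expires_on", 0))
    return bool(token_json.get("access_token")) and expires_on - skew > now

def diagnose(body_text):
    """Map the two error responses from the troubleshooting part to their fix."""
    err = json.loads(body_text).get("error")
    # The management API nests the code; the token endpoint returns a bare string.
    code = err.get("code") if isinstance(err, dict) else err
    if code == "invalid_client":
        return "credentials rejected: re-check the client ID and client secret"
    if code == "AuthorizationFailed":
        return "no role assignment at this scope: add it, then request a new token"
    return f"unrecognised error: {code}"

# Constructed sample responses (not captured from a real tenant).
SAMPLE_TOKEN = {"token_type": "Bearer", "expires_on": "1700003600",
                "access_token": "constructed.token.value"}
SAMPLE_INVALID_CLIENT = '{"error": "invalid_client", "error_description": "constructed"}'
SAMPLE_AUTHZ_FAILED = '{"error": {"code": "AuthorizationFailed", "message": "constructed"}}'

if __name__ == "__main__":
    url, body = token_request("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET")  # placeholders
    print(url, body.replace("CLIENT_SECRET", "***"))  # keep the secret out of logs
    print(token_usable(SAMPLE_TOKEN, now=1700000000))
    print(diagnose(SAMPLE_INVALID_CLIENT), diagnose(SAMPLE_AUTHZ_FAILED), sep="\n")
```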
Info
Channel: Aby T Joseph
Views: 4,401
Keywords: azure rest api tutorial, azure rest api with postman, azure rest api authentication, azure service principal authentication, azure service principal, service principals, Accessing Azure Resources, Azure Resource Management, azure spn credentials, AzureAuthorization, azure postman authentication, azure postman api, AzureServicePrincipal, AzureAPI, AzureRESTAPI
Id: CtamReatfmg
Length: 14min 47sec (887 seconds)
Published: Tue May 16 2023