Calling Azure REST API via curl

In these days I needed to call Azure REST API directly, without having the possibility to use some nice wrapper like AZ CLI or .NET SDK or Python SDK or whatever, since the REST API I needed to call was not included in any of the mentioned tools.

Make sure you check out the latest updates at the bottom of the article!

I decided to use curl since it is one of the easiest way to issue HTTP requests. But it turned out to be a little more complex that I what I could have expected at the beginning, especially while dealing with the authentication phase. The entire process is pretty simple as you’ll see, documentation is just a bit scattered all around...so it may be difficult to quickly understand the path you must follow to get everything working nicely.

Azure API security, and thus authentication (which is based on OAuth2) is a pretty broad topic as you can see from the long documentation available here:

I read throughout all the documentation, hyperlinks included and at the end I was still confused. There are so many options and each one have quite a number of prerequisites that requires even more reading. So, for my future reference and for all those who just need a straightforward way to solve the problem, here’s the list of all steps required.

Create a Service Principal

In order to access resources a Service Principal needs to be created in your Tenant. It is really convenient to do it via AZ CLI:

az ad sp create-for-rbac --name [APP_NAME] --password [CLIENT_SECRET]

for much more details and options see the documentation:

What is happening here is that you’re registering your application in order to be able to be recognized by Azure (more precisely: from the AD tenant that is taking care of your subscription). Exactly like when you register your application to access Twitter or Facebook in order to be able to read and write posts/tweets/user data and so on.

Request the Access Token

As said before authentication used the OAuth2 protocol, and this means that we have to obtain a token in order to authenticate all subsequent request. We need to use the client_credential flow:

curl -X POST -d 'grant_type=client_credentials&client_id=[APP_ID]&client_secret=[PASSWORD]&resource=https%3A%2F%2Fmanagement.azure.com%2F' https://login.microsoftonline.com/[TENANT_ID]/oauth2/token

all the three required information:

  • APP_ID
  • PASSWORD
  • TENANT_ID

can be obtained from the previous step. You already have the PASSWORD since you used it to create the Service Principal. The TENANT_ID and the APP_ID will be returned by the az ad sp create-for-rbac command you executed before. Otherwise you can execute the following az command to find it the tenant id:

az account list --output table --query '[].{Name:name, SubscriptionId:id, TenantId:tenantId}'

And the following to get the APP_ID:

az ad sp list

The result of the curl call will be an Authorization Token that looks like the following:

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImlCakwxUmNxemhpeTRmcHhJeGRacW9oTTJZayIsImtpZCI6ImlCakwxUmNxemhpeTRmcHhJeGRac
[...]
hkSFwruPWvkE15zzleYir_SsSVveaRlMUq9q7GOEr87aGvOVB3QManIn_jIo1cnDCUJZ3WX7hcMvq0dLE8Ap1ZL_HQqOzLbJfpnSCDfs2X2pBmqB3JH5rzrCAzeL1mYL5TOgC8k3s1Z_vvTqxD2XrO7QOGhGfxqxxDWJAXiblUtafHg

Call Azure REST API

The obtained token that needs to be used in the Authorization HTTP header as the Bearer Token to make sure your HTTP call will be authorized:

curl -X GET -H "Authorization: Bearer [TOKEN]" -H "Content-Type: application/json" https://management.azure.com/subscriptions/[SUBSCRIPTION_ID]/providers/Microsoft.Web/sites?api-version=2016-08-01

And that’s it. Is really easy at the end. And once you have the token it is also easy to use it in your preferred REST client tool, be it Postman or Insomnia.

If you want learn more on how to use the OAuth2 authentication protocol to access Azure, just go here:

July 2019 — Update 1: Just three steps

If you need a token just to run some test and you don’t want to go through Service Principal creation I just discovered that now you can just do

az account get-access-token

and you’re good to go, you’ll get your access token with a maximum validity of 1 hour, which is more than enough to do tests. Using curl is really easy now:

Step 1 : Get Your Subscription Id

declare subid=$(az account list | jq ".[] | select (.name == \"your-subscription-name\") | .id" -r)

Step 2: Get The Token

declare response=$(az account get-access-token)
declare token=$(echo $response | jq ".accessToken" -r)

Step 3: Invoke curl

curl -X GET -H "Authorization: Bearer $token" -H "Content-Type:application/json" -H "Accept:application/json" https://management.azure.com/subscriptions/$subid/providers/Microsoft.Web/sites\?api-version\=2016-08-01 | jq .

July 2019 — Update 2: Just ONE step

In the latest version of AZ (2.0.67, at moment of writing) there is new command rest that allows to call any azure REST API with just one command:

az rest -m get --header "Accept=application/json" -u ‘https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Web/sites?api-version=2016-08-01'

the {subscriptionId} will be automatically replaced with your active subscription Id. Great! Can’t be easier that this now :)

--

--

--

Data Geek, Storyteller, Developer at heart, now infiltrated in Azure SQL product group to make sure developers voice is heard loud and clear. Heavy Metal fan.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Fixing Unicode for Ruby Developers

How Terraform and GitHub Actions can be used for Continuous Validation

Generate QR Code in 4 Lines of Code

🎁WIN 650'000 PEAK🎁

Can Docker Replace VM

Another day of stupendous progress.

Get upto 20$ - 200$ Chainge token 🎁Get upto 20$ - 200$ Chainge token 📊Market- Soon…

Scaling properly a stateful app like Wordpress with Kubernetes Engine and Cloud SQL in Google Cloud

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Davide Mauri

Davide Mauri

Data Geek, Storyteller, Developer at heart, now infiltrated in Azure SQL product group to make sure developers voice is heard loud and clear. Heavy Metal fan.

More from Medium

Hosting static websites in Azure Storage

DB migrate from on-premise to Azure MySQL(1)

Use Azure AD workload identity to securely access Azure services or resource from your Kubernetes…

JMeter on Azure Kubernetes Service Cluster (AKS Cluster)