Calling Azure REST API via curl

A straightforward post to invoke Azure REST API via simple HTTP calls

In these days I needed to call Azure REST API directly, without having the possibility to use some nice wrapper like AZ CLI or .NET SDK or Python SDK or whatever, since the REST API I needed to call was not included in any of the mentioned tools.

Make sure you check out the latest updates at the bottom of the article!

I decided to use curl since it is one of the easiest way to issue HTTP requests. But it turned out to be a little more complex that I what I could have expected at the beginning, especially while dealing with the authentication phase. The entire process is pretty simple as you’ll see, documentation is just a bit scattered all around...so it may be difficult to quickly understand the path you must follow to get everything working nicely.

Azure API security, and thus authentication (which is based on OAuth2) is a pretty broad topic as you can see from the long documentation available here:

Azure REST API Reference

I read throughout all the documentation, hyperlinks included and at the end I was still confused. There are so many options and each one have quite a number of prerequisites that requires even more reading. So, for my future reference and for all those who just need a straightforward way to solve the problem, here’s the list of all steps required.

Create a Service Principal

In order to access resources a Service Principal needs to be created in your Tenant. It is really convenient to do it via AZ CLI:

az ad sp create-for-rbac --name [APP_NAME] --password [CLIENT_SECRET]

for much more details and options see the documentation:

Use Azure service principals with Azure CLI 2.0

What is happening here is that you’re registering your application in order to be able to be recognized by Azure (more precisely: from the AD tenant that is taking care of your subscription). Exactly like when you register your application to access Twitter or Facebook in order to be able to read and write posts/tweets/user data and so on.

Request the Access Token

As said before authentication used the OAuth2 protocol, and this means that we have to obtain a token in order to authenticate all subsequent request. We need to use the client_credential flow:

curl -X POST -d 'grant_type=client_credentials&client_id=[APP_ID]&client_secret=[PASSWORD]&resource=https%3A%2F%2Fmanagement.azure.com%2F' https://login.microsoftonline.com/[TENANT_ID]/oauth2/token

all the three required information:

• APP_ID
• PASSWORD
• TENANT_ID

can be obtained from the previous step. You already have the PASSWORD since you used it to create the Service Principal. The TENANT_ID and the APP_ID will be returned by the az ad sp create-for-rbac command you executed before. Otherwise you can execute the following az command to find it the tenant id:

az account list --output table --query '[].{Name:name, SubscriptionId:id, TenantId:tenantId}'

And the following to get the APP_ID:

az ad sp list

The result of the curl call will be an Authorization Token that looks like the following:

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImlCakwxUmNxemhpeTRmcHhJeGRacW9oTTJZayIsImtpZCI6ImlCakwxUmNxemhpeTRmcHhJeGRac
[...]
hkSFwruPWvkE15zzleYir_SsSVveaRlMUq9q7GOEr87aGvOVB3QManIn_jIo1cnDCUJZ3WX7hcMvq0dLE8Ap1ZL_HQqOzLbJfpnSCDfs2X2pBmqB3JH5rzrCAzeL1mYL5TOgC8k3s1Z_vvTqxD2XrO7QOGhGfxqxxDWJAXiblUtafHg

Call Azure REST API

The obtained token that needs to be used in the Authorization HTTP header as the Bearer Token to make sure your HTTP call will be authorized:

curl -X GET -H "Authorization: Bearer [TOKEN]" -H "Content-Type: application/json" https://management.azure.com/subscriptions/[SUBSCRIPTION_ID]/providers/Microsoft.Web/sites?api-version=2016-08-01

And that’s it. Is really easy at the end. And once you have the token it is also easy to use it in your preferred REST client tool, be it Postman or Insomnia.

If you want learn more on how to use the OAuth2 authentication protocol to access Azure, just go here:

Use Azure AD v2.0 to access secure resources without user interaction

July 2019 — Update 1: Just three steps

If you need a token just to run some test and you don’t want to go through Service Principal creation I just discovered that now you can just do

az account get-access-token

and you’re good to go, you’ll get your access token with a maximum validity of 1 hour, which is more than enough to do tests. Using curl is really easy now:

Step 1 : Get Your Subscription Id

declare subid=$(az account list | jq ".[] | select (.name == \"your-subscription-name\") | .id" -r)

Step 2: Get The Token

declare response=$(az account get-access-token)
declare token=$(echo $response | jq ".accessToken" -r)

Step 3: Invoke curl

curl -X GET -H "Authorization: Bearer $token" -H "Content-Type:application/json" -H "Accept:application/json" https://management.azure.com/subscriptions/$subid/providers/Microsoft.Web/sites\?api-version\=2016-08-01 | jq .

July 2019 — Update 2: Just ONE step

In the latest version of AZ (2.0.67, at moment of writing) there is new command rest that allows to call any azure REST API with just one command:

az rest -m get --header "Accept=application/json" -u ‘https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Web/sites?api-version=2016-08-01'

the {subscriptionId} will be automatically replaced with your active subscription Id. Great! Can’t be easier that this now :)