Calling Azure REST API via curl
A straightforward post to invoke Azure REST API via simple HTTP calls
Recently I needed to call Azure REST API directly, without having the possibility to use some nice wrapper like AZ CLI or .NET SDK or Python SDK or whatever, since the REST API I needed to call was not included in any of the mentioned tools.
Make sure you check out the latest updates at the bottom of the article!
I decided to use curl since it is one of the easiest ways to issue HTTP requests. But it turned out to be a little more complex than I expected at the beginning, especially while dealing with the authentication phase. The entire process is pretty simple as you’ll see; the documentation is just a bit scattered all around, so it may be difficult to quickly understand the path you must follow to get everything working nicely.
Azure API security, and thus authentication (which is based on OAuth2), is a pretty broad topic, as you can see from the long documentation available here:
I read through all the documentation, hyperlinks included, and at the end I was still confused. There are so many options and each one has quite a number of prerequisites that require even more reading. So, for my future reference and for all those who just need a straightforward way to solve the problem, here’s the list of all steps required.
Create a Service Principal
In order to access resources a Service Principal needs to be created in your Tenant. It is really convenient to do it via AZ CLI:
az ad sp create-for-rbac --name [APP_NAME] --password [CLIENT_SECRET]
For many more details and options, see the documentation:
What is happening here is that you’re registering your application so that it can be recognized by Azure (more precisely: by the AD tenant that is taking care of your subscription). It is exactly like when you register your application to access Twitter or Facebook in order to be able to read and write posts/tweets/user data and so on.
Request the Access Token
As said before, authentication uses the OAuth2 protocol, and this means that we have to obtain a token in order to authenticate all subsequent requests. We need to use the client_credentials flow:
curl -X POST -d 'grant_type=client_credentials&client_id=[APP_ID]&client_secret=[PASSWORD]&resource=https%3A%2F%2Fmanagement.azure.com%2F' https://login.microsoftonline.com/[TENANT_ID]/oauth2/token
All three required pieces of information:
- APP_ID
- PASSWORD
- TENANT_ID
can be obtained from the previous step. You already have the PASSWORD since you used it to create the Service Principal. The TENANT_ID and the APP_ID will be returned by the az ad sp create-for-rbac command you executed before. Otherwise you can execute the following az command to find the tenant id:
az account list --output table --query '[].{Name:name, SubscriptionId:id, TenantId:tenantId}'
And the following to get the APP_ID:
az ad sp list
The result of the curl call will be an Authorization Token that looks like the following:
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImlCakwxUmNxemhpeTRmcHhJeGRacW9oTTJZayIsImtpZCI6ImlCakwxUmNxemhpeTRmcHhJeGRac
[...]
hkSFwruPWvkE15zzleYir_SsSVveaRlMUq9q7GOEr87aGvOVB3QManIn_jIo1cnDCUJZ3WX7hcMvq0dLE8Ap1ZL_HQqOzLbJfpnSCDfs2X2pBmqB3JH5rzrCAzeL1mYL5TOgC8k3s1Z_vvTqxD2XrO7QOGhGfxqxxDWJAXiblUtafHg
Call Azure REST API
The obtained token needs to be used in the Authorization HTTP header as the Bearer token to make sure your HTTP call will be authorized:
curl -X GET -H "Authorization: Bearer [TOKEN]" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/[SUBSCRIPTION_ID]/providers/Microsoft.Web/sites?api-version=2016-08-01"
And that’s it. It is really easy in the end. And once you have the token it is also easy to use it in your preferred REST client tool, be it Postman or Insomnia.
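The two curl calls above, wrapped as an added example (not code from the original post): the client secret is percent-encoded so that a secret containing `&`, `+` or `=` does not corrupt the form body, and both the secret and the bearer token reach curl on stdin instead of on its command line, where other local users could read them from the process list. The function names and the secret-file argument are assumptions; `-H @-` needs curl 7.55 or later, and the token endpoint is assumed to reply with JSON whose `access_token` field holds the token.

```shell
# Added example: function names and the secret-file argument are assumptions.

# Percent-encode one form value (RFC 3986 unreserved characters pass through).
# Runs in a subshell so its variables stay local. Assumes ASCII input.
urlencode() (
  LC_ALL=C
  s=$1 out=
  while [ -n "$s" ]; do
    rest=${s#?}          # everything after the first character
    c=${s%"$rest"}       # the first character itself
    s=$rest
    case $c in
      [A-Za-z0-9._~-]) out=$out$c ;;
      *) out=$out$(printf '%%%02X' "'$c") ;;
    esac
  done
  printf '%s' "$out"
)

# Form body for the client_credentials request shown above.
# args: app_id client_secret
token_request_body() {
  printf 'grant_type=client_credentials&client_id=%s&client_secret=%s&resource=%s' \
    "$(urlencode "$1")" "$(urlencode "$2")" \
    "$(urlencode 'https://management.azure.com/')"
}

# Request a token; the body reaches curl on stdin, not in its argument list.
# args: tenant_id app_id secret_file (a file readable only by you)
request_token() {
  [ -r "$3" ] || { echo "cannot read $3" >&2; return 1; }
  token_request_body "$2" "$(cat "$3")" |
    curl -sS --fail --data-binary @- \
      "https://login.microsoftonline.com/$1/oauth2/token" |
    jq -r '.access_token'
}

# Call a management URL; the Authorization header is also read from stdin.
# args: token url
call_azure() {
  printf 'Authorization: Bearer %s\n' "$1" |
    curl -sS --fail -H @- -H 'Accept: application/json' "$2"
}

# Usage (placeholders as in the article):
#   token=$(request_token "[TENANT_ID]" "[APP_ID]" ~/.azure-sp-secret)
#   call_azure "$token" "https://management.azure.com/subscriptions/[SUBSCRIPTION_ID]/providers/Microsoft.Web/sites?api-version=2016-08-01"
```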
If you want to learn more about how to use the OAuth2 authentication protocol to access Azure, just go here:
July 2019 — Update 1: Just three steps
If you need a token just to run some tests and you don’t want to go through Service Principal creation, I just discovered that now you can just do
az account get-access-token
and you’re good to go, you’ll get your access token with a maximum validity of 1 hour, which is more than enough to do tests. Using curl is really easy now:
Step 1: Get Your Subscription Id
declare subid=$(az account list | jq ".[] | select (.name == \"your-subscription-name\") | .id" -r)
Step 2: Get The Token
declare response=$(az account get-access-token)
declare token=$(echo $response | jq ".accessToken" -r)
Step 3: Invoke curl
curl -X GET -H "Authorization: Bearer $token" -H "Content-Type:application/json" -H "Accept:application/json" https://management.azure.com/subscriptions/$subid/providers/Microsoft.Web/sites\?api-version\=2016-08-01 | jq .
July 2019 — Update 2: Just ONE step
In the latest version of AZ (2.0.67, at the moment of writing) there is a new command, rest, that allows you to call any Azure REST API with just one command:
az rest -m get --header "Accept=application/json" -u 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Web/sites?api-version=2016-08-01'
The {subscriptionId} will be automatically replaced with your active subscription Id. Great! Can’t be easier than this now :)