I would like to follow up on a blog post I have read here. They talk about how you can interact directly with the Azure Resource Manager API with PowerShell or other programming / scripting languages. The advantage is I don’t need any Azure PowerShell modules in order to retrieve any data from Azure Stack. In the blog post they are talking about the TP1 configuration to use. But we might noticed that some things has been changed in TP2 and in the TP2 refresh bits. So lets see how we can kickstart to setup our environment and use PowerShell to talk to Azure Stack ARM API directly with the TP2 bits and the new Azure Portal experience.
First we need to login as service administrator in the Azure Portal to add a new Application in our Azure AD. Go to the App registrations in the new Azure Portal and choose Add, then specify a name and use for sign-on URL http://localhost
Click on create. In this newly created application go to settings, then select the Keys section and add a new key. Save the key for later use. I found a bug or a strange behavior. If you used 2 years or longer you might receive a “AADSTS50012: Invalid client secret is provided.” I solved it by selecting a key that is 1 year valid:
Now head over to the properties and take the application ID:
The next thing we need to do is to give this new application permissions to interact with the Azure Stack ARM API. Go to required permission in the portal and assign permissions to Azure Resource Manager by typing in the search bar AzureStack. It will list the available API’s. If you have like me more than 1 Azure Stack installs done in your AAD select all of them by repeating this next 2 steps for sake of simplicity. (I do recommend Microsoft to add a column in this list to add the app id so we can target correct API when we have multiple of them):
Next select the permission Access Azure Stack Resource Manager. Then select ‘Select’ and then ‘Done’ :
We need the App ID URI for the Azure Resource Manager API. So now head over to your Azure Resource Manager application and write down your App ID URI:
If you have multiple installs of Azure Stack please check the App ID URI with your installation by running this command:
|
1 |
(Invoke-RestMethod "https://api.azurestack.local/metadata/endpoints?api-version=2015-01-01").authentication.audiences[0] |
Then make sure the App ID URI and the result in your PowerShell result are the same:
The last thing we need is the tenant ID. A quick jumpstart, to get the tenant ID is go to the help button in the right top corner in the Azure Portal and click on Diagnostics:
You will find half way the new windows that is opened the tenant ID for your tenant:
If your collection of references we collected during the AAD App setup is correct we can construct the following code. Replace the first 6 line variables with your values:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 |
$azurestackdomain = 'azurestack.local' $ClientID = '1be74bfc-b780-49eb-97d3-7942f83451c3' $ClientKey = '<CLIENTSECRET>' $TenantID = 'da1dc6b1-c3ad-471f-be40-2b6e156a2909' $User = 'tenantuser@maslab3.onmicrosoft.com' $Password = '<PASSWORD>' $AppIdUri = ((Invoke-RestMethod "https://api.$azurestackdomain/metadata/endpoints?api-version=2015-01-01").authentication.audiences[0]) $AADURI = 'https://login.microsoftonline.com/{0}/oauth2/token' -f $TenantID $GrantBody = 'grant_type=password&scope=openid&resource={0}&client_id={1}&client_secret={2}&username={3}&password={4}' -f $AppIdUri, $ClientID, $ClientKey, $User, $Password $AADTokenResponse = Invoke-RestMethod -Uri $AADURI -ContentType "application/x-www-form-urlencoded" -Body $GrantBody -Method Post -Verbose $AADtoken = $AADTokenResponse.access_token $Headers = @{ 'Authorization' = "Bearer $AADtoken" 'Accept' = "application/json" 'x-ms-effective-locale' = "en.en-us" } $GetSubscriptionsURI = "https://api.$azurestackdomain/subscriptions?api-version=1.0&includeDetails=true" $Subscriptions = (Invoke-RestMethod -Uri $GetSubscriptionsURI -ContentType "application/json" -Headers $Headers -Method Get -Debug -Verbose).value $Subscriptions $subId = $Subscriptions.subscriptionId $URI = "https://api.$azurestackdomain/subscriptions/$subId/providers/Microsoft.Storage/usages?api-version=2016-01-01" $Storage = (Invoke-RestMethod -Uri $URI -ContentType "application/json" -Headers $Headers -Method Get -Debug -Verbose).value $Storage $URI = "https://api.$azurestackdomain/subscriptions/$subId/providers/Microsoft.Compute/locations/local/usages?api-version=2015-06-15" $Compute = (Invoke-RestMethod -Uri $URI -ContentType "application/json" -Headers $Headers -Method Get -Debug -Verbose).value $Compute $URI = "https://api.$azurestackdomain/subscriptions/$subId/resourcegroups/?api-version=2016-06-01" $ResourceGroups = (Invoke-RestMethod -Uri $URI -ContentType "application/json" -Headers $Headers -Method Get -Debug -Verbose).value $ResourceGroups |
To get started with more API REST calls please find here the reference to the API documentation. Do note, not all services are available in Azure Stack and you might encounter some errors that some specific API version is not available in Azure Stack. You will then get an error and it will tell you what API version are available in Azure Stack and you have to update these in your script. When I run some queries I get results from Azure Stack ARM API:
