I would like to follow up on a blog post I have read here. They talk about how you can interact directly with the Azure Resource Manager API with PowerShell or other programming / scripting languages. The advantage is I don’t need any Azure PowerShell modules in order to retrieve any data from Azure Stack. In the blog post they are talking about the TP1 configuration to use. But we might noticed that some things has been changed in the RTM bits. So lets see how we can kickstart to setup our environment and use PowerShell to talk to Azure Stack ARM API directly with the ASDK bits and the new Azure Portal experience.
First we need to login as service administrator in the Azure Portal to add a new Application in our Azure AD. Go to the App registrations in the new Azure Portal and choose Add, then specify a name and use for sign-on URL http://localhost
Click on create. In this newly created application go to settings, then select the Keys section and add a new key. Save the key for later use. I found a bug or a strange behavior. If you used 2 years or longer you might receive a “AADSTS50012: Invalid client secret is provided.” I solved it by selecting a key that is 1 year valid, lately I also found that with key selected for a year, just try generating another key again then:
Now head over to the properties and take the application ID:
The next thing we need to do is to give this new application permissions to interact with the Azure Stack ARM API. Go to required permission in the portal and assign permissions to ‘Azure Stack – Administration’ by typing in the search bar ‘Azure Stack – ‘. It will list the available API’s. If you have like me more than 1 Azure Stack installs done in your AAD select all of them by repeating this next 2 steps for sake of simplicity. (I do recommend Microsoft to add a column in this list to add the app id so we can target correct API when we have multiple of them):
Next select the permission Access Azure Stack Resource Manager. Then select ‘Select’ and then ‘Done’ :
Once that is done I had to click on the assign permissions button in the ‘required permissions’ overview pane.
We need the App ID URI for the Azure Resource Manager API. So now head over to your Azure Stack node and run this command to retrieve the App ID URI
|
1 |
(Invoke-RestMethod "https://adminmanagement.local.azurestack.external/metadata/endpoints?api-version=2015-01-01").authentication.audiences[0] |
The last thing we need is the tenant ID. A quick jumpstart, to get the tenant ID is go to the help button in the right top corner in the Azure Portal and click on Diagnostics:
You will find half way the new windows that is opened the tenant ID for your tenant:
If your collection of references we collected during the AAD App setup is correct we can construct the following code. Replace the first 6 line variables with your values:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 |
$azurestackFqdn = 'azurestack.external' $regionName = 'local' $ClientID = '1be74bfc-b780-49eb-97d3-7942f83451c3' $ClientKey = '<CLIENTSECRET>' $TenantID = 'da1dc6b1-c3ad-471f-be40-2b6e156a2909' $User = 'tenantuser@maslab3.onmicrosoft.com' $Password = '<PASSWORD>' $AppIdUri = ((Invoke-RestMethod "https://adminmanagement.$regionName.$azurestackFqdn/metadata/endpoints?api-version=2015-01-01").authentication.audiences[0]) $AADURI = 'https://login.microsoftonline.com/{0}/oauth2/token' -f $TenantID $GrantBody = 'grant_type=password&scope=openid&resource={0}&client_id={1}&client_secret={2}&username={3}&password={4}' -f $AppIdUri, $ClientID, $ClientKey, $User, $Password $AADTokenResponse = Invoke-RestMethod -Uri $AADURI -ContentType "application/x-www-form-urlencoded" -Body $GrantBody -Method Post -Verbose $AADtoken = $AADTokenResponse.access_token $Headers = @{ 'Authorization' = "Bearer $AADtoken" 'Accept' = "application/json" 'x-ms-effective-locale' = "en.en-us" } $GetSubscriptionsURI = "https://adminmanagement.$regionName.$azurestackFqdn/subscriptions?api-version=1.0&includeDetails=true" $Subscriptions = (Invoke-RestMethod -Uri $GetSubscriptionsURI -ContentType "application/json" -Headers $Headers -Method Get -Debug -Verbose).value $Subscriptions $subId = $Subscriptions.subscriptionId $URI = "https://adminmanagement.$regionName.$azurestackFqdn/subscriptions/$subId/providers/Microsoft.Storage/usages?api-version=2016-01-01" $Storage = (Invoke-RestMethod -Uri $URI -ContentType "application/json" -Headers $Headers -Method Get -Debug -Verbose).value $Storage $URI = "https://adminmanagement.$regionName.$azurestackFqdn/subscriptions/$subId/providers/Microsoft.Compute/locations/local/usages?api-version=2015-06-15" $Compute = (Invoke-RestMethod -Uri $URI -ContentType "application/json" -Headers $Headers -Method Get -Debug -Verbose).value $Compute $URI = "https://adminmanagement.$regionName.$azurestackFqdn/subscriptions/$subId/resourcegroups/?api-version=2016-06-01" $ResourceGroups = (Invoke-RestMethod -Uri $URI -ContentType "application/json" -Headers $Headers -Method Get -Debug -Verbose).value $ResourceGroups |
To get started with more API REST calls please find here the reference to the API documentation. Do note, not all services are available in Azure Stack and you might encounter some errors that some specific API version is not available in Azure Stack. You will then get an error and it will tell you what API version are available in Azure Stack and you have to update these in your script. When I run some queries I get results from Azure Stack ARM API:
