## Managed Identity to access Azure Management REST API
<!-- TABLE OF CONTENTS -->
<details open="open">
<summary>Table of Contents</summary>
<ol>
<li>
<a href="#about-the-sample" rel='nofollow' onclick='return false;'>About The Sample</a>
<ul>
<li><a href="#built-with" rel='nofollow' onclick='return false;'>Built With</a></li>
</ul>
</li>
<li>
<a href="#getting-started" rel='nofollow' onclick='return false;'>Getting Started</a>
<ul>
<li><a href="#developer-sandbox" rel='nofollow' onclick='return false;'>Developer Sandbox</a></li>
<li><a href="#azure-environment" rel='nofollow' onclick='return false;'>Azure Environment</a></li>
</ul>
</li>
</ol>
</details>
## About The Sample
This sample demonstrates how to call the Azure Management REST API from an App Service. The App Service uses a system-assigned managed identity to read the resources under a resource group.
### Built With
The following technologies, frameworks and tools are used:
* [ASP.NET Core MVC](https://dotnet.microsoft.com/apps/aspnet)
* [Azure Managed Identity](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview)
* [Azure Management REST API](https://github.com/Azure/azure-sdk-for-net)
* [Azure CLI for Azure App Service](https://docs.microsoft.com/en-us/cli/azure/webapp?view=azure-cli-latest)
## Getting Started
### Developer Sandbox
The application is built to run both on the developer machine and in the Azure environment. Locally, ```AzureCliCredential``` takes the identity context from the Azure CLI to authenticate and obtain the access token. It requires logging in to Azure via ```az login``` first and uses the CLI's currently logged-in identity. In the Azure environment, ```ManagedIdentityCredential``` takes the identity context from the MSI token endpoint. To learn more about the available authentication modes, see the [Azure Identity client library documentation](https://docs.microsoft.com/en-us/dotnet/api/overview/azure/identity-readme).
This is an example of how to run the application in the local development environment.
1. The application uses a user-secret file in the local development environment. Change the ```{subscription-id}``` and ```{resource-group-name}``` values in the user-secret file. The application reads the resources under the ```{resource-group-name}``` given in the file. The content of the file looks like this:
```json
{
"SubscriptionId": "{subscription-id}",
"ResourceGroup": "{resource-group-name}"
}
```
2. Use ```az login``` to log in to Azure. This step is mandatory because the identity context is read from the Azure CLI.
3. Run the following commands to build and run the ASP.NET Core MVC application.
```sh
<local-path>\webapp-msi-mgmtapi-dotnet> dotnet build .\webapp-msi-mgmtapi-dotnet.csproj -c Release
<local-path>\webapp-msi-mgmtapi-dotnet> dotnet run --project .\webapp-msi-mgmtapi-dotnet.csproj -c Release
```
4. Access the site ```https://localhost:5001/Home/Index``` and it displays the list of resources with metadata.
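The credential selection described in this section, followed by the read of the resource group over the Management REST API, shown as an added example that is not the sample's own code. The class and method names (`ArmReader`, `PickCredential`, `BuildListUri`, `ListResourcesAsync`), the use of the `IDENTITY_ENDPOINT` environment variable to detect App Service, and the `2021-04-01` API version are assumptions.

```csharp
// Added example, not the sample's own code. Requires the Azure.Identity NuGet package.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text.RegularExpressions;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

public static class ArmReader
{
    // Token audience for Azure Resource Manager; RBAC decides what the token may read.
    private const string ArmScope = "https://management.azure.com/.default";
    private static readonly HttpClient Http = new HttpClient();

    // Assumption: App Service sets IDENTITY_ENDPOINT when a managed identity is enabled.
    public static TokenCredential PickCredential() =>
        Environment.GetEnvironmentVariable("IDENTITY_ENDPOINT") is null
            ? new AzureCliCredential()          // local: identity from `az login`
            : new ManagedIdentityCredential();  // Azure: system-assigned identity

    // Validate the configured values before they become part of the request path.
    public static Uri BuildListUri(string subscriptionId, string resourceGroup)
    {
        if (!Guid.TryParseExact(subscriptionId, "D", out _))
            throw new ArgumentException("SubscriptionId must be a GUID.");
        if (!Regex.IsMatch(resourceGroup, @"^[-\w._()]{1,90}\z") || resourceGroup.EndsWith("."))
            throw new ArgumentException("ResourceGroup is not a valid resource group name.");
        return new Uri($"https://management.azure.com/subscriptions/{subscriptionId}" +
                       $"/resourceGroups/{resourceGroup}/resources?api-version=2021-04-01");
    }

    public static async Task<string> ListResourcesAsync(string subscriptionId, string resourceGroup)
    {
        Uri uri = BuildListUri(subscriptionId, resourceGroup);
        AccessToken token = await PickCredential()
            .GetTokenAsync(new TokenRequestContext(new[] { ArmScope }), CancellationToken.None);
        using var request = new HttpRequestMessage(HttpMethod.Get, uri);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.Token);
        using HttpResponseMessage response = await Http.SendAsync(request);
        // A 403 means ARM authenticated the identity but RBAC denied the read.
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync(); // JSON list of resources
    }
}
```

The token is only sent to `management.azure.com`, and it is never logged or returned to the caller.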
### Azure Environment
1. Run the following script in the Windows command line.
```bat
set subscriptionid={subscription-id}
set targetresourcegroup={target-resource-group-name}
set appsvc=myappsvc%RANDOM%
set webapp=mywebapp%RANDOM%
set resourcegroup=IndiaDC1
set gitrepo=https://github.com/subhendu-de/azure-samples
az group create --location southindia --name %resourcegroup%
az appservice plan create --name %appsvc% --resource-group %resourcegroup% --sku FREE
az webapp create --name %webapp% --resource-group %resourcegroup% --plan %appsvc%
az webapp config appsettings set --resource-group %resourcegroup% --name %webapp% --settings SubscriptionId=%subscriptionid% ResourceGroup=%targetresourcegroup%
az webapp identity assign --resource-group %resourcegroup% --name %webapp% --role reader --scope /subscriptions/%subscriptionid%/resourceGroups/%targetresourcegroup%
az webapp deployment source config --name %webapp% --resource-group %resourcegroup% --repo-url %gitrepo% --branch main --manual-integration
```
Please update the ```{subscription-id}``` and ```{target-resource-group-name}``` in the script. The application will read the resources under this ```{target-resource-group-name}``` mentioned in the script.
2. Access the site and it displays the list of resources with metadata.