The problem
When using the Azure REST API from Ansible using the uri module you need to ensure you are authenticated towards Azure. The easiest way to do that is to set a Bearer token based on a Service Principal user on Azure.
This is the official Azure REST API documentation: https://docs.microsoft.com/en-us/rest/api/azure/
This is how you can create a service principal:
When you have created an Azure service principal you will have 4 necessary pieces of information:
- Tenant id (the protected resource)
- Client id (username)
- Client secret (password)
- Subscription id (you already had that from your user profile)
Make sure to save those values to an Ansible Vault. In my example I have called them:
- vault_az_tenant_id
- vault_az_client_id
- vault_az_client_secret
- vault_az_subscription_id
The solution
Create a playbook.yml with the following information:
---
- hosts: localhost
vars:
az_tenant_id: "{{ vault_az_tenant_id }}"
az_client_id: "{{ vault_az_client_id }}"
az_client_secret: "{{ vault_az_client_secret }}"
az_subscription_id: "{{ vault_az_subscription_id }}"
az_token_url: "https://login.microsoftonline.com/{{ az_tenant_id }}/oauth2/token"
az_token_body: >
resource=https://management.core.windows.net/
&client_id={{ az_client_id }}
&grant_type=client_credentials
&client_secret={{ az_client_secret }}
tasks:
- name: Login to Azure
uri:
url: "{{ az_token_url }}"
method: POST
body: "{{ az_token_body }}"
headers:
Content-Type: "application/x-www-form-urlencoded"
status_code: 200
register: login
- name: Setting Bearer token as fact
set_fact:
az_bearer: "{{ login.json.access_token }}"
That is how easy it is to authenticate with Azure from the Ansible uri module. Thanks to Vivek to helping out with the az_token_body.
Now every time you us the Ansible uri module in the same playbook, you just need to add the Bearer token to the request header, like this:
- uri:
url: "{{ whatever-azure-url }}"
method: POST
headers:
Authorization: "Bearer {{ az_bearer }}"
Many thaks
ReplyDelete