// createServicePrincipalToken exchanges the client ID, client secret and
// tenant ID held in b.config for a service principal token scoped to the
// Azure Resource Manager API. Any error reported by
// azure.NewServicePrincipalToken is returned unchanged.
func (b *Builder) createServicePrincipalToken() (*azure.ServicePrincipalToken, error) {
	cfg := b.config
	return azure.NewServicePrincipalToken(
		cfg.ClientID,
		cfg.ClientSecret,
		cfg.TenantID,
		azure.AzureResourceManagerScope,
	)
}
// AuthenticateForARM uses LoadCredentials to load user credentials and uses them to authenticate // and create a auth token that can be used by subsequent calls to ARM-based APIs. // // Note: Storing crendentials in a local file must be secured and not shared. It is used here // simply to reduce code in the examples, but it is not suggested as a best (or even good) // practice. func AuthenticateForARM() (client arm.Client, err error) { c, err := LoadCredentials() if err != nil { return } sid := c["subscriptionID"] tid := c["tenantID"] cid := c["clientID"] secret := c["clientSecret"] spt, err := azure.NewServicePrincipalToken(cid, secret, tid, azure.AzureResourceManagerScope) if err != nil { return } client = arm.NewClient(sid, spt) return }
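// main checks whether the hard-coded storage account name is available in
// the subscription described by the local credentials file and prints the
// outcome.
//
// Every failure (loading credentials, constructing the service principal
// token, calling the API) is fatal: the error is logged and the process
// exits.
func main() {
	name := "storage-account-name"

	c, err := helpers.LoadCredentials()
	if err != nil {
		log.Fatalf("Error: %v", err)
	}
	sid := c["subscriptionID"]
	tid := c["tenantID"]
	cid := c["clientID"]
	secret := c["clientSecret"]

	spt, err := azure.NewServicePrincipalToken(cid, secret, tid, azure.AzureResourceManagerScope)
	if err != nil {
		log.Fatalf("Error: %v", err)
	}

	// The local is named client so it does not shadow the arm package it is
	// created from.
	client := arm.NewClient(sid, spt)
	// NOTE(review): the inspectors presumably dump requests and responses;
	// confirm they do not print the Authorization header before reusing this
	// outside an example.
	client.RequestInspector = helpers.WithInspection()
	client.ResponseInspector = helpers.ByInspecting()

	ac := client.StorageAccounts()
	cna, err := ac.CheckNameAvailability(
		storage.AccountCheckNameAvailabilityParameters{
			Name: to.StringPtr(name),
			Type: to.StringPtr("Microsoft.Storage/storageAccounts")})
	if err != nil {
		log.Fatalf("Error: %v", err)
	}

	// log.Fatalf exits, so the success path needs no else branch.
	if to.Bool(cna.NameAvailable) {
		fmt.Printf("The name '%s' is available\n", name)
		return
	}
	fmt.Printf("The name '%s' is unavailable because %s\n", name, to.String(cna.Message))
}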
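// configureClient applies the settings shared by every ARM SDK client that
// getArmClient builds: the provider user agent, the service principal token
// as the request authorizer, and a sender that logs each request. A client
// that needs a different sender overrides it after this call.
func configureClient(ac *autorest.Client, spt *azure.ServicePrincipalToken) {
	setUserAgent(ac)
	ac.Authorizer = spt
	ac.Sender = autorest.CreateSender(withRequestLogging())
}

// getArmClient is a helper method which returns a fully instantiated
// *ArmClient based on the Config's current settings.
//
// The client ID, client secret and tenant ID are first exchanged for an
// ARM-scoped service principal token; that error is returned unchanged if
// the exchange fails. Every SDK client is then bound to c.SubscriptionID and
// authorized with the same token.
func (c *Config) getArmClient() (*ArmClient, error) {
	spt, err := azure.NewServicePrincipalToken(c.ClientID, c.ClientSecret, c.TenantID, azure.AzureResourceManagerScope)
	if err != nil {
		return nil, err
	}

	// client declarations:
	client := ArmClient{}

	// NOTE: these declarations should be left separate for clarity should the
	// clients be wished to be configured with custom Responders/PollingModes etc...
	asc := compute.NewAvailabilitySetsClient(c.SubscriptionID)
	configureClient(&asc.Client, spt)
	client.availSetClient = asc

	uoc := compute.NewUsageOperationsClient(c.SubscriptionID)
	configureClient(&uoc.Client, spt)
	client.usageOpsClient = uoc

	vmeic := compute.NewVirtualMachineExtensionImagesClient(c.SubscriptionID)
	configureClient(&vmeic.Client, spt)
	client.vmExtensionImageClient = vmeic

	vmec := compute.NewVirtualMachineExtensionsClient(c.SubscriptionID)
	configureClient(&vmec.Client, spt)
	client.vmExtensionClient = vmec

	vmic := compute.NewVirtualMachineImagesClient(c.SubscriptionID)
	configureClient(&vmic.Client, spt)
	client.vmImageClient = vmic

	vmc := compute.NewVirtualMachinesClient(c.SubscriptionID)
	configureClient(&vmc.Client, spt)
	client.vmClient = vmc

	agc := network.NewApplicationGatewaysClient(c.SubscriptionID)
	configureClient(&agc.Client, spt)
	client.appGatewayClient = agc

	ifc := network.NewInterfacesClient(c.SubscriptionID)
	configureClient(&ifc.Client, spt)
	client.ifaceClient = ifc

	lbc := network.NewLoadBalancersClient(c.SubscriptionID)
	configureClient(&lbc.Client, spt)
	client.loadBalancerClient = lbc

	lgc := network.NewLocalNetworkGatewaysClient(c.SubscriptionID)
	configureClient(&lgc.Client, spt)
	client.localNetConnClient = lgc

	pipc := network.NewPublicIPAddressesClient(c.SubscriptionID)
	configureClient(&pipc.Client, spt)
	client.publicIPClient = pipc

	sgc := network.NewSecurityGroupsClient(c.SubscriptionID)
	configureClient(&sgc.Client, spt)
	client.secGroupClient = sgc

	src := network.NewSecurityRulesClient(c.SubscriptionID)
	configureClient(&src.Client, spt)
	client.secRuleClient = src

	snc := network.NewSubnetsClient(c.SubscriptionID)
	configureClient(&snc.Client, spt)
	client.subnetClient = snc

	vgcc := network.NewVirtualNetworkGatewayConnectionsClient(c.SubscriptionID)
	configureClient(&vgcc.Client, spt)
	client.vnetGatewayConnectionsClient = vgcc

	vgc := network.NewVirtualNetworkGatewaysClient(c.SubscriptionID)
	configureClient(&vgc.Client, spt)
	client.vnetGatewayClient = vgc

	vnc := network.NewVirtualNetworksClient(c.SubscriptionID)
	configureClient(&vnc.Client, spt)
	client.vnetClient = vnc

	rtc := network.NewRouteTablesClient(c.SubscriptionID)
	configureClient(&rtc.Client, spt)
	client.routeTablesClient = rtc

	rc := network.NewRoutesClient(c.SubscriptionID)
	configureClient(&rc.Client, spt)
	client.routesClient = rc

	rgc := resources.NewGroupsClient(c.SubscriptionID)
	configureClient(&rgc.Client, spt)
	client.resourceGroupClient = rgc

	pc := resources.NewProvidersClient(c.SubscriptionID)
	configureClient(&pc.Client, spt)
	client.providers = pc

	tc := resources.NewTagsClient(c.SubscriptionID)
	configureClient(&tc.Client, spt)
	client.tagsClient = tc

	jc := scheduler.NewJobsClient(c.SubscriptionID)
	configureClient(&jc.Client, spt)
	client.jobsClient = jc

	jcc := scheduler.NewJobCollectionsClient(c.SubscriptionID)
	configureClient(&jcc.Client, spt)
	client.jobsCollectionsClient = jcc

	ssc := storage.NewAccountsClient(c.SubscriptionID)
	configureClient(&ssc.Client, spt)
	client.storageServiceClient = ssc

	suc := storage.NewUsageOperationsClient(c.SubscriptionID)
	configureClient(&suc.Client, spt)
	client.storageUsageClient = suc

	cpc := cdn.NewProfilesClient(c.SubscriptionID)
	configureClient(&cpc.Client, spt)
	client.cdnProfilesClient = cpc

	cec := cdn.NewEndpointsClient(c.SubscriptionID)
	configureClient(&cec.Client, spt)
	client.cdnEndpointsClient = cec

	return &client, nil
}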
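// configureClient applies the settings shared by every ARM SDK client that
// getArmClient builds: the provider user agent, the service principal token
// as the request authorizer, and a sender that logs each request. A client
// that needs a different sender overrides it after this call.
func configureClient(ac *autorest.Client, spt *azure.ServicePrincipalToken) {
	setUserAgent(ac)
	ac.Authorizer = spt
	ac.Sender = autorest.CreateSender(withRequestLogging())
}

// getArmClient is a helper method which returns a fully instantiated
// *ArmClient based on the Config's current settings.
//
// A Riviera client is built first and the credentials are exercised through a
// provider registration before any Microsoft SDK client is created; the
// ARM-scoped service principal token is then requested and shared by every
// SDK client, each of which is bound to c.SubscriptionID.
func (c *Config) getArmClient() (*ArmClient, error) {
	// client declarations:
	client := ArmClient{}

	rivieraClient, err := riviera.NewClient(&riviera.AzureResourceManagerCredentials{
		ClientID:       c.ClientID,
		ClientSecret:   c.ClientSecret,
		TenantID:       c.TenantID,
		SubscriptionID: c.SubscriptionID,
	})
	if err != nil {
		return nil, fmt.Errorf("Error creating Riviera client: %s", err)
	}

	// validate that the credentials are correct using Riviera. Note that this must be
	// done _before_ using the Microsoft SDK, because Riviera handles errors. Using a
	// namespace registration instead of a simple OAuth token refresh guarantees that
	// service delegation is correct. This has the effect of registering Microsoft.Compute
	// which is necessary anyway.
	if err := registerProviderWithSubscription("Microsoft.Compute", rivieraClient); err != nil {
		return nil, err
	}
	client.rivieraClient = rivieraClient

	spt, err := azure.NewServicePrincipalToken(c.ClientID, c.ClientSecret, c.TenantID, azure.AzureResourceManagerScope)
	if err != nil {
		return nil, err
	}

	// NOTE: these declarations should be left separate for clarity should the
	// clients be wished to be configured with custom Responders/PollingModes etc...
	asc := compute.NewAvailabilitySetsClient(c.SubscriptionID)
	configureClient(&asc.Client, spt)
	client.availSetClient = asc

	uoc := compute.NewUsageOperationsClient(c.SubscriptionID)
	configureClient(&uoc.Client, spt)
	client.usageOpsClient = uoc

	vmeic := compute.NewVirtualMachineExtensionImagesClient(c.SubscriptionID)
	configureClient(&vmeic.Client, spt)
	client.vmExtensionImageClient = vmeic

	vmec := compute.NewVirtualMachineExtensionsClient(c.SubscriptionID)
	configureClient(&vmec.Client, spt)
	client.vmExtensionClient = vmec

	vmic := compute.NewVirtualMachineImagesClient(c.SubscriptionID)
	configureClient(&vmic.Client, spt)
	client.vmImageClient = vmic

	vmc := compute.NewVirtualMachinesClient(c.SubscriptionID)
	configureClient(&vmc.Client, spt)
	client.vmClient = vmc

	agc := network.NewApplicationGatewaysClient(c.SubscriptionID)
	configureClient(&agc.Client, spt)
	client.appGatewayClient = agc

	ifc := network.NewInterfacesClient(c.SubscriptionID)
	configureClient(&ifc.Client, spt)
	client.ifaceClient = ifc

	lbc := network.NewLoadBalancersClient(c.SubscriptionID)
	configureClient(&lbc.Client, spt)
	client.loadBalancerClient = lbc

	lgc := network.NewLocalNetworkGatewaysClient(c.SubscriptionID)
	configureClient(&lgc.Client, spt)
	client.localNetConnClient = lgc

	pipc := network.NewPublicIPAddressesClient(c.SubscriptionID)
	configureClient(&pipc.Client, spt)
	client.publicIPClient = pipc

	sgc := network.NewSecurityGroupsClient(c.SubscriptionID)
	configureClient(&sgc.Client, spt)
	client.secGroupClient = sgc

	src := network.NewSecurityRulesClient(c.SubscriptionID)
	configureClient(&src.Client, spt)
	client.secRuleClient = src

	snc := network.NewSubnetsClient(c.SubscriptionID)
	configureClient(&snc.Client, spt)
	client.subnetClient = snc

	vgcc := network.NewVirtualNetworkGatewayConnectionsClient(c.SubscriptionID)
	configureClient(&vgcc.Client, spt)
	client.vnetGatewayConnectionsClient = vgcc

	vgc := network.NewVirtualNetworkGatewaysClient(c.SubscriptionID)
	configureClient(&vgc.Client, spt)
	client.vnetGatewayClient = vgc

	vnc := network.NewVirtualNetworksClient(c.SubscriptionID)
	configureClient(&vnc.Client, spt)
	client.vnetClient = vnc

	rtc := network.NewRouteTablesClient(c.SubscriptionID)
	configureClient(&rtc.Client, spt)
	client.routeTablesClient = rtc

	rc := network.NewRoutesClient(c.SubscriptionID)
	configureClient(&rc.Client, spt)
	client.routesClient = rc

	rgc := resources.NewGroupsClient(c.SubscriptionID)
	configureClient(&rgc.Client, spt)
	client.resourceGroupClient = rgc

	pc := resources.NewProvidersClient(c.SubscriptionID)
	configureClient(&pc.Client, spt)
	client.providers = pc

	tc := resources.NewTagsClient(c.SubscriptionID)
	configureClient(&tc.Client, spt)
	client.tagsClient = tc

	jc := scheduler.NewJobsClient(c.SubscriptionID)
	configureClient(&jc.Client, spt)
	client.jobsClient = jc

	jcc := scheduler.NewJobCollectionsClient(c.SubscriptionID)
	configureClient(&jcc.Client, spt)
	client.jobsCollectionsClient = jcc

	// The storage accounts client is the one client that also watches
	// long-running operations, so it replaces the default sender.
	ssc := storage.NewAccountsClient(c.SubscriptionID)
	configureClient(&ssc.Client, spt)
	ssc.Sender = autorest.CreateSender(withRequestLogging(), withPollWatcher())
	client.storageServiceClient = ssc

	suc := storage.NewUsageOperationsClient(c.SubscriptionID)
	configureClient(&suc.Client, spt)
	client.storageUsageClient = suc

	cpc := cdn.NewProfilesClient(c.SubscriptionID)
	configureClient(&cpc.Client, spt)
	client.cdnProfilesClient = cpc

	cec := cdn.NewEndpointsClient(c.SubscriptionID)
	configureClient(&cec.Client, spt)
	client.cdnEndpointsClient = cec

	dc := resources.NewDeploymentsClient(c.SubscriptionID)
	configureClient(&dc.Client, spt)
	client.deploymentsClient = dc

	return &client, nil
}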
// validateConfig validates newCfg (and, when oldCfg is non-nil, the
// transition from oldCfg to newCfg) and returns the resulting
// azureModelConfig.
//
// It runs the generic config.Validate check, validates the provider-specific
// attributes against configFields and configDefaults, requires every key in
// requiredConfigAttributes to be a non-empty string, and rejects the removal
// or change of any key in immutableConfigAttributes that oldCfg already had.
// The "global" firewall mode and unknown storage account types are rejected.
// Finally the application ID, password and tenant ID are exchanged for an
// ARM-scoped service principal token, which is stored in the returned config.
func validateConfig(newCfg, oldCfg *config.Config) (*azureModelConfig, error) {
	err := config.Validate(newCfg, oldCfg)
	if err != nil {
		return nil, err
	}
	validated, err := newCfg.ValidateUnknownAttrs(configFields, configDefaults)
	if err != nil {
		return nil, err
	}

	// Ensure required configuration is provided.
	for _, key := range requiredConfigAttributes {
		if value, ok := validated[key].(string); !ok || value == "" {
			return nil, errors.Errorf("%q config not specified", key)
		}
	}

	if oldCfg != nil {
		// Ensure immutable configuration isn't changed.
		oldUnknownAttrs := oldCfg.UnknownAttrs()
		for _, key := range immutableConfigAttributes {
			oldValue, hadValue := oldUnknownAttrs[key].(string)
			if hadValue {
				newValue, haveValue := validated[key].(string)
				if !haveValue {
					return nil, errors.Errorf(
						"cannot remove immutable %q config", key,
					)
				}
				if newValue != oldValue {
					return nil, errors.Errorf(
						"cannot change immutable %q config (%v -> %v)",
						key, oldValue, newValue,
					)
				}
			}
			// It's valid to go from not having to having.
		}
		// TODO(axw) figure out how we intend to handle changing
		// secrets, such as application key
	}

	// The single-value assertions below panic if the attribute is absent or
	// not a string; presumably each of these keys is listed in
	// requiredConfigAttributes, which was checked above — confirm against
	// that list.
	location := canonicalLocation(validated[configAttrLocation].(string))
	appId := validated[configAttrAppId].(string)
	subscriptionId := validated[configAttrSubscriptionId].(string)
	tenantId := validated[configAttrTenantId].(string)
	appPassword := validated[configAttrAppPassword].(string)
	// The two-value assertions tolerate absence, so the storage account and
	// its key are read as optional here (empty string when not set).
	storageAccount, _ := validated[configAttrStorageAccount].(string)
	storageAccountKey, _ := validated[configAttrStorageAccountKey].(string)
	storageAccountType := validated[configAttrStorageAccountType].(string)
	controllerResourceGroup := validated[configAttrControllerResourceGroup].(string)

	if newCfg.FirewallMode() == config.FwGlobal {
		// We do not currently support the "global" firewall mode.
		return nil, errNoFwGlobal
	}

	if !isKnownStorageAccountType(storageAccountType) {
		return nil, errors.Errorf(
			"invalid storage account type %q, expected one of: %q",
			storageAccountType, knownStorageAccountTypes,
		)
	}

	// Credentials are only exchanged for a token once every other check has
	// passed, so an invalid config never reaches the token endpoint.
	token, err := azure.NewServicePrincipalToken(
		appId, appPassword, tenantId,
		azure.AzureResourceManagerScope,
	)
	if err != nil {
		return nil, errors.Annotate(err, "constructing service principal token")
	}

	azureConfig := &azureModelConfig{
		newCfg,
		token,
		subscriptionId,
		location,
		storageAccount,
		storageAccountKey,
		storage.AccountType(storageAccountType),
		controllerResourceGroup,
	}

	return azureConfig, nil
}
// validateConfig validates newCfg (and, when oldCfg is non-nil, the
// transition from oldCfg to newCfg) and returns the resulting
// azureModelConfig.
//
// It runs the generic config.Validate check, validates the provider-specific
// attributes against configFields and configDefaults, requires every key in
// requiredConfigAttributes to be a non-empty string, and rejects the removal
// or change of any key in immutableConfigAttributes that oldCfg already had.
// The derived resource group name is checked against resourceNameLengthMax,
// the "global" firewall mode and unknown storage account types are rejected,
// and the storage endpoint is parsed so that only its host is kept. Finally
// the application ID, password and tenant ID are exchanged for an ARM-scoped
// service principal token, which is stored in the returned config.
func validateConfig(newCfg, oldCfg *config.Config) (*azureModelConfig, error) {
	err := config.Validate(newCfg, oldCfg)
	if err != nil {
		return nil, err
	}
	validated, err := newCfg.ValidateUnknownAttrs(configFields, configDefaults)
	if err != nil {
		return nil, err
	}

	// Ensure required configuration is provided.
	for _, key := range requiredConfigAttributes {
		if value, ok := validated[key].(string); !ok || value == "" {
			return nil, errors.Errorf("%q config not specified", key)
		}
	}

	if oldCfg != nil {
		// Ensure immutable configuration isn't changed.
		oldUnknownAttrs := oldCfg.UnknownAttrs()
		for _, key := range immutableConfigAttributes {
			oldValue, hadValue := oldUnknownAttrs[key].(string)
			if hadValue {
				newValue, haveValue := validated[key].(string)
				if !haveValue {
					return nil, errors.Errorf(
						"cannot remove immutable %q config", key,
					)
				}
				if newValue != oldValue {
					return nil, errors.Errorf(
						"cannot change immutable %q config (%v -> %v)",
						key, oldValue, newValue,
					)
				}
			}
			// It's valid to go from not having to having.
		}
		// TODO(axw) figure out how we intend to handle changing
		// secrets, such as application key
	}

	// Resource group names must not exceed 80 characters. Resource group
	// names are based on the model UUID and model name, the latter of
	// which the model creator controls.
	modelTag := names.NewModelTag(newCfg.UUID())
	resourceGroup := resourceGroupName(modelTag, newCfg.Name())
	if n := len(resourceGroup); n > resourceNameLengthMax {
		// The name built from an empty model name is the fixed overhead, so
		// the difference is the budget left for the model name itself.
		smallestResourceGroup := resourceGroupName(modelTag, "")
		return nil, errors.Errorf(`resource group name %q is too long Please choose a model name of no more than %d characters.`,
			resourceGroup,
			resourceNameLengthMax-len(smallestResourceGroup),
		)
	}

	// The single-value assertions below panic if the attribute is absent or
	// not a string; presumably each of these keys is listed in
	// requiredConfigAttributes, which was checked above — confirm against
	// that list.
	location := canonicalLocation(validated[configAttrLocation].(string))
	endpoint := validated[configAttrEndpoint].(string)
	storageEndpoint := validated[configAttrStorageEndpoint].(string)
	appId := validated[configAttrAppId].(string)
	subscriptionId := validated[configAttrSubscriptionId].(string)
	tenantId := validated[configAttrTenantId].(string)
	appPassword := validated[configAttrAppPassword].(string)
	// The two-value assertions tolerate absence, so the storage account and
	// its key are read as optional here (empty string when not set).
	storageAccount, _ := validated[configAttrStorageAccount].(string)
	storageAccountKey, _ := validated[configAttrStorageAccountKey].(string)
	storageAccountType := validated[configAttrStorageAccountType].(string)
	controllerResourceGroup := validated[configAttrControllerResourceGroup].(string)

	if newCfg.FirewallMode() == config.FwGlobal {
		// We do not currently support the "global" firewall mode.
		return nil, errNoFwGlobal
	}

	if !isKnownStorageAccountType(storageAccountType) {
		return nil, errors.Errorf(
			"invalid storage account type %q, expected one of: %q",
			storageAccountType, knownStorageAccountTypes,
		)
	}

	// The Azure storage code wants the endpoint host only, not the URL.
	// NOTE(review): url.Parse accepts a scheme-less value such as a bare
	// host name and then yields an empty Host; confirm that the default and
	// any user-supplied storage endpoint always carry a scheme.
	storageEndpointURL, err := url.Parse(storageEndpoint)
	if err != nil {
		return nil, errors.Annotate(err, "parsing storage endpoint URL")
	}

	// Credentials are only exchanged for a token once every other check has
	// passed, so an invalid config never reaches the token endpoint.
	token, err := azure.NewServicePrincipalToken(
		appId, appPassword, tenantId,
		azure.AzureResourceManagerScope,
	)
	if err != nil {
		return nil, errors.Annotate(err, "constructing service principal token")
	}

	azureConfig := &azureModelConfig{
		newCfg,
		token,
		subscriptionId,
		location,
		endpoint,
		storageEndpointURL.Host,
		storageAccount,
		storageAccountKey,
		storage.AccountType(storageAccountType),
		controllerResourceGroup,
	}

	return azureConfig, nil
}
// NewServicePrincipalTokenFromCredentials creates a new ServicePrincipalToken using values of the // passed credentials map. func NewServicePrincipalTokenFromCredentials(c map[string]string, scope string) (*azure.ServicePrincipalToken, error) { return azure.NewServicePrincipalToken(c["clientID"], c["clientSecret"], c["tenantID"], scope) }