
Access Azure PIM api in azure pipelines via service principal

I'm trying to call the Azure Privileged Identity Management API ( https://api.azrbac.mspim.azure.com/api/v2/privilegedAccess ) in an Azure pipeline. I have the following code to call the register method, but it is not working, and I can't figure out what is wrong. Let me show the code first:

install-module azureadpreview -Force
import-module azureadpreview

# Az context of the pipeline's service connection (the service principal behind the Azure PowerShell task)
$context = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext
# Each Authenticate() call mints a token for one resource; the last argument becomes the token's 'aud' claim
$graphToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.microsoft.com").AccessToken
$pimToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "<what do i enter here?>").AccessToken
$aadToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.windows.net").AccessToken

Connect-AzureAD -AadAccessToken $aadToken -AccountId $context.Account.Id -TenantId $context.tenant.id -MsAccessToken $graphToken

Write-Output "Create PIM role"
# Role-assignable security group; this is the object that is then registered with PIM
$Group = New-AzureADMSGroup -DisplayName "TestPIMGroup" -Description "TestForPim" -MailEnabled $false -SecurityEnabled $true -MailNickName "NOTUSED" -IsAssignableToRole $true

Write-Output "Test api call"
$Headers = @{
  "Accept" = "*/*"
  "Accept-Language" = "en"
  "Authorization" = "Bearer {0}" -f $pimToken
  "Content-Type" = "application/json"
}
$Body = @{
  externalId = $Group.Id
} | ConvertTo-Json
$URL = 'https://api.azrbac.mspim.azure.com/api/v2/privilegedAccess/aadGroups/resources/register'

Write-Output "Body: $Body"

# Log the headers with the bearer token redacted: pipeline logs are retained and readable by anyone with access to the run
$SafeHeaders = $Headers.Clone()
$SafeHeaders["Authorization"] = "Bearer <redacted>"
$HeaderJson = $SafeHeaders | ConvertTo-Json
Write-Output "Headers: $HeaderJson"

try {
  $QueryResponse = Invoke-RestMethod -Uri $URL -Headers $Headers -Method POST -Body $Body
}
catch {
  $_.Exception.Response
  # PowerShell 7 puts the error body in ErrorDetails; Windows PowerShell exposes the raw HttpWebResponse stream
  if ($_.ErrorDetails -and $_.ErrorDetails.Message) {
    $responseBody = $_.ErrorDetails.Message
  }
  else {
    $result = $_.Exception.Response.GetResponseStream()
    $reader = New-Object System.IO.StreamReader($result)
    $reader.BaseStream.Position = 0
    $reader.DiscardBufferedData()
    $responseBody = $reader.ReadToEnd()
  }
  $responseBody
  exit 1
}
$QueryResponse.value

So what I'm trying to accomplish is to create a PIM group and enable privileged access on it. The azureadpreview module has functionality to create a PIM group, so I use that. This works perfectly. The method of getting the token for the service principal I got from this post.

Now, to enable privileged access on it, I need to call the API directly, because there doesn't seem to be any PowerShell command for it. This is where things get tricky. The API call returns a 500 internal server error, with the only error in the body being "an error has occurred". So that doesn't really tell me anything. So I started investigating:

  • When I don't pass a token, I get an unauthorized exception.
  • When I pass nonsense as a token, I get an internal server error. So this pointed me in the direction that something is wrong with the token. I think there is something wrong with the audience tag in the token.
  • I tried all kinds of URLs in the token, which all give me a 500 as response.
  • I recorded the API call the browser did in the Azure portal when doing the same call. I read the token from this request, and it got me some GUID as aud. When I use this GUID, it gives me an Unauthorized response.

Can anyone help me with my situation?

answer restriction:

I need to be able to access the PIM API by reusing the service principal I'm already using in my Azure pipeline via my service connection. So I'm not looking for answers about creating certificates in Azure and authenticating using them.

Edit: Some background info:

The GUID you get from the token in the browser in the Azure portal should be correct.

But this API endpoint looks like it is not exposed for external usage.

We cannot generate an application token for this resource currently.

As you can see, there are several User Voice posts requesting this feature.

Keeping those posts voted up will be helpful.
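The question narrowed the failure down to the token's audience (401 with no token, 500 with a token for the wrong resource, 401 with the GUID seen in the portal's request), and the answer says no application token is issued for that resource at all. The check a practitioner would run before the POST is to decode the token they actually hold and look at its claims, so the audience, tenant and app-only vs delegated nature are visible locally instead of being inferred from an opaque 500. The following is an added example, not code from the original question or answer. It assumes the expected audience is the GUID read from the captured portal request, represented here by a placeholder; the sample tokens are constructed, unsigned (alg "none"), and the decoder deliberately does no signature validation, since it only inspects a token you already obtained.

```powershell
# Added example (not from the original post): decode a JWT's payload locally and
# compare its claims with what the PIM call needs. No network, no signature check.

function ConvertFrom-Base64Url {
    # Base64url (RFC 7515) to UTF-8 text: restore the standard alphabet and padding, then decode.
    param([Parameter(Mandatory)][string]$Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        2 { $s += '==' }
        3 { $s += '=' }
    }
    return [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    $b64 = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Text))
    return $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-JwtPayload {
    # Returns the payload claims of a compact JWS as a PSCustomObject. Signature is NOT verified.
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) {
        throw "Not a compact JWT: expected 3 dot-separated segments, got $($parts.Count)"
    }
    return (ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json)
}

function Test-TokenAudience {
    # Summarises the claims the PIM call depends on and flags an audience mismatch or expiry.
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$ExpectedAudience
    )
    $claims = ConvertFrom-JwtPayload -Token $Token
    $names  = $claims.PSObject.Properties.Name
    $aud    = if ($names -contains 'aud') { @($claims.aud) } else { @() }   # 'aud' may be a string or an array
    $expiry = if ($names -contains 'exp') { [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp) } else { $null }

    # Azure AD v1 tokens: delegated (user) tokens carry 'scp'; app-only tokens carry 'roles' and no 'scp'.
    $isAppOnly = ($names -notcontains 'scp')

    [pscustomobject]@{
        Audience        = $aud
        AudienceMatches = ($aud -contains $ExpectedAudience)
        TenantId        = $claims.tid
        AppId           = $claims.appid
        IsAppOnly       = $isAppOnly
        Expires         = $expiry
        Expired         = ($null -ne $expiry -and $expiry -lt [DateTimeOffset]::UtcNow)
    }
}

# --- Constructed sample tokens (unsigned, 'alg':'none', empty signature segment) ---
function New-SampleJwt {
    param([Parameter(Mandatory)][hashtable]$Claims)
    $header  = ConvertTo-Base64Url -Text '{"typ":"JWT","alg":"none"}'
    $payload = ConvertTo-Base64Url -Text ($Claims | ConvertTo-Json -Compress)
    return "$header.$payload."
}

# Placeholder (assumption): replace with the 'aud' GUID captured from the portal's request to the PIM API.
$pimAudience = '00000000-0000-0000-0000-00000000aaaa'
$tenant = '11111111-2222-3333-4444-555555555555'   # constructed tenant id
$spAppId = 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'  # constructed service principal app id
$future = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds()

# A Graph token minted for the service principal: wrong audience for the PIM call (the 500 path in the question)
$graphToken = New-SampleJwt -Claims @{ aud = 'https://graph.microsoft.com'; tid = $tenant; appid = $spAppId; roles = @('Group.ReadWrite.All', 'Directory.Read.All'); exp = $future }
# A token whose 'aud' matches the portal's GUID, but still app-only (no 'scp'), which the answer says is not issued in practice
$pimToken   = New-SampleJwt -Claims @{ aud = $pimAudience; tid = $tenant; appid = $spAppId; roles = @('user_impersonation'); exp = $future }

foreach ($t in @($graphToken, $pimToken)) {
    $report = Test-TokenAudience -Token $t -ExpectedAudience $pimAudience
    $report | Format-List
    if (-not $report.AudienceMatches) {
        Write-Warning "Token is for '$($report.Audience -join ',')', not for ${pimAudience}: do not send it to the PIM API"
    }
    elseif ($report.IsAppOnly) {
        Write-Warning "Audience matches but the token is app-only; the endpoint may still refuse it"
    }
}
```

Run this against the real `$pimToken` from the pipeline script (pass it to `Test-TokenAudience` in place of the constructed samples) to see which resource the `AuthenticationFactory` actually issued the token for. A mismatch on `Audience` explains the 500 without any further calls; an `AudienceMatches` of true with `IsAppOnly` true is the situation the answer describes, where the resource is correct but the service does not accept application tokens.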
