This post has been republished via RSS; it originally appeared at: Microsoft Tech Community - Latest Blogs - .
This article describes how to perform a REST API request in Azure using RBAC authentication with Postman. I will use as example the Get Blob (REST API) request.
Please see below how to perform a REST API request in Azure using RBAC authentication:
- Open the Azure Portal and go to Azure Active Directory.
- On left side, please create a new App registration by clicking on App registration (left side bar) and then New registration. Fill in the Name and all the information required.
- Inside the new app:
- Click on Overview and and collect the Application (client) ID value, and the Directory (tenant) ID value.
- Clink on Certificates & secrets and create a New Client Secret. Please collect the client secret value.
- Open your storage account and go to Access Control (IAM) and assign to this App the RBAC role required to call any data access operation in Azure Storage. Please note the role assignment could take some time to take effect.
- For the example presented here (Get Blob request), we need to assign to the app need the following permission "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read". The Storage Blob Data Reader RBAC role is the least privileged built-in role with this permission. This information can be found here: Get Blob (REST API) - Azure Storage
- Open Postman and:
- Create a new request.
- Select the Authorization tab in the request builder window and:
- In the "Type" dropdown, select "OAuth 2.0"
- On the right side, please fill in the following fields:
- Token Name: A name of your choosing
- Grant Type: Client Credentials
- Access Token URL: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token where <tenant-id> is the Directory (tenant) ID value collected on step 3.1 above.
- Client ID: The Application (client) ID value collected on step 3.1 above.
- Client Secret: The client secret value collected on step 3.2 above.
- Scope: For storage, use https://storage.azure.com/.default
- Client Authentication: Send as Basic Auth Header.
- Click in "Get New Access Token" and collect the Access Token.
- To be able to execute the get blob request, we need to select the Headers tab in the request builder window and:
- Select the GET method request.
- Add the GET method request URI (https://myaccount.blob.core.windows.net/mycontainer/myblob)
- Add the header "Authorization" with the value "Bearer <token>" where <token> is the value generated on the step 5.2.7 above.
- Add at least the two required headers x-ms-date and x-ms-version.
- Execute the request.
- These steps are provided for the purpose of illustration only.
- These steps and any related information are provided "as is" without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.
- We grant You a nonexclusive, royalty-free right to use and modify the Steps and to reproduce and distribute the steps, provided that. You agree:
- to not use Our name, logo, or trademarks to market Your software product in which the steps are embedded;
- to include a valid copyright notice on Your software product in which the steps are embedded; and
- to indemnify, hold harmless, and defend Us and Our suppliers from and against any claims or lawsuits, including attorneys’ fees, that arise or result from the use or distribution of steps.