How to use Management certificate based authentica

Posted 2019-08-06 04:17

Question:

I am trying to get the usage and rate card information from Microsoft Azure using a Java application and I came to understand that I can use the Management certificate to authenticate for making calls to Microsoft Azure.

I got the Management Certificate from the .publishsettings file I got from here

However, in AuthenticationContext, I don't see any method that utilizes this certificate to get the access token required for making usage and rate API calls.

I tried referring to this answer, but I don't see any clients available for usage and rate card and the answer refers to ManagementClient, which isn't the one for my use case. I referred to this blog as well, which makes a reference to ClientAssertionCertificate, which I don't see in the Java library for ADAL.

NB: I am able to make REST API calls to Azure for getting usage and rate card information using the username, password & client ID based authentication mechanism, but I wanted to make use of this management certificate mechanism since the users of my application may not trust this application with their credentials and this certificate based mechanism seems easier to use from a user point of view.

Answer 1:

However, in AuthenticationContext, I don't see any method that utilizes this certificate to get the access token required for making usage and rate API calls.

I referred to this blog as well, which makes a reference to ClientAssertionCertificate, which I don't see in the Java library for ADAL.

As Gaurav said, we can only call the Usage & Rate Card API using Azure Active Directory for authentication. You can use AuthenticationContext to acquire the access_token with the following code. You need to provide the client ID and client secret (key).

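import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import javax.naming.ServiceUnavailableException;
import com.microsoft.aad.adal4j.AuthenticationContext;
import com.microsoft.aad.adal4j.AuthenticationResult;
import com.microsoft.aad.adal4j.ClientCredential;

// authority, tenant, clientId and clientSecret are fields of the enclosing class.
private AuthenticationResult getAccessTokenFromClientCredentials()
        throws Throwable {
    AuthenticationContext context = null;
    AuthenticationResult result = null;
    ExecutorService service = null;
    try {
        service = Executors.newFixedThreadPool(1);
        context = new AuthenticationContext(authority + tenant + "/", true,
                service);
        // Token audience: Azure Resource Manager, which hosts the
        // Usage & Rate Card APIs.
        Future<AuthenticationResult> future = context.acquireToken(
                "https://management.azure.com/", new ClientCredential(clientId,
                        clientSecret), null);
        result = future.get();
    } catch (ExecutionException e) {
        // Surface the underlying authentication failure to the caller.
        throw e.getCause();
    } finally {
        // Guard against the executor never having been created.
        if (service != null) {
            service.shutdown();
        }
    }

    if (result == null) {
        throw new ServiceUnavailableException(
                "authentication result was null");
    }
    return result;
}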

NB: I am able to make REST API calls to Azure for getting usage and rate card information using the username, password & client ID based authentication mechanism,.....

It seems that we can't use the management certificate mechanism to call the Usage & Rate Card API, because the calling user or the service principal is a member of the Owner, Contributor or Reader role in the Azure AD tenant for the requested subscription (see this document). I recommend you refer to this document about how to authenticate Azure Resource Management.



Answer 2:

The simple answer is you can't use a management certificate to consume the Billing API. The Billing APIs are essentially part of the newer APIs that make use of Azure AD tokens.

Management certificates can only be used for Service Management APIs.
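
Added example, not part of either answer: ADAL4J exposes certificate credentials through AsymmetricKeyCredential, so a service principal can obtain the Azure AD token both answers call for without a user password or client secret, then call the usage endpoint with it. It assumes an app registration whose certificate is uploaded to Azure AD and which holds the Reader role on the subscription; the IDs, the PFX path argument, the PFX_PASSWORD variable and the dates are placeholders.

```java
import com.microsoft.aad.adal4j.AsymmetricKeyCredential;
import com.microsoft.aad.adal4j.AuthenticationContext;
import com.microsoft.aad.adal4j.AuthenticationResult;
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Scanner;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class UsageWithCertificate {
    // Placeholders (assumptions): substitute your own tenant, app and subscription.
    static final String TENANT = "<tenant-id>";
    static final String CLIENT_ID = "<application-id>";
    static final String SUBSCRIPTION = "<subscription-id>";
    static final String ARM = "https://management.azure.com/";

    public static void main(String[] args) throws Exception {
        String pfxPassword = System.getenv("PFX_PASSWORD"); // hypothetical variable name
        if (args.length != 1 || pfxPassword == null) {
            throw new IllegalArgumentException("usage: <app.pfx>, with PFX_PASSWORD set");
        }
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try (InputStream pfx = new FileInputStream(args[0])) {
            // The private key never leaves this process; ADAL sends a signed assertion.
            AsymmetricKeyCredential cred =
                    AsymmetricKeyCredential.create(CLIENT_ID, pfx, pfxPassword);
            AuthenticationContext ctx = new AuthenticationContext(
                    "https://login.microsoftonline.com/" + TENANT + "/", true, pool);
            // The token must be issued for Azure Resource Manager.
            AuthenticationResult token = ctx.acquireToken(ARM, cred, null).get();

            // Constructed one-day reporting window, URL-encoded.
            URL url = new URL(ARM + "subscriptions/" + SUBSCRIPTION
                    + "/providers/Microsoft.Commerce/UsageAggregates"
                    + "?api-version=2015-06-01-preview"
                    + "&reportedStartTime=2019-07-01T00%3a00%3a00%2b00%3a00"
                    + "&reportedEndTime=2019-07-02T00%3a00%3a00%2b00%3a00");
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.setRequestProperty("Authorization", "Bearer " + token.getAccessToken());
            int status = conn.getResponseCode();
            InputStream body = status < 400 ? conn.getInputStream() : conn.getErrorStream();
            try (Scanner s = new Scanner(body, "UTF-8").useDelimiter("\\A")) {
                System.out.println(status + " " + (s.hasNext() ? s.next() : ""));
            }
        } finally {
            pool.shutdown();
        }
    }
}
```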