method to get an access token with only curl and jq (without az cli) for remote pipelines #98

Closed
dejoost opened this issue Mar 30, 2023 · 10 comments

@dejoost

dejoost commented Mar 30, 2023

Is your feature request related to a problem? Please describe.
We have a Terraform Cloud setup with self-hosted runners and we don't want to install az cli on them. This goes for all teams running this on remote agents (e.g. GH Actions).

Describe the solution you'd like
Providing a token to access the IPAM engine without an az cli dependency, only curl & jq.

Additional context
code example:

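```bash
# Request a token with the OAuth2 client-credentials grant; --data-urlencode
# keeps special characters in the values (e.g. the secret) from corrupting the form body.
token=$(curl -s -X POST "https://login.microsoftonline.com/${tenantId}/oauth2/token" \
  --data-urlencode "client_id=${clientId}" \
  --data-urlencode "client_secret=${clientSecret}" \
  --data-urlencode "grant_type=client_credentials" \
  --data-urlencode "resource=${apiGuid}" \
  | jq -r .access_token)
```
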
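
A defensive wrapper for the `curl ... | jq -r .access_token` pattern above, added here as an example and not part of the original post or the Azure IPAM project: `jq -r .access_token` prints the literal string `null` when the endpoint returns an error body, so the functions below reject that case and sanity-check the token's `aud` and `exp` claims before it is used. The function names, the `api://example-ipam-engine` audience and the unsigned sample token are constructed for illustration; the expected audience is an assumption you replace with the value your API validates.

```sh
#!/bin/sh
# Added example; function names and sample values are constructed.
# Read the token endpoint's JSON reply on stdin and print the access token.
# Fails on an error body instead of handing the string "null" to later steps.
extract_token() {
  body=$(cat)
  if token=$(printf '%s' "$body" |
      jq -er '.access_token | strings | select(length > 0)' 2>/dev/null); then
    printf '%s\n' "$token"
  else
    msg=$(printf '%s' "$body" |
      jq -r '"\(.error // "unknown"): \(.error_description // "")"' 2>/dev/null) ||
      msg="non-JSON response"
    echo "token request failed: $msg" >&2
    return 1
  fi
}

# Decode the JWT payload (unpadded base64url) and print one claim.
# This decodes only; signature validation stays with the API.
jwt_claim() {
  payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#payload} % 4 )) in
    2) payload="$payload==" ;;
    3) payload="$payload=" ;;
  esac
  printf '%s' "$payload" | base64 -d 2>/dev/null | jq -er --arg c "$2" '.[$c]'
}

# Succeed only if the token names the expected audience and has not expired.
# $3 (current epoch seconds) is optional so the check can be tested offline.
check_token() {
  aud=$(jwt_claim "$1" aud) || { echo "no aud claim" >&2; return 1; }
  exp=$(jwt_claim "$1" exp) || { echo "no exp claim" >&2; return 1; }
  [ "$aud" = "$2" ] || { echo "unexpected audience: $aud" >&2; return 1; }
  [ "$exp" -gt "${3:-$(date +%s)}" ] || { echo "token expired" >&2; return 1; }
}

# Build an unsigned, constructed token ($1 = aud, $2 = exp) for the demo.
sample_token() {
  p=$(printf '{"aud":"%s","exp":%s}' "$1" "$2" | base64 | tr -d '=\n' | tr '/+' '_-')
  printf 'e30.%s.\n' "$p"
}

# Demo on constructed input; no network access is needed.
tok=$(sample_token "api://example-ipam-engine" 2000000000)
printf '{"access_token":"%s"}' "$tok" | extract_token >/dev/null &&
  check_token "$tok" "api://example-ipam-engine" && echo "token accepted"
printf '{"error":"invalid_client"}' | extract_token || echo "error body rejected"
```

In a pipeline, pipe the token endpoint's response into `extract_token` and stop the job on a non-zero status rather than passing an empty or `null` bearer value to the API.
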
@jeevanions

@DCMattyG We are also looking for something like this. We use Service principal for all automation and in our case we allocate IP address block. Would like to see how access can be granted to an SP which can get the token and reserve the IP address. Is this possible with the current implementation?

@DCMattyG
Contributor

Thank you @dejoost for the example above (and thank you @jeevanions for confirming the need here).

I'm just looking for some clarification on the desired outcome from this open issue. Would you like me to add an official "example" with the above mechanism of retrieving a token via API (cURL or some other mechanism)? If so, is this something you'd like to see in the official docs, the examples folder, or both?

Always appreciate the feedback, keep it coming!

@DCMattyG DCMattyG self-assigned this Mar 30, 2023
@jeevanions

@DCMattyG I have gone through the documentation, and it is possible to get the token through the CLI, but a user needs to use their credentials to sign in to the CLI first to get the access token. Is there something like a personal access token that we can generate from the IPAM application and use to fire the IP reservation endpoint? It would make things simple in our automation script.

@jeevanions

@DCMattyG I figured this out. We use an SP (we call it the master SP) to provision these App Regs. Though this SP is not allowed to access the frontend application, it can invoke the backend API.

Steps to do this

  1. Log in with the Azure CLI using the credentials for your SP.
  2. Get the resource URL from your app reg for the IPAM engine. You can find it here: App reg -> under Manage -> "Expose an API" -> Application ID URI.
  3. Then run this command: az account get-access-token --resource $resource_url | jq -r '.accessToken'
  4. Then use the access token to fire the IP reservation endpoint.

@DCMattyG
Contributor

Hi @jeevanions, I believe you have what you need for this particular issue (based on the above). Would it be alright if we closed this issue and added your provided steps to our public documentation for others to reference moving forward?

@DCMattyG DCMattyG added the documentation Improvements or additions to documentation label Apr 12, 2023
@jeevhub

jeevhub commented Apr 13, 2023

Yes, I have. Thank you.

@dejoost
Author

dejoost commented Apr 13, 2023

Sorry for the delayed response. I'm actually hinting at extending the Terraform provider to not only work with an access token but also accept a service principal ID and secret to authenticate against the API, similar to the azurerm provider (and equally support this through env variables):

```bash
export ARM_CLIENT_ID="00000000-0000-0000-0000-000000000000"
export ARM_CLIENT_SECRET="12345678-0000-0000-0000-000000000000"
export ARM_TENANT_ID="10000000-0000-0000-0000-000000000000"
export ARM_SUBSCRIPTION_ID="20000000-0000-0000-0000-000000000000"
```

see here for examples: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_client_secret

In the meantime it would not hurt to include examples for retrieving the token through az cli or the curl command I provided (PowerShell should also be possible instead of curl, didn't investigate that option though).

@DCMattyG
Contributor

@dejoost, there is a customer who is currently working on the "official" Terraform provider for Azure IPAM.

You can review the progress here

We'll work on integrating the finalized Terraform Provider into this project upon completion. Hopefully it will be ready to go relatively soon!

@DCMattyG
Contributor

And apologies @dejoost, I neglected to recognize that you were the one who created the issue, so definitely want to make sure you are satisfied before closing it out 😉

@DCMattyG
Contributor

As this issue is quite old now I'm going to close it out. Just for completeness the "official" Azure IPAM provider for Terraform is available to all and can be found here:

https://registry.terraform.io/providers/XtratusCloud/azureipam/latest/docs

We'll be adding some additional documentation with examples into the official Azure IPAM documentation in the near future as well.

Should you have any additional questions on this topic or need any additional support, please don't hesitate to re-open this issue or create a new one. We hope you're enjoying Azure IPAM!
