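This document provides reference material and sample scripts for testing purposes only. If you deploy to a production environment, do not use them as-is.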
Ø Get token
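Method 1 (via a service principal, i.e. SPN):
Please refer to the following document:
It contains very detailed steps, which are mostly carried out one at a time, that is, the script is split up and run step by step.
In it,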
Set-AzureRmContext -SubscriptionId $subscription.subscriptionId -TenantId $subscription.TenantID
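the TenantID in this step can be found in the portal under AAD -> Properties, as the Directory ID:
Next, change the "Assign the Contributor role to the service principal" step mentioned there so that it assigns the Reader role instead: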
New-AzureRmRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $app.ApplicationId.Guid
Contributor->reader
Also, note that the following two URLs need a small change:
1. If you use a third-party curl-like tool, in
[sourcecode language='bash']
curl --request POST "https://login.windows.net/[tennantid]/oauth2/token" --data-urlencode "resource=https://management.core.windows.net" --data-urlencode "client_id=[clientid]" --data-urlencode "grant_type=client_credentials" --data-urlencode "client_secret=[clientsecret]"
[/sourcecode]
change the login URL in this step to:
https://login.chinacloudapi.cn/common/oauth2/token
2. If you use PowerShell, in
[sourcecode language='powershell' ]
#Azure Authentication Token
#requires -Version 3
#SPN ClientId and Secret
$ClientID = "clientid" #ApplicationID
$ClientSecret = "ClientSecret" #key from Application
$tennantid = "TennantID"
# Token endpoint and the resource the token is requested for
$TokenEndpoint = {https://login.windows.net/{0}/oauth2/token} -f $tennantid
$ARMResource = "https://management.core.windows.net/";
# Form fields for the client_credentials grant
$Body = @{
    'resource'= $ARMResource
    'client_id' = $ClientID
    'grant_type' = 'client_credentials'
    'client_secret' = $ClientSecret
}
$params = @{
    ContentType = 'application/x-www-form-urlencoded'
    Headers = @{'accept'='application/json'}
    Body = $Body
    Method = 'Post'
    URI = $TokenEndpoint
}
$token = Invoke-RestMethod @params
# Show the access token and its expiry converted to local time
$token | select access_token, @{L='Expires';E={[timezone]::CurrentTimeZone.ToLocalTime(([datetime]'1/1/1970').AddSeconds($_.expires_on))}} | fl *
[/sourcecode]
in this step, change the URL in
$TokenEndpoint = {https://login.windows.net/{0}/oauth2/token} -f $tennantid
to https://login.chinacloudapi.cn/common/oauth2/token
The trailing -f $tennantid stays unchanged.
Change the $ARMResource = URL to:
https://management.chinacloudapi.cn/
=====================================================================================
Method 2 (AAD username and password):
Use the following function:
[sourcecode language='powershell' ]
## The get-token function obtains the security token for the application
function get-token {
    $username = "[email protected]"; ## subscription account
    $password = "xxxxx"; ## subscription password
    $client_id = "1950a258-227b-4e31-a9cf-717495945fc2"
    $resource = "https://management.chinacloudapi.cn/"
    ## Form fields for the password grant
    $creds = @{
        grant_type = "password"
        username = $username
        password = $password
        client_id = $client_id
        resource = $resource
    };
    $headers = $null
    try
    {
        $response = Invoke-RestMethod "https://login.chinacloudapi.cn/common/oauth2/token" -Method Post -Body $creds -Headers $headers;
        $token = $response.access_token;
        return $token;
    }
    catch
    {
        ## Read the error body returned by the token endpoint and print its error code
        $result = $_.Exception.Response.GetResponseStream();
        $reader = New-Object System.IO.StreamReader($result);
        $reader.BaseStream.Position = 0;
        $reader.DiscardBufferedData();
        $responseBody = $reader.ReadToEnd() | ConvertFrom-Json
        Write-Host "ERROR: $($responseBody.error)"
        return;
    }
}
$bearer = get-token
## Authorization header used for the REST calls below
$header = @{
    Authorization = "Bearer " + $bearer
}
[/sourcecode]
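An added example, not part of the original document: before calling the metric API, it is useful to confirm that the token returned by either method above was issued for the Azure China management endpoint and still has time left. The helper names (`ConvertFrom-Base64Url`, `Get-TokenClaims`, `Test-ArmToken`) and the sample token are constructed for illustration, and the check assumes the `aud` claim mirrors the requested resource; the token is only decoded, its signature is not verified.

```powershell
# Added example: inspect an Azure AD access token before using it.
# Helper names are hypothetical; the sample token at the bottom is constructed.
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    # JWT segments use the URL-safe alphabet and drop the '=' padding.
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        2 { $s += '==' }
        3 { $s += '=' }
        1 { throw 'Invalid base64url segment length.' }
    }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-TokenClaims {
    param([Parameter(Mandatory)][string]$AccessToken)
    $parts = $AccessToken.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a three-part JWT.' }
    # Decoding only: the signature segment is not verified here.
    ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
}

function Test-ArmToken {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [string]$ExpectedAudience = 'https://management.chinacloudapi.cn/',
        [int]$MinSecondsLeft = 300
    )
    $claims  = Get-TokenClaims $AccessToken
    $expires = [DateTimeOffset]::FromUnixTimeSeconds($claims.exp).UtcDateTime
    $left    = [int]($expires - [datetime]::UtcNow).TotalSeconds
    [pscustomobject]@{
        Audience    = $claims.aud
        AudienceOk  = (([string]$claims.aud).TrimEnd('/') -eq $ExpectedAudience.TrimEnd('/'))
        ExpiresUtc  = $expires
        SecondsLeft = $left
        Usable      = ($left -ge $MinSecondsLeft)
    }
}

# Constructed, unsigned sample token with fake values so the example runs offline.
$enc = { param($o)
    $json = $o | ConvertTo-Json -Compress
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($json)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$exp    = [DateTimeOffset]::UtcNow.AddMinutes(30).ToUnixTimeSeconds()
$sample = (& $enc @{alg='none';typ='JWT'}), (& $enc @{aud='https://management.chinacloudapi.cn/';exp=$exp}), 'sig' -join '.'
Test-ArmToken -AccessToken $sample | Format-List
```

With a real token, pass `$bearer` (Method 2) or `$token.access_token` (Method 1) as `-AccessToken`.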
======================================================================================
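Ø Use the token to get the required monitoring values from the metric API:
##How to
## Use PowerShell, or sign in to the portal and view the application gateway's properties, to get the virtual machine's resource URI, and replace the highlighted part of the command below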
$uri = "https://management.chinacloudapi.cn/<resource uri>/providers/microsoft.insights/metrics?api-version=2018-01-01&metricnames=TotalRequests"
## Call the REST API to get the virtual machine's historical status data
$result = Invoke-RestMethod -Method GET -Uri $uri -Headers $header -Body $null
## Print the virtual machine's historical status data
$result.value
## Example
Using the resource ID from my test environment as an example:
https://management.chinacloudapi.cn/subscriptions/test-fbfe-4f11-9af2-b81f0ee26453/resourceGroups/testresourcegroup-E/providers/Microsoft.Network/applicationGateways/TESTAPPGW/providers/microsoft.insights/metrics?api-version=2018-01-01&metricnames=TotalRequests
The highlighted part can be replaced with other metrics:
$result = Invoke-RestMethod -Method GET -Uri $uri -Headers $header -Body $null
$result.value