# README
maz
This is a Go library package module for managing Microsoft Azure resource and security objects. Please review https://que.tips/azure/ to better understand what is meant here by resource and security objects. Essentially this is a library that provides basic MSAL authentication and token creation to allow principals to call the two primary Azure APIs, the Azure Resource Managment (ARM) API and the MS Graph API. Other APIs could be added in the future.
Getting Started
- Any program wanting to use this library module can simply import it, then instantiate a variable
of type
maz.Bundleto manage the interaction. For example:
import (
"github.com/queone/maz"
)
z := maz.Bundle{
ConfDir: "", // Set up later, see example below
CredsFile: "credentials.yaml",
TokenFile: "accessTokens.json",
TenantId: "",
ClientId: "",
ClientSecret: "",
Interactive: false,
Username: "",
AuthorityUrl: "", // Set up later with maz.ConstAuthUrl + z.TenantId (see const block in maz.go)
MgToken: "", // Set up below 4 later with function maz.SetupApiTokens()
MgHeaders: map[string]string{},
AzToken: "",
AzHeaders: map[string]string{},
}
// Then update the variables within the Bundle, to set up configuration directory
z.ConfDir = filepath.Join(os.Getenv("HOME"), "." + prgname)
if utl.FileNotExist(z.ConfDir) {
if err := os.Mkdir(z.ConfDir, 0700); err != nil {
panic(err.Error())
}
}
- Then call
maz.SetupInterativeLogin(z)ormaz.SetupAutomatedLogin(z)to setup the credentials file accordingly. - Then call
z := maz.SetupApiTokens(*z)to acquire the respective API tokens, web headers, and other variables. - Now call whatever MS Graph and Azure Resource API functions you want by passing and using the
zvariables, with itsz.mgHeadersand/orz.azHeadersattributes, and so on.
Login Credentials
There are four (4) different ways to set up the login credentials to use this library module. All four ways required three (3) special attributes:
| # | Type | Method | Details |
|---|---|---|---|
| 1 | Interactive | Config file | Set up attributes via ~/.maz/credentials.yaml file |
| 2 | Interactive | Environment variables | Set up attributes via environment variables (OVERIDES config file) |
| 3 | Automated | Config file | Set up attributes via ~/.maz/credentials.yaml file |
| 4 | Automated | Environment variables | Set up attributes via environment variables (OVERIDES config file) |
- Interactive via config file: The calling utility sets up a way to allow setting up the
~/.maz/credentials.yamlfile with the 3 special attributes. For example, the azm CLI utility does this via the-idswitch, to Set up MSAL interactive browser popup login:
Above will populate theazm -id 3f050090-20b0-40a0-a060-c05060104010 [email protected]~/.maz/credentials.yamlfile as follows:
From then on thetenant_id: 3f050090-20b0-40a0-a060-c05060104010 username: [email protected] interactive: trueazmutility will use above credentials to interact with themazlibrary to perform all its functions. - Interactive via environment variables: The calling utility will instead use the
os.Getenv("VAR")function to look for the following 3 special environment variables:
Above values take precedence and OVERIDE any existing configMAZ_TENANT_ID=3f050090-20b0-40a0-a060-c05060104010 [email protected] MAZ_INTERACTIVE=true~/.maz/credentials.yamlfile values. - Automated via config file: The calling utility sets up a way to allow setting up the
~/.maz/credentials.yamlfile with the 3 special attributes. For example, the azm CLI utility does this via the-idswitch, to Set up MSAL automated ClientId + Secret login:
Above will populate theazm -id 3f050090-20b0-40a0-a060-c05060104010 f1110121-7111-4171-a181-e1614131e181 ACB8c~HdLejfQGiHeI9LUKgNOODPQRISNTmVLX_i~/.maz/credentials.yamlfile as follows:
From then on thetenant_id: 3f050090-20b0-40a0-a060-c05060104010 client_id: f1110121-7111-4171-a181-e1614131e181 client_secret: ACB8c~HdLejfQGiHeI9LUKgNOODPQRISNTmVLX_iazmutility will use above credentials to interact with themazlibrary to perform all its functions. - Automated via environment variables: The calling utility will instead use the
os.Getenv("VAR")function to look for the following 3 special environment variables
Above values take precedence and OVERIDE any existing configMAZ_TENANT_ID=3f050090-20b0-40a0-a060-c05060104010 MAZ_CLIENT_ID=f1110121-7111-4171-a181-e1614131e181 MAZ_CLIENT_SECRET=ACB8c~HdLejfQGiHeI9LUKgNOODPQRISNTmVLX_i~/.maz/credentials.yamlfile values.
The benefit of using environment variables is to be able to override an existing credentials.yaml file, and to specify different credentials, as well as being able to use different credentials from different shell sessions on the same host. They also allow utilities written with this library to be used in continuous delivery and other types of automation.
NOTE: If all four MAZ_USERNAME, MAZ_INTERACTIVE, MAZ_CLIENT_ID, and MAZ_CLIENT_SECRET are properly define, then precedence is given to the Username Interactive login. To force a ClientID ClientSecret login via environment variables, you must ensure the first two are unset in the current shell.
Functions
TODO: List of all available functions?
- maz.SetupInterativeLogin: This functions allows you to set up the
~/.maz/credentials.yamlfile for interactive Azure login. - ...
# Functions
Creates/adds a secret to the given application.
Creates/adds a secret to the given SP.
Returns count of Azure AD directory role entries in current tenant.
Returns count of Azure AD directory role entries in local cache file.
Makes API calls and returns JSON object, Response StatusCode, and error.
ApiCall alias to do a DELETE.
ApiCall alias to do a DELETE with debugging on.
Prints useful error information if they occur.
ApiCall alias to do a GET.
ApiCall alias to do a GET with debugging on.
ApiCall alias to do a POST.
ApiCall alias to do a POST with debugging on.
ApiCall alias to do a PUT.
ApiCall alias to do a PUT with debugging on.
Retrieves count of all applications in Azure tenant.
Retrieves count of all applications in local cache file.
Compares specification file to what is in Azure.
Creates an RBAC role assignment as defined by give x object.
Creates specfile skeleton/scaffold files.
Decode and dump token string, trusting without formaly verification and validation.
Deletes object based on string specifier (currently only supports roleDefinitions or Assignments) String specifier can be either of 3: UUID, specfile, or displaName (only for roleDefinition) 1) Search Azure by given identifier; 2) Grab object's Fully Qualified Id string; 3) Print and prompt for confirmation; 4) Delete or abort.
Deletes an RBAC role assignment by its fully qualified object Id Example of a fully qualified Id string (note it's one long line):
/providers/Microsoft.Management/managementGroups/33550b0b-2929-4b4b-adad-cccc66664444 \ /providers/Microsoft.Authorization/roleAssignments/5d586a7b-3f4b-4b5c-844a-3fa8efe49ab3.
Deletes an RBAC role definition object by its fully qualified object Id Example of a fully qualified Id string:
"/providers/Microsoft.Authorization/roleDefinitions/50a6ff7c-3ac5-4acc-b4f4-9a43aee0c80f".
Compares two list of strings and returns added and removed items, and whether or not the lists are the same.
Prints differences between role definition in Specfile (a) vs what is in Azure (b).
Dumps configured login values.
Returns list of Azure objects with this UUID.
Gets Azure AD role definition by Object UUID, with all attributes.
Gets all directory role definitions from Azure and sync to local cache.
Returns all Azure pages for given API URL call.
Gets application by its Object UUID or by its appId, with all attributes.
Gets all applications from Azure and sync to local cache.
Gets Azure AD group by Object UUID, with all attributes.
Gets all groups from Azure and sync to local cache.
Gets all management groups in current Azure tenant, and saves them to local cache file.
Retrieves Azure object by Object UUID.
Generic Azure object deltaSet retriever function.
Gets all scopes in the Azure tenant RBAC hierarchy: Tenant Root Group and all management groups, plus all subscription scopes.
Gets Azure resource RBAC role assignment object by matching given objects: roleId, principalId, and scope (the 3 parameters which make a role assignment unique).
Gets RBAC role assignment by its Object UUID.
Gets all role assignments objects in current Azure tenant and save them to local cache file.
Gets role definition by displayName See https://learn.microsoft.com/en-us/rest/api/authorization/role-definitions/list.
Gets role definition object if it exists exactly as x object (as per essential attributes).
Gets role definition by Object Id.
Gets all role definitions in current Azure tenant and save them to local cache file Option to be verbose (true) or quiet (false), since it can take a while.
Gets service principal by its Object UUID or by its appId, with all attributes.
Gets all service principals from Azure and sync to local cache.
Gets specific Azure subscription by Object UUID.
Gets all subscription in current Azure tenant, and saves them to local cache file.
Gets all subscription full IDs, i.e.
Gets Azure user object by Object UUID, with all attributes.
Gets all users from Azure and sync to local cache.
Retrieves locally cached list of objects in given cache file.
Returns an id:name map of all applications.
Returns id:name map of all groups.
Returns id:name map of management groups.
Returns id:name map of all RBAC role definitions.
Returns an id:name map of all service principals.
Returns id:name map of all subscriptions.
Returns an id:name map of all users.
Gets all AD roles matching on 'filter'.
Gets all applications matching on 'filter'.
Gets all groups matching on 'filter'.
Gets all Azure management groups matching on 'filter'.
Gets all RBAC role assignments matching on 'filter'.
Gets all role definitions matching on 'filter'.
Gets all service principals matching on 'filter'.
Gets all Azure subscriptions matching on 'filter'.
Gets all users matching on 'filter'.
Returns 3 values: File format type, single-letter object type, and the object itself.
Generic function to get objects of type t whose attributes match on filter.
Initiates an Azure JWT token acquisition with provided parameters, using a Client ID plus a Client Secret.
Initiates an Azure JWT token acquisition with provided parameters, using a Username and a browser pop up window.
Returns number of group object entries in Azure tenant.
Returns number of group object entries in local cache file.
Returns count of management groups in Azure.
Returns count of management group objects in local cache file.
Returns ARM object type based on long string.
Builds JSON mergeSet from deltaSet, and builds and returns the list of deleted IDs.
Prints Azure AD role definition object in YAML-like format.
Prints API error messages in 2 parts separated by a newline: A header, then a JSON byte slice.
Prints application object in YAML-like format.
Prints appRoleAssignments for other types of objects (Users and Groups).
Prints appRoleAssignments for given service principal (SP).
Prints certificate list stanza for Apps and Sps.
Prints a status count of all AZ and MG objects that are in Azure, and the local files.
Print group object in YAML-like format.
Prints HTTP headers specific to API calls.
Prints all objects that match on given specifier.
Prints all memberOf entries.
Recursively print management groups and all its children MGs and subscriptions.
Prints management group object in YAML-like format.
Gets current tenant management group tree, and recursively calls function PrintMgChildren() to print the hierarchy.
Generic print object function.
Prints object by given UUID.
Print owners stanza for Apps and Sps.
Lists all cached Privileged Access Groups (PAGs).
Prints HTTP parameters specific to API calls.
Prints RBAC role definition object in YAML-like format.
Prints a human-readable report of all RBAC role assignments.
Prints role definition object in a YAML-like format.
Prints secret list stanza for App and SP objects.
Prints service principal object in YAML-like format.
Prints string map in YAML-like format, sorted, and in color.
Prints subscription object in YAML-like format.
Prints this single object of type 't' tersely, with minimal attributes.
Prints user object in YAML-like format.
Removes a secret from the given application.
Removes specified cache file.
Removes a secret from the given SP.
Calculates count of all role assignment objects in Azure.
Retrieves count of all role assignment objects in local cache file.
Counts all role definition in Azure.
Dedicated role definition local cache counter able to discern if role is custom to native tenant or it's an Azure BuilIn role.
Selects JSON object with given ID from slice.
Initializes the necessary global variables, acquires all API tokens, and sets them up for use.
Sets up credentials file for client_id + secret login.
Gets credentials from OS environment variables (which take precedence), or from the credentials file.
Sets up credentials file for interactive login.
Retrieves counts of all SPs in this Azure tenant, 2 values: Native ones to this tenant, and all others.
Retrieves counts of all SPs in local cache, 2 values: Native ones to this tenant, and all others.
Returns count of all subscriptions in current Azure tenant.
Returns count of all subscriptions in local cache file.
Does a very basic validation of the JWT token as defined in https://tools.ietf.org/html/rfc7519.
Creates or updates a role definition or assignment based on given specfile.
Creates or updates an RBAC role definition as defined by give x object.
Returns the number of entries in Azure tenant.
Returns the number of entries in local cache file.
# Constants
No description provided by the author
One day.
'Microsoft Azure PowerShell' ClientId.
No description provided by the author
See https://stackoverflow.com/questions/1508490/erase-the-current-printed-console-line.
Half hour.
No description provided by the author