Has anybody created MikroTik script to update Azure DNS record?
It needs to curl visits:
Also question is, how to detect public IP address change and then run the script, not to use schedule (I am trying to set up alternative to /ip cloud)
On forum are dozen of examples about dyndns, no-ip and others.
All questions are already explained for the others.
What change between all methods is only the url…
Sorry, but I do not see that DynDNS and others, uses such a OAuth2 authentication method with code flow, if you can reference a link?
Thank you
Not sure see anyone use /tool/fetch with OAuth2, perhaps possible but be pretty complex since a browser is usually involved.
If you using version 7, client certificates may be an option.
In V7, the allow client-certificate on /tool/fetch. This allow the Mikrotik to talk to cloud services like Azure (or AWS). Basically you’d use a certificate on the Mikrotik to access Azure, instead of OAuth2. You don’t strictly need the IoT extra-package, but you’d can follow Mikrotik’s directions on how to get a Azure cert: https://help.mikrotik.com/docs/display/UM/MQTT+and+Azure+configuration.
You technically don’t need to use MQTT and the IoT package. Once the certificate is install and the IoT device is in Azure, you can call their API (assuming an ACL allows it on the Azure side) using /tool/fetch. The AWS IoT example has a good HTTP /tool/fetch script that shows the usage of a client certificate (and be similar to Azure):
https://help.mikrotik.com/docs/pages/viewpage.action?pageId=63045633#heading-HTTPSpostwithascript
While not required, you could just install the IoT extra-package, imagine Azure has rules that can take a MQTT message to create an DNS record. And Mikrotik IoT MQTT makes it pretty easy to send a message to Azure – then on the Azure side you should be able to do the DNS record creation/update stuff.
Either HTTP or MQTT with a certificate won’t not require you re-authenticate… Since the issue with OAuth2 is in a Mikrotik scheduled script, is you may not be there to provide the need password in the OAuth2 flow – the tokens issued by OAuth2 have an expiration date.
Updating Azure DNS servise is simple HTTP query, but it has to have Authorization barer token in headers.
To obtain token, i need to use client id + secret. Instead secret client certificate is also possible. It is called OAuth2 code flow.
I do not need to involve IOT / MQTT etc.
So, did somebody maybe wrote a script to authenticate with Azure and then do some Azure change (like Azure DNS) using /tool/fetch ?
Tx
I’m not the Azure expert, only using MS for Office365. And did not see anyone using Azure REST on the forums yet…
I know AWS pretty well, so thought cert approach work. But with Azure, they do want use OAuth2 – and don’t seem to support X509 certs. And, now it make sense why Mikrotik does NOT have an HTTP example for Azure, but does have an HTTP example for AWS: OAuth2 using /tool/fetch be pretty complex.
But it really comes down to how MS is using OAuth2 that matters. In theory you can use your PC to do the OAuth to generate the needed token. But the issue is OAuth2 tokens typically expire, sometime hours, generally days/months. Similar why using Let’s Encrypt was difficult to use on a Mikrotik before V7 added direct support for it.
I couldn’t find out when the Azure’s OAuth tokens expire… But there docs on how generate one with curl, should be pretty close with fetch, so you could try:
https://docs.microsoft.com/en-us/rest/api/azure/#how-to-call-azure-rest-apis-with-curl
You have to pay attention that the content is JSON, but the headers follow the HTTP form with colons.
With this posting having more details:
https://mauridb.medium.com/calling-azure-rest-api-via-curl-eb10a06127
Sure you have reasons for using Azure, but I’ll offer with AWS Route53, the approach with X509 client certs on V7 to call AWS APIs is pretty straightforward. Basically you follow Mikrotik’s IoT instruction. It doesn’t matter if you use MQTT, it the IoT Core certificate issue by AWS to the Mikrotik that’s what critical. So it’s just attaching the right ACL in AWS IAM to IoT certificate issue to the Mikrotik that allow calling the AWS Route53 DNS REST API. The the /tool/fetch on the Mikrotik is pretty simple, just use “certificate=” in /tool/fetch. While certs expired, in AWS you control how long you want the IoT one to be valid for.
Basically getting X509 cert isn’t always easy. But using them is pretty easy. It just wasn’t possible to use X509 client cert auth on Mikrotik before V7.1.
But yeah the AWS approach will not work for Azure it seems. Google Cloud seems to have same issue but no solution either: http://forum.mikrotik.com/t/any-way-to-connect-mts-iot-mqtt-to-google-iot-core-like-its-done-for-aws-azure/154037/1
Azure AD supports OAuth2 with secret OR certificate.
So, you say that now RouterOS also supports sending certificate, which is great.
Yup, V7 supports certificates (x509 auth) using /tool/fetch. But typically that’s different than OAuth2… But IF Azure had a way to get you a X.509 certificate for the Mikrotik ( and the certificate was authorized to access DNS), you’d be pretty set to do this. But you may have to use OAuth2 on Windows/PowerShell to be able to generate a certificate first. Just dunno enough about Azure to help beyond that.