How to pass SAS url from function app to docker container deployed in AKS
I want this in automation because every time the new SAS url is creating when new changes made
I tried to reproduce the same in my environment to create default overview dashboard as group by type in Azure Portal :
Please follow the below steps to create a dashboard as a group type.
1.Go to Azure Portal > Click on the All resources button on the left sidebar > Select Pin blade
To check the created dashboard in Azure Portal.
Click on the "Dashboards" button on the left sidebar > under "Dashboard section" choose your dashboard, like below.
If you need only particular Resource Group, kindly follow the below steps.
Click on setting button and choose your resource group under resource group filter, like below.
Once modify the changes, it displays only Resource Group details.
Related
I am using Azure DevOps with a Microsoft Account (#outlook.com). The same account is co-administrator of 3 different Azure Subscriptions.
I am trying to create a new Service connection from my Azure DevOps Project to my newest Azure Subscription (out of the 3).
When I:
Go to my project's Project Settings view and click on the Service Connections tab.
Click on the 'New service connection' button.
Choose 'Azure Resource Manager' for the connection type.
Choose 'Service Principal (automatic)' authentication method.
I find that the drop-down list for Subscription is only showing my two older subscriptions and my newer subscription is missing, as shown here:
How can I get my third, newer, subscription to appear in the 'Subscription' list?
I've tried the following without success:
Made my Microsoft Account to be a 'Co-administrator' of the Azure Subscription.
Gave my Microsoft Account the 'Owner' Role for the Azure Subscription.
Added my Microsoft Account to the 'Global Administrators' group in Azure Active Directory.
Set 'Guest users permissions are limited' to 'No' in the In my Active Directory's External collaboration settings.
UPDATE: The subscription that's not shown in the list is currently a "free-tier" subscription whereas the 2 subscriptions that are shown are "pay-to-go". Could this be the reason for my problem?
This is what solved it for me:
Go to your MS Azure account.
Search and go to 'Tenant Properties'.
Click on Manage Security Defaults.
Turn these off
I can finally see my Azure Subscription in the Subscription list. I'm not 100% sure which step I took is responsible for fixing the issue so I'll list 2 things that I did:
In the Azure Portal I created a new App Registration, this time having the "Supported account types" setting set to "Accounts in any organizational directory ... and personal Microsoft account ...":
In PowerShell and using the AzureAD module I reset the Service Principal Key Credential:
a. Ran PowerShell (v5.1) "as Administrator".
b. Install-Module -Name AzureAD
c. Connect-AzureAD -TenantId <tenant-id-from-the-app-registration-overview>
b. New-AzureADServicePrincipalKeyCredential -ObjectId <object-id-from-the-managed-application-overview>
PS - The Subscription's being in the free-tier seems to be irrelevant to the issue.
You can try accessing DevOps in a private mode, it simply gets the existing subscription.
Not an exact answer to the OP's question, but I think it's related and maybe helpful to others. My issues was creating a new subscription and that subscription not showing up on the Subscriptions page.
Click on the "Directories + subscriptions" button in top right.
Open dropdown and ensure desired subscriptions are selected
Navigate to Subscriptions page and click on "Subscriptions == globalfilter" and selected desired subscriptions.
See if you have a "default subscription filter" set on the Portal Settings page. Seems to add one by default.
I solved the problem by deleting an old app registration with an expired certificate. I'm not sure about the link between the two, maybe it forced a refresh somewhere.
I am trying to link Azure Key Vault secrets to a variable group in Azure Pipelines (part in Azure DevOps). Microsoft documentation here.
However, the "Authorize" button does not seem to work. It spins endlessly. Screenshot.
My target Azure Key Vault already has the service principal included in its access policy with Get and List permissions. Screenshot.
Anyone seen this issue before?
This workaround also seems like a bug for Azure Key Vault deployments using ARM templates.
If the service principal in question is added to the Azure Key Vault (AKV) access policies through an ARM template by referencing the service principal's Object ID (as Microsoft documentation calls for), permission errors with Azure Pipelines follow.
However, if I manually add the service principal to the AKV's access policies by referencing the service principal's application (client) ID, the permissions errors go away entirely.
Again, feels like a bug. And now my automated deployment pipeline doesn't quite work because of this manual step.
Also, in the AKV ARM template, if I were to combine the mandatory field objectId with the optional field applicationId, the service principal shows up as a "compound identity". That does not fix the permissions issues in Azure Pipelines. I do not see a way of adding a service principal properly without doing it manually.
Firstly, please make sure the service connection is working correctly. Then refresh the page and try it again. Alternately you can also try in browser inprivate session.
Just as the message said "The specified Azure service connection needs to have "Get, List" secret management permissions on the selected key vault."
Basically, we need to click the "Authorize" button to enable Azure Pipelines to set these permissions for the specific service connection.
If that doesn't work, we can also manually set the permissions for the specific service connection.
Go to Project settings - > Service connections -> Select the
specific ARM service connection
Click Edit to popup the Update Authentication for xxx dialog
Click the "use the full version of the service connection dialog."
link, to get the Service principal client ID
Go to your key vault in Azure portal -> Access Policies -> Add a new
Access Policy -> Select a template (e.g Key&Secret Management) - >
Select Get, List for Secret permissions.
Click Select Principal -> Copy and paste the Service principal client ID
to search the user/application -> Select the searched
user/application
After that you can see the new APPLICATION access policy.
Try it again after successfully adding the application access policy.
UPDATE:
Generally in Azure DevOps we need to create a ARM service connection (the client which can access the azure sources) first before deploying an Azure Key Vault through an ARM template.
Actually when you select the Azure subscription then click Authorize in Azure resource group deployment task
, the ARM service connection is created automatically. You just need to check the AppID and get the ObjectID to use in the ARM template.
We can get the Service principal client ID (AppID) by following above steps. After that we can get ObjectId by the AppID with running the following command: (See Find service principal object ID using PowerShell for details.)
$(Get-AzureADServicePrincipal -Filter "AppId eq 'a89c3dee-f5bf-4ea1-a805-d4c729a4add3'").ObjectId
Then you can specific the ObjectId when deploying the Azure Key Vault through an ARM template.
I want to use a Azure Container Registry of a different account in a Build pipeline in Azure DevOps.
When I try to add a Docker Registry Service Connection and select Azure Container Registry, it only lets me choose between the subscription of the current account.
When I try to add the Azure Resource Manager of the Subscription of a different account which contains the Azure Container Registry in the Service Connections, it says it cannot find any Azure Container Registry.
So how do I accomplish this?
I have the same situation in which the Azure Container Registry (ACR) is in a different Azure AD from the Azure DevOps build pipelines.
I'll outline the steps I used:
Create an app registration in the Azure AD where the ACR exists.
Give it a name like myregistry-app
Go to the myregistry-app Certificates and secrets page and create a new secret. Copy the value as you cannot retrieve it later.
Also copy the myregistry-app application id. You can find it on the overview screen.
Now go to the ACR Access Control (IAM) screen for your container registry.
Add a role assignment and assign the myregistry-app identity the Contributor role.
Back in your build pipeline create a Docker task and click on the New button under the Container Registry section.
In the popup dialog Add a Docker Registry service connection choose the Others radio button.
Put in the URL to your ACR which you can find on the container registry overview page.
Use the application id for myregistry-app as the Docker ID.
Use the myregistry-app secret for the password.
This is currently working for me. There may be a better way
Currently im trying to create dynamic environments via AzureDevops.
One of these steps to achieve this is to take a copy of our production databases and place them in a temp resource group (Production Subscription) and then move the sql server and associated databases to our non-production subscription. From here we then create the web apps and deploy code.
When i run this via Az Cli i am able to move the resources with the following
SQLSERVERID=$(az resource show -g $RSGNAMETEMP -n $SQLSERVERNAME --resource-type "Microsoft.Sql/servers" --query id --output tsv)
az resource move --destination-group $RSGNAME --ids $SQLSERVERID --destination-subscription-id $SANDBOXSUBSCRIPTIONID
However when i run this via AzureDevops i get the following error
ERROR: The client (...) with object id (...) has permission to perform action on scope however, it does not have permission to perform action (...) on the linked scope(s).
I believe this problem is happening when you configure the AZ Cli step in AzureDevops you select the Subscription from the drop down list. The account / service principal only has access rights to that specific subscription and not to multiple. Is it possible to configure a service principal (that can be used in AzureDevops) that can connect to multiple subscriptions?
Yes, just go to Azure portal, navigate to the desired subscription blade, go to Access Control, press + sigh at the top and add your principal as a contributor to the subscription.
to find service principal name use this:
Click Manage link in the Azure Subscription field in your VSTS job, it will navigate you to a new blade. Click Manage Service Principal there. It will take you to the application page in Azure AD. After that you can copy name under Managed application in local directory field and use that name to grant it Key Vault permissions.
While using azure vmazure network public-ip create I have encountered following error:
error: The subscription is not registered to use namespace 'Microsoft.Network'.
I have added a namespace to active directory on azure portal. However I cannot figure out how to configure it in order to work. Can anyone help, please?
This is what helped me (through the Azure Portal).
Navigate to the Azure Portal
Under All Services, select Subscriptions
Select the subscription you are using
On the left menu, under Settings, select Resource Providers
Find the provider you need (Microsoft.Network) and click Register
I got these instructions from the following link.
https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-register-provider-errors#solution-3---azure-portal