I cannot find any documentation on how to generate/renew the masterkey of CosmosDB for Read/Write or only for Read.
I can do it on Azure Portal, but I wish to do this with python or with a REST API.
For lot of ressource in Azure, we can use the Service Principal to generate a Token and then access other API. Like in Databricks.
curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' \
https://login.microsoftonline.com/${TENANT_ID}/oauth2/v2.0/token \
-d 'client_id=${CLIENT_ID}' \
-d 'grant_type=client_credentials' \
-d 'scope=2ff814a6-3304-4ab8-85cb-cd0e6f879c1d%2F.default' \
-d 'client_secret=${CLIENT_SECRET}'
With the scope=2ff814a6-3304-4ab8-85cb-cd0e6f879c1d%2F.default it will grant me access to Databricks API. https://vault.azure.net/.default is for Azure KeyVault. But I can't find anything for cosmos-DB
Any Idea on how to manage cosmosdb from a Service Principal?
Yes you can do this using the Python Azure Management Library for Cosmos DB.
Pip install these
azure-identity
azure-mgmt-resource==15.0.0
azure-mgmt-cosmosdb==6.4.0
azure-cosmos==4.2.0
Some samples that show you how to get started using this library here
The API article on how to regenerate a key is here
Related
We quite simply want to run a command to create an app registration within our Azure AD. It is a SPA and obviously we need to set a redirect URL to send users back to our app after they authenticate.
I tried
az ad app create --display-name appName --reply-urls '[{\"url\":\"http://localhost:3000\",\"type\":\"Spa\"}]',
but this fails with
Invalid value specified for property 'replyUrls' of resource 'Application'.
Seems like this would be a very common operation to perform, but I can not locate docs on achieving this. These are the az ad app create docs.
For anyone else who comes across this, this is the solution I came up with after trying to accomplish this in several different ways (Thanks for the mentioning az rest Gaurav Mantri).
I created the following bash script
create-app-registration.sh
#Create App Registration
response=$(az ad app create --display-name $appName)
#Get the ObjectId of the newly created app registration
objectId=$(echo $response| cut -d'/' -f 3)
# Update app for SPA redirect
az rest --method PATCH --uri 'https://graph.microsoft.com/v1.0/applications/'$objectId \
--headers 'Content-Type=application/json' \
--body '{"spa":{"redirectUris":["'$redirectUri'"]}}'
Thanks, #BryceBy. I did a quick test of your script and it worked well.
In my case, I need to get both app id and object id and create the scripts below.
clientid=$(az ad app create --display-name $appregname --query appId --output tsv)
objectid=$(az ad app show --id $clientid --query objectId --output tsv)
I working on AKS shared cluster, where have multiple teams are working on the same cluster and have their own ACR for each team.
I want to find ways to allow ACR to pull from specified namespace only.
Currently that I have though is an expensive way by
Using ACR premium tier to enable the scope-map feature, and create the token for authentication on pull secret.
Or someone did know how to pull an image from the service principal with the AcrPull role.
please tell me.
thank you.
I have found the solution without changing the ACR pricing tier, by using only the service principal to access the target ACR.
Solution
Create the service principal and assign AcrPull role.
After that, Create kubernetes secret into your namespace to pull image by ImagePullSecrets
kubectl create secret docker-registry <secret-name> \
--namespace <namespace> \
--docker-server=<container-registry-name>.azurecr.io \
--docker-username=<service-principal-ID> \
--docker-password=<service-principal-password>
reference
I am trying to create an Azure Key Vault but I am getting below error:
az keyvault create --location ${regionName} --name ${MyKeyVault} --resource-group ${resourceGroupName}
Error: (VaultAlreadyExists) The name 'check' is already in use.
Please help me write a code to check if the Key Vault name is avaialable.
There is no built-in CLI command to do this, your option is to use az rest call the REST API directly.
Sample:
az rest --method post --uri 'https://management.azure.com/subscriptions/<subscription-id>/providers/Microsoft.KeyVault/checkNameAvailability?api-version=2019-09-01' --headers 'Content-Type=application/json' --body '{"name": "joykeyvault","type": "Microsoft.KeyVault/vaults"}'
You can use Azure API to check that Keyvault name is valid and is not already in use.
https://learn.microsoft.com/en-us/rest/api/keyvault/vaults/checknameavailability
I'm trying to create a file share in Azure CLI command:
az storage share create --account-name storeactjan --name filesharejan --account-key key1
but having below error:
The server failed to authenticate the request. Make sure the value of
Authorization header is formed correctly including the signature.
ErrorCode: AuthenticationFailed AuthenticationFailedServer
failed to authenticate the request. Make sure the value of
Authorization header is formed correctly including the signature.
RequestId:42b399c2-701a-006f-4630-1d9aad000000
Time:2020-04-28T07:39:27.0899771ZThe
MAC signature found in the HTTP request
'QVn0bi79ZIhaO+LS3w/VzaiI5cAMfJiVRav6RbgfbtA=' is not the same as any
computed signature. Server used following string to sign: 'PUT'
You haven't the right format for the account-key argument.
Here is what you have to do according to the microsoft documentation ( https://learn.microsoft.com/en-us/azure/storage/files/storage-how-to-create-file-share?tabs=azure-cli ). For your information, I use CLI in PowerShell.
1) Retrieve the key with the right format
$key1 = az storage account keys list --account-name storeactjan --query "[0].value" | tr -d '"'
2) Create your file share
az storage share create --account-name storeactjan --name filesharejan --account-key $key1
Hope it will help you.
I will say, you can create arm template for the same and can call it.
PFB the link -
https://github.com/Azure/azure-quickstart-templates/tree/master/101-storage-file-share
Using Azure CLI, it is possible to generate a SAS Token easily:
SAS_TOKEN=$( \
az iot hub generate-sas-token \
--hub-name $IOT_HUB \
--device-id $DEVICE \
--query sas \
--output tsv)
I would like to generate the SAS token using curl, calling an Azure public API.
Is it possible?
There is no such API, the workaround is that you can use Azure Functions to generate an IoT SAS Token, then call Azure function using curl to get the SAS token.
Reference:
Using Azure Functions to generate an IoT SAS Token