Azure VM command fails with no credential error - linux

I am running a command from the azure CLI to execute a script on a linux VM running in Azure.
The command looks like this:
az vm run-command invoke --command-id RunShellScript --name <\VMName> --resource-group <\RGName> --scripts "curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash"
The script installs azure CLI on the VM.
The command results into error:
Could not retrieve credential from local cache for service principal 0cf4e5cf-de8f-4524-8be6-5e2exxxxxx. Please run 'az login' for this service principal.
Can someone help me understand the problem here.
When I run the command without the piped sudo, the command works fine.

I tried to reproduce the same in my environment I got the same error as below
az vm run-command invoke --command-id RunShellScript --name <\VMName> --resource-group <\RGName> --scripts "curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash"
This error may occur if you are not using latest version, please check your version like below and try to update your version:
az version
Also, I have tried logging in with my service principal in Azure CLI and tried running the command to install azure-cli inside the VM and it run successfully.
az login --service principal -u <AppID> -p <secret> --tenant <TenantID>
You can also install latest version locally by using this MsDocs
Reference:
Azure CLI GitHub Action fails with Azure CLI 2.30.0: Could not retrieve credential from local cache for service principal · Issue #20154 · Azure/azure-cli · GitHub

Related

Azure VM run-command fails with piped commands

I am trying to install Azure CLI on an ubuntu VM running in Azure.
I am using the run-command cli operation to execute the command
az vm run-command invoke --command-id RunShellScript --name trainingVM-1 --resource-group azure-privsec --scripts "curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash"
When running a non-piped command, the command works fine but when I run the above piped command to install azure-cli, it fails with the error:
Could not retrieve credential from local cache for service principal 8bf34d22-7230-47e7-907e-e0df201xxxxx. Please run 'az login' for this service principal.
One of the reasons could be that I am using an old version of Azure cli(2.29.2). For now, I dont have the leverage to upgrade the azure-cli version.
What can be the best way to install azure-cli on my VM using the run-command cli call.
Edit:
Splitting into two commands like this works for me but I am still trying to see if we can consolidate it into a single command:
az vm run-command invoke --command-id RunShellScript --name trainingVM-1 --resource-group azure-privsec --scripts "wget -O /tmp/file.sh https://aka.ms/InstallAzureCLIDeb"
az vm run-command invoke --command-id RunShellScript --name trainingVM-1 --resource-group azure-privsec --scripts "sudo bash /tmp/file.sh"
Tested in Azure PowerShell and Azure DevOps pipeline, your first Azure VM run-command run successfully.
Use Azure PowerShell, I can run this command directly without any issue.
Use Azure CLI task in the DevOps pipeline and use a Microsoft-hosted agent.
Please ensure that the service principal corresponding to the Azure Resource Manager connection(Service Connection) has sufficient permission for your Azure VM, such as owner or contributor permissions.
Then I can see the command run successfully.
There are some docs for your reference:
Manage service connections
Connect to Microsoft Azure

Custom Script Extension failing on Virtual Scale Set upgrade

I have created an Azure virtual scaleset with Linux VMs. I have to run Azure CLI commands via release pipelines on these VMs so I am trying to install a Azure CLI using Custom Extensions so that every time a new VM is up CLI is installed on the VM.
I have created a .sh file with below command on blob storage :
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
I ran below command on from the CLI to deploy the custom extension :
az vmss extension set --vmss-name <VMSS Name> --resource-group <Resource Group> --name CustomScript --version 2.0 --publisher Microsoft.Azure.Extensions --settings '{"FileUris": ["https://<Blobscriptpath>/preinstallscript.sh"],"commandToExecute": "bash /preinstallscript.sh"}'
This command is installing the extension and I can see that on Azure but when I am upgrading the VM instance I am getting below error:
"Failed to upgrade virtual machine instance ''. Error: Multiple VM extensions failed to be provisioned on the VM. Please see the VM extension instance view for other failures. The first extension failed due to the error: VM has reported a failure when processing extension 'CustomScript'. Error message: "Enable failed: failed to get configuration: json validation error: invalid public settings JSON: FileUris: Additional property FileUris is not allowed""
Below are the images from Azure Portal showing the Extension:
Please suggest if I am missing something.
According to the error message, Additional property FileUris is not allowed, you should use fileUris instead of FileUris. Read the Property values.
Also, If the blob is not public, you need to provide the storage account name and key to access the blob. For example, you can provide a .sh file on the blob storage.
#!/bin/bash
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
and deploy the custom extension with CLI.
az vmss extension set --vmss-name <VMSS Name> --resource-group <Resource Group> --name CustomScript --version 2.0 --publisher Microsoft.Azure.Extensions --settings '{"fileUris": ["https://xxx.blob.core.windows.net/shscripts/preinstallscript.sh"],"commandToExecute": "sh preinstallscript.sh"}'
Edit
After installing the VMSS, you can upgrade the VMSS instance to take this script effect.

Azure Subscription can't be found when I sign into Azure via Dockerized env

I have a strange situation where when I use a local powershell script in my visual studio project that logs in using a service principal and then is able to associate a specific subscription.
#login with service principal
az login --service-principal --username $APPLICATION_CLIENT_ID --password $SECRET --tenant $TENANT --allow-no-subscriptions
#set the subscription we want to use
az account set --subscription $SUBSCRIPTION_ID
and i'm able to create resource groups etc, once I've picked the right subscription.
Now I need to do the same thing in a Dockerized environment.
admins:~ admin$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
9e507c6639a1 mcr.microsoft.com/dotnet/core/sdk:3.1 "bash" 2 days ago Up 2 days adoring_goodall
I login into the container and I run these commands:
curl -sL https://aka.ms/InstallAzureCLIDeb | bash
apt-get install curl && curl -sL https://deb.nodesource.com/setup_12.x | bash -
apt-get install nodejs
npm install -g azure-functions-core-tools#3 --unsafe-perm true
az login --service-principal -u $APPLICATION_ID -p $SECRET --tenant $TENANT_ID --allow-no-subscriptions
This works just fine. Output I get back from the login is identical to output from my local workstation via powershell.
PS /usr/share/powershell> az login --service-principal --username $AZ_APPLICATION_CLIENT_ID --password $AZ_SECRET --tenant $TENANT --allow-no-subscriptions
{
"cloudName": "AzureCloud",
"id": "<tenantId>",
"isDefault": true,
"name": "N/A(tenant level account)",
"state": "Enabled",
"tenantId": "<tenantID>",
"user": {
"name": "<ApplicationClientID>",
"type": "servicePrincipal"
}
}
But when I try to associate the subscription, I get the following error message:
The subscription of '<subscription ID>' doesn't exist in cloud 'AzureCloud'
I've even gone ahead and install powershell on the docker container just so i can copy paste from my local ps script into the docker env. But I'm getting the same results.
Any tips?
Edit 1
In the docker container, I ran "az login"... and went ahead and authenticated my "device" at https://microsoft.com/devicelogin
Once I did that, all the commands listed above in my question started working the same way in the docker environment as it does on the actual local workstation.
I thought the idea behind creating a service principal was to avoid the "interactive" steps needed to use the az cli. how can i set things up so that when i deploy my azure function app via a script, it can run unattended? I want to be able to use dockerized containers to deploy this app to different azure tenants ..(dev, qa and production)
Going back to the drawing board / reading the docs to see what I missed but any suggestions would be appreciated.
Thanks.
As far as I know, the output of the command az login --service-principal --username $AZ_APPLICATION_CLIENT_ID --password $AZ_SECRET --tenant $TENANT --allow-no-subscriptions also includes the subscription ID like "id": "<subscriptionId>" instead of "id": "<tenantId>" in your output. You can show the default subscription with the command az account show.
I found that there are two variables $APPLICATION_CLIENT_ID and $APPLICATION_ID in your questions. Not sure you have a typo or using the wrong variable there. Please make sure you input the correct subscription id value when you run az account set -s <subscriptionId> and other parameters values via echo the environment variable value.
You can also get a list of subscriptions for the logged-in account with the command az account list and check if the subscription Id does exist in the specific tenant.
At last, you may need to re-auth the CLI with az login. Or, by comparing the Az CLI version with your local workstation, you may need to reinstall or upgrade it.
Edit
You can verify if the service principal indeed belongs to the subscription. Search the display name of App registration in the IAM of subscriptions.

AzureResponseError: Operation returned an invalid status code 'Unauthorized'

I have cloned my app from GitHub into the Azure shell. When I tried to create and deploy the webapp I am facing few errors. First I tried az webapp up -n newappname and I got the below error
Then I created a web app myself in the portal and just tried deploying it from Azure shell using the command az webapp up -n newappname_createdatportal. I got the below error
Any suggestions here will be much appreciated!
It seems it was a bug for old Azure CLI version, run az upgrade --yes and restart your prompt solve the problem for me.
Here are something to notice:
my Azure CLI version: 2.18.0
the command I use:
az upgrade --yes
#restart session and run this for authorizing
az login
az webapp up -n webappnamecreated
Here is the reproduce screenshot:
Here is the successful screenshot:
I tried updating the az command line as other answer suggested but didn't work for me.
Instead of doing az webapp up -n appname, try first creating an appservice plan with application name appname then only after it has been deployed enter the command az webpp up -n appname. This worked for me.

"az vm run-command" with "sudo waagent -deprovision+user -force" does not return prompt

I'm trying to create a Linux VM image using Azure CLI.
According to the Microsoft document below, before creating the VM image, I need to run "# sudo waagent -deprovision+user -force" command on the VM.
How to create an image of a virtual machine or VHD:
https://learn.microsoft.com/en-us/azure/virtual-machines/linux/capture-image
Instead of logging into the VM, I'm trying to use run-command as follows, but prompt does not get returned after the message " - Running ..".
# az vm run-command invoke -g rgName -n vmName --command-id RunShellScript --scripts "sudo waagent -deprovision+user -force"
- Running ..
Could you give me some advice on this issue?

Resources