I am trying to fetch Azure Artifacts through Service Principal in PowerShell but not able to do it.
Reproduction step:
az login --service-principal --username "" -p="" --tenant ""
Above command works fine and returns the following output:
[
{
"cloudName": "",
"homeTenantId": "",
"id": "",
"isDefault": true,
"managedByTenants": [],
"name": "Microsoft Azure Enterprise",
"state": "Enabled",
"tenantId": "",
"user": {
"name": "",
"type": "servicePrincipal"
}
}
]
Then I ran the following command to download the artifacts:
az artifacts universal download --organization "" --project "" --scope project --feed "" --name "" --version "" --path .
Error:
python.exe : WARNING: Could not retrieve credential from local cache for service principal under tenant
. Trying credential under tenant , assuming that is an app credential.
At C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\wbin\az.ps1:2 char:1
& "$PSScriptRoot..\python.exe" -IBm azure.cli $args
+ CategoryInfo : NotSpecified: (WARNING: Could ...app credential.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
WARNING: Could not retrieve credential from local cache for service principal under tenant
. Trying credential under tenant , assuming that is an app credential.
ERROR: Failed to update Universal Packages tooling.
Before you can run Azure DevOps commands, you need to run the login command(az login if using AAD/MSA identity else az devops login if using PAT token)
to setup credentials. Please see https://aka.ms/azure-devops-cli-auth for more information.
I am able to download the artifacts when I simply run az login, then pass the authentication through browser and then run the az artifact download command. But I want to automate this process through code so I need to login programmatically.
Please let me know what can I do? I have already spent a lot of days for this issue.
Thanks
Related
I am attempting to setup and install this reference app from Azure, created by the Microsoft patterns & practices team: https://github.com/mspnp/serverless-reference-implementation - the setup is via Azure CLI not the UI.
However it uses Azure AD Graph, which has just very recently been deprecated and replaced by Microsoft.Graph as documented here: https://learn.microsoft.com/en-gb/cli/azure/microsoft-graph-migration
This breaks the installation instructions in the app, specifically the az ad app create command:
export API_APP_ID=$(az ad app create --display-name $API_APP_NAME --oauth2-allow-implicit-flow true \
--native-app false --reply-urls http://localhost --identifier-uris "http://$API_APP_NAME" \
--app-roles ' [ { "allowedMemberTypes": [ "User" ], "description":"Access to device status", "displayName":"Get Device Status", "isEnabled":true, "value":"GetStatus" }]' \
--required-resource-accesses ' [ { "resourceAppId": "00000003-0000-0000-c000-000000000000", "resourceAccess": [ { "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "type": "Scope" } ] }]' \
--query appId --output tsv)
Fails with: ERROR: unrecognized arguments: --native-app false
If I try to update the command with the new parameters for Microsoft.Graph as per the migration guide above:
export API_APP_ID=$(az ad app create --display-name $API_APP_NAME --enable-access-token-issuance true \
--is-fallback-public-client false --web-redirect-uris http://localhost --identifier-uris "http://$TENANT_NAME.onmicrosoft.com/$API_APP_NAME" \
--app-roles ' [ { "allowedMemberTypes": [ "User" ], "description":"Access to device status", "displayName":"Get Device Status", "isEnabled":true, "value":"GetStatus" }]' \
--required-resource-accesses ' [ { "resourceAppId": "00000003-0000-0000-c000-000000000000", "resourceAccess": [ { "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "type": "Scope" } ] }]' \
--query appId --output tsv)
The create command works - but the app's manifest does not have the expected data:
export API_IMPERSONATION_PERMISSION=$(az ad app show --id $API_APP_ID --query "oauth2Permissions[?value == 'user_impersonation'].id" --output tsv)
This returns NULL - the new Microsoft.Graph API does not even create this field in the app's manifest. I manually confirmed this by looking at the manifest in the Azure UI. This means the following commands that rely on this field existing are unusable.
How can I fix this so I can install this reference app given that the install instructions refer to the no longer available Azure AD Graph API? What is the correct az ad app create command that lets Microsoft.Graph API create the API app with oauth?
For web deployment using FTP;I came across a situation, where i'm using Azure CLI command to create an app service plan in FREE tier to deploy the web app in it.
Here is how i am approaching:
used command:
az login --allow-no-subscriptions
sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code xxxxxxx to authenticate. Working fine with below result.
[
{
"cloudName": "AzureCloud",
"id": "1fdacf7a-xxxxx-xxxx-xxxx-xxxxxxxxxxxxx",
"isDefault": true,
"name": "N/A(tenant level account)",
"state": "Enabled",
"tenantId": "1fdacf7a-xxxxx-xxxx-xxxx-xxxxxxxxxxxxx",
"user": {
"name": "email#gmail.com",
"type": "user"
}
}
]
Then, create basic app service plan using :
"az appservice plan create -g MyResourceGroup -n MyPlan"
This gives me error saying "The subscription 1fdacf7a-xxxxx-xxxx-xxxx-
xxxxxxxxxxxxx could not be found.
How to resolve this problem? Thanks.
I can reproduce your issue, to fix the issue, please don't use the --allow-no-subscriptions parameter.
You just need to login with:
az login
or
az login --use-device-code
Then use the command below to set the subscription:
az account set --subscription 1fdacf7a-xxxxx-xxxx-xxxx-xxxxxxxxxxxxx
Run az appservice plan create -g MyResourceGroup -n MyPlan:
I have a File Share setup in a Storage Account. When I try to mount it in my Web App I get the following response:
"nexport-shared": {
"accessKey": "hidden==",
"accountName": "hidden",
"mountPath": "\\\\nexportshared",
"shareName": "nexportcampusbetashare",
"state": "InvalidCredentials",
"type": "AzureFiles"
}
I am using the az CLI command below :
az webapp config storage-account add --resource-group "GROUPNAME" --name "WEBAPPNAME" --custom-id nexport-shared --storage-typeAzureFiles --share-name nexportcampusbetashare --account-name STORAGEACCOUNT --access-key "hidden==" --mount-path "\\nexportshared" --verbose --debug
When I run 'az webapp config list' it shows up in the list but still with InvalidCredentials
A possible reason is that you have input an invalid key or storage account to mount the Azure files. Correcting these parameters fixes this issue for me.
Fixed as below
You may need to turn off or modify the firewall on the storage account for the Azure-Cli and the App Service to be able to see it.
I'm getting same response and file share is working as expected.
Also I just found an issue created about this, seems to be an error in the response message from the API:
https://github.com/Azure/azure-cli/issues/21571
I'm trying to deploy Kubernetes through ACS. The deployment works perfectly but as soon as I try connect to the cluster with kubectl proxy it fails.
Every kubectl command fails.
I SSH'ed to the server and found out only one container started. Not a single other one in sight even with -a.
Anyone got a clue to why this happens?
According to your description, it seems you have not configured the Service Principal correctly.
You may need to check to ensure the credentials were provided accurately, and that the configured Service Principal has read and write permissions to the target Subscription.
If your Service Principal is misconfigured, none of the kubernetes components will come up in a healthy manner. We can check to see if this the problem:
root#k8s-master-D9DE702A-0:~# journalctl -u kubelet | grep --text autorest
If you see output that looks like the following, it means you have not configured the service Principal correctly.
May 18 07:09:36 k8s-master-D9DE702A-0 docker[5534]: E0518 07:09:36.901937 5920 kubelet.go:1186] Cannot get Node info: failed to get external ID from cloud provider: autorest#WithErrorUnlessStatusCode: POST https://login.microsoftonline.com/1fcf418e-66ed-4c99-9449-d8e18bf8737a/oauth2/token?api-version=1.0 failed with 400 Bad Request: StatusCode=400
May 18 07:09:37 k8s-master-D9DE702A-0 docker[5534]: E0518 07:09:37.119646 5920 kubelet_node_status.go:70] Unable to construct api.Node object for kubelet: failed to get external ID from cloud provider: autorest#WithErrorUnlessStatusCode: POST https://login.microsoftonline.com/1fcf418e-66ed-4c99-9449-d8e18bf8737a/oauth2/token?api-version=1.0 failed with 400 Bad Request: StatusCode=400
More information about how to create /configure a service principal for ACS-Engin Kubernetes cluster, please refer to this Azure CLI 2.0 or PowerShell.
We can use CLI 2.0 to get the information about ACS, the clientId is the service principal.
C:\Users>az acs show -g k8s -n containerservice-k8s
{
"agentPoolProfiles": [
{
.
.
.
.
},
"provisioningState": "Succeeded",
"resourceGroup": "k8s",
"servicePrincipalProfile": {
"clientId": "1498b171-xxxx-xxxx-xxxx-8ef56a178b89",
"secret": null
},
"tags": null,
"type": "Microsoft.ContainerService/ContainerServices",
"windowsProfile": null
}
We can use PowerShell to get the service principal:
PS C:\Users> Get-AzureRmADServicePrincipal | ?{ $_.ApplicationId -eq "1498b171-xxxx-xxxx-xxxx-8ef56a178b89" } | fl *
ServicePrincipalNames : {http://azure-cli-2017-04-13-08-16-07, 1498b171-xxxx-xxxx-xxxx-8ef56a178b89}
ApplicationId : 1498b171-xxxx-xxxx-xxxx-8ef56a178b89
DisplayName : azure-cli-2017-04-13-08-16-07
Id : d86886b9-xxxx-xxxx-xxxx-25ab57803a33
Type : ServicePrincipal
So I'm following this guide in order tosuse Azure 2.0 CLI to create an app service to deploy.
https://learn.microsoft.com/en-us/azure/app-service-web/app-service-web-get-started
I have set up the resource group, the app service plan and the app but instead of setting up the deployment with a Git repository like this
az appservice web source-control config-local-git --name <app_name> --resource-group my-first-app-group
I would like to put all my files into a folder in DropBox.
This step can be done by using the Azure web site but I would like to know if it is possible to using the Azure 2.0 CLI? If so, what is the command?
I would like to put all my files into a folder in DropBox.
This step can be done by using the Azure web site but I would like to
know if it is possible to using the Azure 2.0 CLI?
We can use CLI 2.0 command like this:
C:\Users>az appservice web source-control config --repo-url https://www.dropbox.com/sh/ar7n31ozqgchnb2/AABxdZN4v4pklk3USCnFBWdVa?dl=0 --repository-type mercurial --name jasonapp2 --resource ubuntu
Here is my result:
C:\Users>az appservice web source-control config --repo-url https://www.dropbox.com/sh/ar7n31ozqgchnb2/AABxdZN4v4pklk3USCnFBWdVa?dl=0 --repository-type mercurial --name jasonapp2 --resource ubuntu
{
"branch": null,
"deploymentRollbackEnabled": false,
"id": "/subscriptions/5384xxxx-xxxx-xxxx-xxxx-0361e29a7b15/resourceGroups/ubuntu/providers/Microsoft.Web/sites/jasonapp2/sourcecontrols/web",
"isManualIntegration": false,
"isMercurial": false,
"kind": null,
"location": "Central US",
"name": "jasonapp2",
"repoUrl": "https://www.dropbox.com/sh/ar7n31ozqgchnb2/AABxdZN4v4pklk3USCnFBWdVa?dl=0",
"resourceGroup": "ubuntu",
"tags": {
"hidden-related:/subscriptions/5384xxxx-xxxx-xxxx-xxxx-0361e29a7b15/resourcegroups/AppResource/providers/Microsoft.Web/serverfarms/palian160919": "empty"
},
"type": "Microsoft.Web/sites/sourcecontrols"
}