I have a use case to add an event hub as a subscriber to an event grid domain topic.
Here the event grid domain and the event hub reside in 2 different Azure subscriptions (protected by the same tenant).
How to create an event grid domain topic subscription to connect to the event hub via az cli command?
Can this be done just with an SPN which has access to both these resources, or should we use a managed identity?
Yes, it is possible to create the Azure Event Grid domain topic subscription to connect to Event Hub using Azure CLI cmdlets, without a managed identity:
Followed this MS Doc for the below cmdlets:
az account set --subscription <my-dev-subscriptionid>
az eventgrid domain create -g KrishDev-RG --name hedomain1 -l westus2   # Done 1
az eventgrid domain topic create -g KrishDev-RG --domain-name hedomain1 --name hedomain1topic1
az account set --subscription <my-prod-subscriptionid>
az eventhubs namespace create --name heventhubns01 --resource-group Krishprod-RG -l westus2
az eventhubs eventhub create --name hevhns01hub --resource-group Krishprod-RG --namespace-name heventhubns01
az eventgrid domain topic event-subscription create --name kes1 \
-g Krishprod-RG --domain-name hedomain1 --domain-topic-name hedomain1topic1 \
--endpoint-type eventhub --endpoint <eventhub-endpoint>
Result:
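The cross-subscription part of the flow above, written as an added script that is not the answer's own code: the Event Hub endpoint is passed as its ARM resource id (built without calling az, so it can be checked first), the event subscription is created in the domain's subscription with --endpoint-type eventhub, and the destination is read back. The subscription ids and resource names are placeholders taken from the answer; the read-back query path destination.resourceId is an assumption. Run with RUN_EXAMPLE=1 once the SPN is logged in to both subscriptions.

```shell
#!/bin/sh
# Added example, not code from the answer above. Subscribes an Event Grid domain topic
# in the "dev" subscription to an Event Hub in the "prod" subscription.
# All subscription ids and resource names are placeholders.
set -eu

# The Event Hub endpoint is its ARM resource id; build it without calling az so it
# can be inspected before anything is created.
eventhub_resource_id() {
  # $1 subscription id, $2 resource group, $3 namespace, $4 event hub name
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.EventHub/namespaces/%s/eventhubs/%s\n' \
    "$1" "$2" "$3" "$4"
}

# The event subscription is a child of the domain, so it is created in the domain's
# subscription; only the endpoint points across to the other subscription. The SPN
# running this must be authorised in both subscriptions.
subscribe_domain_topic_to_eventhub() {
  dev_sub=$1 dev_rg=$2 domain=$3 topic=$4 prod_sub=$5 prod_rg=$6 ns=$7 hub=$8 name=$9
  endpoint=$(eventhub_resource_id "$prod_sub" "$prod_rg" "$ns" "$hub")
  az account set --subscription "$dev_sub"
  az eventgrid domain topic event-subscription create --name "$name" \
    -g "$dev_rg" --domain-name "$domain" --domain-topic-name "$topic" \
    --endpoint-type eventhub --endpoint "$endpoint"
  # Read the subscription back; the destination should echo the Event Hub id
  # (query path assumed).
  az eventgrid domain topic event-subscription show --name "$name" \
    -g "$dev_rg" --domain-name "$domain" --domain-topic-name "$topic" \
    --query destination.resourceId -o tsv
}

main() {
  subscribe_domain_topic_to_eventhub \
    "<my-dev-subscriptionid>" KrishDev-RG hedomain1 hedomain1topic1 \
    "<my-prod-subscriptionid>" Krishprod-RG heventhubns01 hevhns01hub kes1
}

# Only call az when explicitly asked, so the functions can be sourced first.
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then main; fi
```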
Just want to know how I can get the service buses in the portal through PowerShell.
I was able to access the App Insights through this piece of script:
az monitor app-insights component show | ConvertFrom-Json
Now I wish to access the service bus, app service and app service plans as well through PowerShell.
I was using this:
az monitor servicebus component show | ConvertFrom-Json
for service bus but it is not working.
You are using Azure CLI there, not the PowerShell modules.
If you want to list / show the details around the following services, then you need to use the corresponding Azure CLI commands:
ServiceBus
az servicebus namespace show --resource-group myresourcegroup --name mynamespace
Reference: https://learn.microsoft.com/en-us/cli/azure/servicebus/namespace?view=azure-cli-latest#az-servicebus-namespace-show
App Service
az webapp show --name MyWebapp --resource-group MyResourceGroup
Reference: https://learn.microsoft.com/en-us/cli/azure/webapp?view=azure-cli-latest#az-webapp-show
App Service Plans
az appservice plan show --name MyAppServicePlan --resource-group MyResourceGroup
Reference: https://learn.microsoft.com/en-us/cli/azure/appservice/plan?view=azure-cli-latest#az-appservice-plan-show
Here is the full CLI reference: https://learn.microsoft.com/en-us/cli/azure/reference-index?view=azure-cli-latest
To get the service bus namespace list in your current subscription, use the below command:
az servicebus namespace list
To get the service bus queue list, use the below command:
az servicebus queue list --resource-group myresourcegroup --namespace-name mynamespace
If you want topics, put topic in place of queue in the above command.
If you want to get app service plans, use the below command:
az appservice plan list
Alternatively, you can use an Azure Resource Graph query like below for Service Bus:
resources
| where type =~ 'microsoft.servicebus/namespaces'
You can use an Azure Resource Graph query like below to get app services:
resources
| where type == 'microsoft.web/sites'
References taken from:
https://learn.microsoft.com/en-us/cli/azure/appservice/plan?view=azure-cli-latest#az-appservice-plan-list
https://learn.microsoft.com/en-us/cli/azure/servicebus?view=azure-cli-latest
Edit:
Yes, if you want APIM use the below query:
resources
| where type == "microsoft.apimanagement/service"
Get APIM using CLI:
az account set -s "Subscription name"
# az returns JSON text; convert it so the type property can be filtered
$Resources = az resource list | ConvertFrom-Json
$Resources | Where-Object type -eq "Microsoft.ApiManagement/service"
I get an ERROR: The request did not have a subscription or a valid tenant level resource provider. when trying to create a service principal via the Azure CLI under the scope of an Azure IoT Hub. I'm using the CLI (bash) but Python would be sufficient, too.
As shown at the end, I have the correct credentials and rights to create SPs in this subscription, and I have owner rights to the IoT hub in question.
In case I'm missing a better way to accomplish this, here is the context: we need to authenticate a job that automates the registration of new devices immediately after they are flashed, before they are shipped off to be plugged in. This does many things to customize the flashed filesystem (add unique device hostname and local passwords, for instance); and finally it needs to register the device with IoT Hub.
az iot hub device-identity create --device-id [device id] --hub-name [hub name] --edge-enabled
With my user permissions, I can az login and accomplish all of this, but it needs to run in an automated job with no interactive login. I believe a service principal is the way to accomplish this (?).
Thus, attempting to create the principal, I run:
# the following pulls a valid(looking) `"/subscriptions/NAME/resourceGroups/THEGROUP/providers/Microsoft.Devices/IotHubs/THEHUB"`
IOTHUB_ID="$(az iot hub show --name TheHubName --query id)"
az ad sp create-for-rbac --name http://my-iothub-serviceprincipal --scopes $IOTHUB_ID --role contributor --query password --output tsv
which fails as above (note: contributor is too broad, it will be a custom role later):
WARNING: Role assignment creation failed.
ERROR: The request did not have a subscription or a valid tenant level resource provider.
As a test to ensure I have the right az login and other local state, the following analogous command for an Azure ACR scope does succeed, with a new service principal visible in the portal.
ACR_ID="$(az acr show --name TheAcrName --query id)"
az ad sp create-for-rbac --name http://acr-service-principal-foobar --scopes $ACR_ID --role acrpull --query password --output tsv
This was caused by a bug in the Azure CLI. az iot hub show is returning an improperly quoted string; az acr show, for example, does not.
az iot hub show --name your-iothub-name --query id returns a string like the following. Both quotes " are in the original:
'"/subscriptions/guid/.../IotHubs/your-iothub-name"'
az acr show --name your-acr-name --query id returns the same format string, but without the extra ' quoting.
"/subscriptions/.../registries/your-acr-name"
az iot hub device-identity create cannot deal with the '"..."' (understandable) but unfortunately doesn't fail cleanly, making this a bit difficult to track down, as the quoting blends in a bit with script output.
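An added script, not the answer's own code, that works around the quoting difference just described and makes the failure explicit instead of letting a malformed id reach az ad sp create-for-rbac: it strips the stray quote layers from a --query id result, refuses anything that is not an ARM resource path, and only then scopes the service principal to that single hub. Hub, principal and role names are placeholders; the role is left as a parameter because, as the question notes, Contributor is broader than device registration needs.

```shell
#!/bin/sh
# Added example, not code from the answer above. Hub, principal and role names are
# placeholders.
set -eu

# Strip one layer of single quotes and one layer of double quotes (either may be
# present), then insist on an ARM resource path so a bad id fails here, loudly,
# rather than as "The request did not have a subscription ..." later on.
clean_resource_id() {
  id=$1
  id=${id#\'}; id=${id%\'}
  id=${id#\"}; id=${id%\"}
  case $id in
    /subscriptions/*/providers/*) printf '%s\n' "$id" ;;
    *) printf 'not an ARM resource id: %s\n' "$1" >&2; return 1 ;;
  esac
}

# Resolve the hub's id. -o tsv returns the bare path on current CLI versions;
# clean_resource_id covers versions that still return the quoted form.
iothub_id() {
  clean_resource_id "$(az iot hub show --name "$1" --query id -o tsv)"
}

# Create a service principal whose role assignment is scoped to that one hub.
# $3 is the role; pass the narrowest one that lets the job register devices.
# The secret is printed to stdout, so capture it into the job's secret store
# rather than letting it land in build logs.
create_hub_scoped_sp() {
  hub=$1 sp_name=$2 role=$3
  scope=$(iothub_id "$hub")
  az ad sp create-for-rbac --name "$sp_name" --scopes "$scope" --role "$role" \
    --query password --output tsv
}

main() { create_hub_scoped_sp TheHubName my-iothub-serviceprincipal contributor; }

# Only call az when explicitly asked (RUN_EXAMPLE=1), so the helpers can be sourced.
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then main; fi
```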
I have tried the az aks show and az aks list commands but they don't show the names of the attached ACRs.
I ran the command to attach the ACR using az aks update --attach-acr and it shows that it's attached.
Can I see through the CLI or portal that the acr is in the cluster?
I am afraid you cannot see the attached ACR in the cluster UI portal.
When you attach the ACR to the AKS cluster using the az aks update --attach-acr command,
it just assigns the ACR's AcrPull role to the service principal associated with the AKS cluster. See here for more information.
You can get the service principal associated with the AKS cluster with the command az aks list.
See the screenshot below. The AcrPull role was assigned to the service principal associated with the AKS cluster.
If you want to use Azure CLI to check which ACR is attached to the AKS cluster, you can list all the ACRs and then loop through them to check which one has the AcrPull role assigned to the AKS service principal. See the example below:
# list all the ACR and get the ACR id
az acr list
az role assignment list --assignee <Aks service principal ID> --scope <ACR ID>
Actually, the --attach-acr parameter in the command just grants the AcrPull role to the service principal of the AKS cluster. There is no difference from before. You can only see the service principal of the AKS cluster. Currently, the CLI command az role assignment list cannot get the ACR directly if you do not already know the ACR scope. But you can get the principal ID first like this:
az aks show --resource-group groupName --name aksName --query identityProfile.kubeletidentity.objectId
And then use the CLI command to get the resource ID of the ACR:
az rest --method get --uri "https://management.azure.com/subscriptions/{subscription_id}/providers/Microsoft.Authorization/roleAssignments?api-version=2015-07-01" --uri-parameters "\$filter=principalId eq 'objectId'" --query "value[0].properties.scope"
If you know the ACR resource ID, I think you know clearly which ACR is attached to the AKS cluster.
The az aks check-acr command checks if a certain ACR is available from a specific AKS.
You have to provide both the ACR and AKS as argument, so this is not good for discovery.
You can build a small script around this that queries multiple subscriptions for their registered ACRs (you cannot pass multiple subscription arguments to az acr list --subscription; you have to query the subscriptions one by one), build an aggregated table of the ACRs, then pass those values in a loop to az aks check-acr.
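The discovery loop that the first two answers describe by hand, as an added script that is not any answer's own code: read the cluster's pull identity (the kubelet identity on newer clusters, falling back to the service principal on older ones), then check every registry in the current subscription for an AcrPull assignment to it. Resource names are placeholders; --include-inherited is a real az role assignment list flag, used so an AcrPull assignment made at resource-group or subscription scope is also reported. Run with RUN_EXAMPLE=1 and the resource group and cluster name as arguments.

```shell
#!/bin/sh
# Added example, not code from the answers above. Lists the ACRs an AKS cluster's
# pull identity holds AcrPull on. Resource names are placeholders.
set -eu

# Newer clusters pull with the kubelet managed identity; older ones with a service
# principal. Return whichever id the cluster reports.
aks_pull_identity() {
  rg=$1 name=$2
  oid=$(az aks show -g "$rg" -n "$name" \
          --query identityProfile.kubeletidentity.objectId -o tsv)
  if [ -z "$oid" ] || [ "$oid" = "None" ]; then
    oid=$(az aks show -g "$rg" -n "$name" \
            --query servicePrincipalProfile.clientId -o tsv)
  fi
  printf '%s\n' "$oid"
}

# Print the id of every registry on which the identity has AcrPull, whether
# assigned at the registry itself or inherited from a broader scope.
attached_acrs() {
  assignee=$1
  az acr list --query '[].id' -o tsv | while IFS= read -r acr_id; do
    [ -n "$acr_id" ] || continue
    scopes=$(az role assignment list --assignee "$assignee" --scope "$acr_id" \
               --include-inherited --query "[?roleDefinitionName=='AcrPull'].scope" -o tsv)
    if [ -n "$scopes" ]; then printf '%s\n' "$acr_id"; fi
  done
}

main() {
  rg=${1:-groupName} aks=${2:-aksName}
  identity=$(aks_pull_identity "$rg" "$aks")
  echo "pull identity: $identity"
  attached_acrs "$identity"
}

# Only call az when explicitly asked, so the helpers can be sourced first.
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then main "$@"; fi
```

The same loop run against each subscription in turn (az account set before each pass) gives the aggregated table the third answer suggests, with the advantage that it reports registries the cluster can actually pull from rather than requiring each candidate ACR to be named up front.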
I created the Azure Kubernetes Service and Azure Container Registry using the Azure Portal. After that, to grant AKS access to ACR, I used the below script:
Login-AzureRmAccount
Set-AzureRmContext -SubscriptionID 'XXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXX'
#Get the id of the service principal configured for AKS
$AKS_RESOURCE_GROUP = "DSEU2-AKSRES-SB-DEV-RGP-01"
$AKS_CLUSTER_NAME = "DSEU2-AKSRES-SB-DEV-AKS-01"
$CLIENT_ID=$(az aks show --resource-group $AKS_RESOURCE_GROUP --name $AKS_CLUSTER_NAME --query "servicePrincipalProfile.clientId" --output tsv)
# Get the ACR registry resource id
$ACR_NAME = "DSWEAKSRESSBDEVACR01"
$ACR_RESOURCE_GROUP = "DSWE-AKSRES-SB-DEV-RGP-01"
$ACR_ID=$(az acr show --name $ACR_NAME --resource-group $ACR_RESOURCE_GROUP --query "id" --output tsv)
#Create role assignment
az role assignment create --assignee $CLIENT_ID --role Reader --scope $ACR_ID
Whenever I run the above PowerShell script I get the exception shown in the figure below.
For the above scenario I followed this documentation: Authenticate with Azure Container Registry from Azure Kubernetes Service
For the command az role assignment create, the description of the --assignee argument is:
Represent a user, group, or service principal. supported format:
object id, user sign-in name, or service principal name.
But what you used is the resource ID of the Azure Kubernetes cluster, so you get the error.
And in the link you posted, the document shows the secret in the YAML file and the secret created with the command kubectl create secret. The secret is just used for pulling the image from the Azure Container Registry.
Update
With the error shown, the resource group could not be found, so you should check your resource group carefully.
And from your script, you use a PowerShell command to log in and use the CLI to execute. I think the subscription will not be changed for the CLI, so you should check whether you are in the correct subscription. The PowerShell command will not change the subscription for the CLI.
So I suggest the CLI command az account set --subscription.
Is it possible to get Azure Service Bus primaryConnectionString with AZ CLI?
Input parameters:
Resource Group
Service Bus Name
Years later it's now supported. In case anyone else stumbles upon this question like me, it can be done this way:
az servicebus namespace authorization-rule keys list --resource-group myresourcegroup --namespace-name mynamespace --name RootManageSharedAccessKey --query primaryConnectionString -o tsv
For now, Azure CLI 2.0 does not support Service Bus. You could use az -h to check. PowerShell and Azure CLI 1.0 (asm mode) support Service Bus now.
You could use PowerShell to get the primary connection string.
$ResGrpName = "shuibus"
$Namespace = "shuitest"
# list the namespace's authorization rules and take the first one's name
$CurrentRule = Get-AzureRmServiceBusNamespaceAuthorizationRule -ResourceGroup $ResGrpName -NamespaceName $Namespace
$AuthRule = ($CurrentRule | Select-Object -First 1).Name
(Get-AzureRmServiceBusNamespaceKey -ResourceGroup $ResGrpName -NamespaceName $Namespace -AuthorizationRuleName $AuthRule).PrimaryConnectionString
For more information please refer to this link.
Update:
On a Linux VM, you could use this REST API to generate the connection string in automation.
POST /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ServiceBus/namespaces/{namespaceName}/AuthorizationRules/{authorizationRuleName}/listKeys?api-version=2015-08-01