az login error: Please ensure you have network connection. Error detail: HTTPSConnectionPool(host='login.microsoftonline.com', port=443) - azure

Trying to install the Azure Devops CLI Extension
https://learn.microsoft.com/en-us/azure/devops/cli/?view=azure-devops
az extension add --name azure-devops
is the command I run
I get the following error message
Error Message
I have tried
git config http.sslVerify "false"
I've tried to do multiple azure cli and powershell commands
I've set my context with
Set-AzContext -Subscription "xxxx-xxxx-xxxx-xxxx"
I don't understand what the issue is here.
I've tried running the commands with and without the VPN ( I use Pulse VPN for reference)
I've tried setting powershell's execution policy to Undefined
Set-ExecutionPolicy -ExecutionPolicy Undefined -Scope CurrentUser
If someone could please let me know their thoughts on the specific error:
Please ensure you have network connection. Error detail: HTTPSConnectionPool(host='objects.githubusercontent.com', port=443): Max retries exceeded with url: /github-production-release-asset-2e65be/107708057/665228bd-d0c3-4865-b029-624cbc247ca1?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20220701%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220701T163308Z&X-Amz-Expires=300&X-Amz-Signature=dd9381d3d71deeb228b151ec41140e8238f425ca9bf2882889c6bc9592c782e6&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=107708057&response-content-disposition=attachment%3B%20filename%3Dazure_devops-0.25.0-py2.py3-none-any.whl&response-content-type=application%2Foctet-stream (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)')))
I've seen the post here Azure CLI Error and it was of no help

We tried the same locally to install the Azure DevOps extension, and it works successfully when following the MS doc given in the question.
Here is the workaround we followed:
az login
Select-AzSubscription -Subscription subscriptionID
And it logged in successfully:
After that, we ran az extension add --name azure-devops and it works.
Below is the az --version we used:
NOTE: For the error, make sure that you are using the latest version of az cli and have enabled the port locally (Windows Security > Advanced settings > Inbound Rules > add a new rule, then add your required port (443) and enable it).
For configuration details, see: How to open port in windows firewall.
For more information please refer the below links:-
Similar SO THREAD|Why Azure CLI login fails? "Connection actively refused" & az login command fails - Azure cli .
BLOG| MICROSOFT TECHNET .

Execution of commands on an AWS Windows EC2 instance using pywinrm fails because WSMan AllowUnencrypted is set to False

I am trying to connect to a Windows EC2 instance and run some commands against it using pywinrm.
I am using the following code to create a session:
session = winrm.Session(ec2_instance.public_dns_name, auth=(user_name, password))
which works fine.
Now, when I use the session object created above to run a command like:
session.run_ps("hostname") or session.run_cmd("hostname") -> it fails with a timeout error because the firewall rules for WinRM ports 5985 and 5986 are not configured (The security group on AWS side has the ports open but the VM does not have it).
Once the inbound rule for ports 5985 and 5986 is configured on the EC2 instance, running any command fails with the following error:
Exception has occurred: InvalidCredentialsError the specified credentials were rejected by the server
I know that error message is misleading because the credentials are correct.
The reason I say that the credentials are correct is that when I run the following from the EC2 instance:
Set-Item -Force WSMan:\localhost\Service\auth\Basic $true
Set-Item -Force WSMan:\localhost\Service\AllowUnencrypted $true
And then run the command using my code, it all works fine.
Now, what I am trying to find is, a way to enable the AllowUnencrypted value through my python code.
I have looked at using Kerberos but it seems like I need to create an AWS Managed Microsoft AD directory which will incur cost to my organization.
I have also tried to use NTLM like this:
protocol = Protocol(
    endpoint=f"https://{ec2_instance.public_dns_name}:5985/wsman",
    transport="ntlm",
    username="Administrator",
    password="Password",
    server_cert_validation="ignore",
)
shell_id = protocol.open_shell()
But I get the following error:
HTTPSConnectionPool(host='ec2-x-x-x-x.us-west-2.compute.amazonaws.com', port=5985): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError(1, '[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1129)')))
Any help is appreciated.
Thanks
"HTTPSConnectionPool(host='ec2-x-x-x-x.us-west-2.compute.amazonaws.com', port=5985): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError(1, '[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1129)')))"
From your error, port 5985 is the HTTP listener, whereas HTTPS should be port 5986.
Change the endpoint port to 5986 and give it a try: endpoint=f"https://{ec2_instance.public_dns_name}:5986/wsman",
Sorry, I'm unable to add a comment yet.
Here is the solution that worked for me:
Step 1:
Use AWS SSM to run commands on an EC2 instance. These commands will
Set WSMan attributes Basic Authentication to True and AllowUnencrypted to True.
Create Windows Firewall Rules with ports 5985 and 5986.
Set-Item -Force WSMan:\localhost\Service\auth\Basic $true
Set-Item -Force WSMan:\localhost\Service\AllowUnencrypted $true
New-NetFirewallRule -DisplayName "Allow WinRM Ports" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 5985-5986
I got help from here: How to execute commands on AWS Instance using Boto3
AMIs with SSM pre-installed: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-install-ssm-win.html
Note: The commands can only be run on an EC2 instance if it has this IAM profile associated to it:
ARN = arn:aws:iam::<your_aws_account_id>:instance-profile/AmazonSSMRoleForInstancesQuickSetup
Name = AmazonSSMRoleForInstancesQuickSetup
This can be done using boto3 EC2 client method associate_iam_instance_profile()
Once the IAM profile is associated with the EC2 instance, it takes a minute or two to take effect and for the instance to be listed by the describe_instance_information() method of the boto3 ssm client.
Make sure to add a waiting method for your EC2 instance to be listed under the output of the above method before trying to run any command.
Step 2:
Use WinRM python library to bring EBS disk online, initialize, partition and format the disk.
Note: I could have used SSM to run the commands mentioned above but WinRM provides better output which can be converted to JSON and used for further validation.
Step 3:
Code to decrypt password for login:
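import base64

from winrm.protocol import Protocol
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_v1_5

# private_key_file_path: path to the RSA private key (PEM) file
# password_data: base64-encoded, RSA-encrypted password data
with open(private_key_file_path, "r") as key_file:
    key_text = key_file.read()
key = RSA.importKey(key_text)
cipher = PKCS1_v1_5.new(key)
# The second argument is the sentinel returned if decryption fails
password = cipher.decrypt(base64.b64decode(password_data), None).decode("utf-8")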
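
The wait that Step 1 asks for, as an added example (not code from the original answer): it polls describe_instance_information() until the instance reports Online and only then sends a command through the AWS-RunPowerShellScript document. The function names, the FakeSSM stand-in and the instance id are assumptions made so the block runs offline; with real AWS access, pass boto3.client("ssm") instead of the fake.

```python
import time

def wait_until_ssm_managed(ssm, instance_id, timeout=300, interval=10,
                           sleep=time.sleep, clock=time.monotonic):
    """Poll describe_instance_information until the instance reports Online.

    `ssm` is a boto3 SSM client. Returns the number of polls made and raises
    TimeoutError if the instance has not registered when `timeout` expires.
    """
    deadline = clock() + timeout
    polls = 0
    while True:
        polls += 1
        resp = ssm.describe_instance_information(
            Filters=[{"Key": "InstanceIds", "Values": [instance_id]}])
        for info in resp.get("InstanceInformationList", []):
            if (info.get("InstanceId") == instance_id
                    and info.get("PingStatus") == "Online"):
                return polls
        if clock() >= deadline:
            raise TimeoutError(f"{instance_id} not managed by SSM after {timeout}s")
        sleep(interval)

def run_powershell(ssm, instance_id, commands, **wait_args):
    """Wait for SSM registration, then send commands; return the command id."""
    wait_until_ssm_managed(ssm, instance_id, **wait_args)
    resp = ssm.send_command(
        InstanceIds=[instance_id],
        DocumentName="AWS-RunPowerShellScript",
        Parameters={"commands": list(commands)})
    return resp["Command"]["CommandId"]

class FakeSSM:
    """Constructed stand-in for boto3.client("ssm"); Online on the 3rd poll."""
    def __init__(self, online_after=3):
        self.calls, self.online_after, self.sent = 0, online_after, []

    def describe_instance_information(self, Filters):
        self.calls += 1
        if self.calls < self.online_after:
            return {"InstanceInformationList": []}
        return {"InstanceInformationList": [
            {"InstanceId": Filters[0]["Values"][0], "PingStatus": "Online"}]}

    def send_command(self, InstanceIds, DocumentName, Parameters):
        self.sent.append((DocumentName, Parameters["commands"]))
        return {"Command": {"CommandId": "constructed-command-id"}}

if __name__ == "__main__":
    fake = FakeSSM()  # constructed client; the instance id below is a placeholder
    print(run_powershell(fake, "i-0123456789abcdef0", ["hostname"],
                         sleep=lambda s: None))
```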

Can't install azure cli extension : Error detail: HTTPSConnectionPool(host='objects.githubusercontent.com', port=443)

Trying to install the Azure Devops CLI Extension
https://learn.microsoft.com/en-us/azure/devops/cli/?view=azure-devops
az extension add --name azure-devops
is the command I run
I get the following error message
Error Message I have tried
git config http.sslVerify "false"
I've tried to do multiple azure cli and powershell commands
I've set my context with
Set-AzContext -Subscription "xxxx-xxxx-xxxx-xxxx"
I don't understand what the issue is here.
I've tried running the commands with and without the VPN ( I use Pulse VPN for reference)
I've tried setting powershell's execution policy to Undefined
Set-ExecutionPolicy -ExecutionPolicy Undefined -Scope CurrentUser
If someone could please let me know their thoughts on the specific error:
Please ensure you have network connection. Error detail: HTTPSConnectionPool(host='objects.githubusercontent.com', port=443): Max retries exceeded with url: /github-production-release-asset-2e65be/107708057/665228bd-d0c3-4865-b029-624cbc247ca1?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20220701%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220701T163308Z&X-Amz-Expires=300&X-Amz-Signature=dd9381d3d71deeb228b151ec41140e8238f425ca9bf2882889c6bc9592c782e6&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=107708057&response-content-disposition=attachment%3B%20filename%3Dazure_devops-0.25.0-py2.py3-none-any.whl&response-content-type=application%2Foctet-stream (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)')))
Normally, when executing the command line "az extension add --name azure-devops", it will go to the Azure DevOps CLI Extension GitHub Repo to download the latest release of the extension.
You can try to manually open the Azure DevOps CLI Extension GitHub Repo and download the extension on your browser:
If you also cannot manually access the GitHub Repo and download the extension, check whether there is any networking restriction or firewall set on your machine and the current network.
If you can manually access the GitHub Repo and download the extension, try to manually install the extension on your machine.

Problem with Azure in Microsoft learning path module (Kubernetes)

I am just doing this module of Microsoft course:
https://learn.microsoft.com/en-us/learn/modules/microservices-aspnet-core/
I created an azure subscription and tried to run the script given in unit 2.
Something is going on in the console, but at some point it shows something like this:
Getting credentials for AKS...
(ResourceNotFound) The Resource 'Microsoft.ContainerService/managedClusters/eshop-learn-aks' under resource group 'eshop-learn-rg' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix
Code: ResourceNotFound
Message: The Resource 'Microsoft.ContainerService/managedClusters/eshop-learn-aks' under resource group 'eshop-learn-rg' was not found. For more details please go to https://aka.ms/ARMResourceNotFoundFix
Installing NGINX ingress controller
error: You must be logged in to the server (the server has asked for the client to provide credentials)
error: You must be logged in to the server (the server has asked for the client to provide credentials)
error: You must be logged in to the server (the server has asked for the client to provide credentials)
Getting load balancer public IP
> kubectl get svc -n ingress-nginx -o json | jq -r -e '.items[0].status.loadBalancer.ingress[0].ip // empty'
error: You must be logged in to the server (the server has asked for the client to provide credentials)
Waiting for load balancer IP...
Am I doing something wrong? Strictly followed instructions.
Edit:
I think problem is with VM, not AKS.
> az aks create -n eshop-learn-aks -g eshop-learn-rg --node-count 1 --node-vm-size Standard_D2_v5 --vm-set-type VirtualMachineScaleSets -l centralus --enable-managed-identity --generate-ssh-keys -o json
ERROR: (BadRequest) The VM size of AgentPoolProfile:nodepool1 is not allowed in your subscription in location 'centralus'.
You need to log in :
az login
az account set --subscription <YOUR SUB ID>
az aks get-credentials --resource-group <AKS RG> --name <AKS NAME>
The 'CentralUS' location doesn't accept new VM with the type of subscription you have.
You need to use another location.
To do that, you need to declare a variable 'defaultRegion' in the bash shell (ex.: declare defaultRegion=eastus) before executing wget

az login using managed identity fails in az pipeline

When I run the pipeline on AKS and run az login --identity it gives me an error as below. What should I do to fix this issue.
AzureResponseError: Failed to connect to MSI. Please make sure MSI is configured correctly. Get Token request returned http error: 400, reason: Bad Request

SSL handshake error with some Azure CLI commands

I am using Azure CLI in bash within PowerShell in Windows 10. I sit behind a corporate proxy. My goal is to automate the deployment and setup of Azure resources.
Some of the Azure CLI commands work perfectly fine: I can run az login, change the default subscription, list locations, resource groups, resources within resource groups and I can even run shell scripts to deploy resources like Key Vaults.
However, when I try to list the keys or secrets within a Key Vault, or create keys/secrets I get the following:
Error occurred in request., SSLError: HTTPSConnectionPool(host='xxxxxx.vault.azure.net', port=443): Max retries exceeded with url: /secrets?api-version=7.0 (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))
The example I am providing here is for a Key Vault, but I am getting the same error with other types of resources, so I don't think the Key Vault is the issue.
When appending the --debug parameter to the command, I can see the error is coming from one of the Python libraries:
urllib3.connectionpool : Retrying (Retry(total=0, connect=4, read=4, redirect=None, status=None)) after connection broken by 'SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),)': /secrets?api-version=7.0
I have tried the suggestions provided at:
Working with Azure CLI behind SSL intercepting proxy server,
Including export AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=anycontent to disable certificate check (not recommended) and export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt to make Python requests use the system ca-certificates bundle.
I have also tried:
export ADAL_PYTHON_SSL_NO_VERIFY=1
which is suggested in the following post:
[AzureStack] Handle SSL verification for certs not in Python root CA list #2267
But unfortunately none of the above produced any change in the outcome.
I am using Azure CLI version 2.0.60 and Python 3.
Because you are using Windows, not Linux or macOS, please try to use set instead of export to set the environment variables in PowerShell, as below, then run the Azure CLI command for Key Vault again.
set ADAL_PYTHON_SSL_NO_VERIFY=1
set AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1
And for the command export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt on Linux, I think you can refer to the SuperUser thread https://superuser.com/questions/217719/what-are-the-windows-system-certificate-stores to run a powershell window as administrator (right click on the PowerShell shortcut and select Run as administrator to run).
However, since you mention bash within PowerShell, it sounds like you open a bash shell session of Windows Subsystem for Linux, or something like Git Bash, from the PS: prompt. That is described too vaguely for me to understand your operations, so please post more details about it. I also don't think it's good practice to nest bash inside PowerShell.
I've updated this with my comment from https://github.com/Azure/azure-cli/issues/5099
#rzand 's process was the only one that worked for me, I'll expand on his solution though as there were extra steps required. All from elevated Shells
"C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python" -m pip install --upgrade pip
"C:\Program Files (x86)\Microsoft Visual Studio\Shared\Python36_64\Scripts\pip" install python-certifi-win32
Add the Cloud services root CA to cacert.pem exported from the downloaded certificate. I specifically needed Microsoft IT TLS CA 5 and the "Baltimore CyberTrust Root" from that cert. Simply open the certs in text editor and append the contents to the bottom of C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\cacert.pem
Add the Self-signed certificate given to you by the network team. Simply open the cert in text editor and append the contents to the bottom of C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\cacert.pem
Set the system/environment variable in Command prompt setx /m REQUESTS_CA_BUNDLE "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\cacert.pem"
Set the system/environment variable in Powershell $env:REQUESTS_CA_BUNDLE="C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\cacert.pem"
Close and open Bash / Command Prompt
FINALLY no errors. I can even retrieve Key Vault secrets
Running just the below two commands, fixed the issue for me
"C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python" -m pip install --upgrade pip
"C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Scripts\pip" install python-certifi-win32
In my case the issue was seen due to invoking an Azure CLI command behind a company proxy.
Peter Pan's set method doesn't work well in PowerShell, use this instead:
$env:ADAL_PYTHON_SSL_NO_VERIFY = '1'
$env:AZURE_CLI_DISABLE_CONNECTION_VERIFICATION = '1'
Works on WSL Ubuntu 20.04
export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
In order to make Python requests use the system ca-certificates bundle
Solution from Working with Azure CLI behind SSL intercepting proxy server
Having contacted the azure cli team, it appears there is a bug that affects keyvault commands that are run behind a proxy.
Refer to the following github issue that I created with an in-depth explanation of the issue (and a potential workaround):
AZURE_CLI_DISABLE_CONNECTION_VERIFICATION does not have any effect for SSL verification
The above issue is also linked to the following, which appears to be a duplicate:
Az keyvault secret list --vault_name thru proxy is getting Proxy Authentication Required
It is also worth mentioning that this issue happens regardless of the platform the azure cli is running on so it is not an environmental issue or a problem when setting environment variables.
Below worked for me in a corporate firewall and proxy.
Added HTTP_PROXY and HTTPS_PROXY environment variables to the system
Find certifi path for your AZ CLI installation. It was "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi" for me.
Download your company root certificate and append it to "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\cacert.pem"
Done !
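
The "append the company root certificate to cacert.pem" step from the answers above, as an added example (not code from any of the posts): it builds a combined bundle as text that can be written to a separate file and referenced by REQUESTS_CA_BUNDLE, leaving the CLI's shipped cacert.pem untouched. It rejects an input with no PEM block (a DER-encoded export pasted from a text editor is the usual cause) and skips certificates already present, so running it twice does not grow the bundle. All function names are assumptions, and the sample byte strings are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import re
import textwrap

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_to_ders(text):
    """Return the decoded bytes of every certificate block found in PEM text."""
    return [base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_BLOCK.findall(text)]

def der_to_pem(der):
    """Encode bytes as one PEM certificate block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END CERTIFICATE-----")

def build_bundle(base_pem, extra_pems):
    """Append certificates from extra_pems (name -> text) to base_pem.

    Returns (bundle_text, number_added). Raises ValueError for an input that
    holds no PEM certificate block, e.g. a DER-encoded .cer file.
    """
    seen = {hashlib.sha256(d).hexdigest() for d in pem_to_ders(base_pem)}
    parts = [base_pem.strip()]
    added = 0
    for name, text in extra_pems.items():
        ders = pem_to_ders(text)
        if not ders:
            raise ValueError(f"{name}: no PEM certificate block (DER export?)")
        for der in ders:
            digest = hashlib.sha256(der).hexdigest()
            if digest not in seen:  # skip certificates already in the bundle
                seen.add(digest)
                parts.append(der_to_pem(der))
                added += 1
    return "\n".join(parts) + "\n", added

if __name__ == "__main__":
    # Constructed stand-ins: these byte strings are NOT real certificates.
    base = der_to_pem(b"public-root-1") + "\n" + der_to_pem(b"public-root-2")
    corp = {"corp-root.pem": der_to_pem(b"corp-proxy-root"),
            "again.pem": der_to_pem(b"public-root-2")}
    bundle, added = build_bundle(base, corp)
    print(added, "added;", bundle.count("BEGIN CERTIFICATE"), "in bundle")
```

On a real machine, read certifi's cacert.pem and the corporate root as the inputs, write the returned text to a file you own, and point REQUESTS_CA_BUNDLE at that file.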
