I am attempting to setup and install this reference app from Azure, created by the Microsoft patterns & practices team: https://github.com/mspnp/serverless-reference-implementation - the setup is via Azure CLI not the UI.
However it uses Azure AD Graph, which has just very recently been deprecated and replaced by Microsoft.Graph as documented here: https://learn.microsoft.com/en-gb/cli/azure/microsoft-graph-migration
This breaks the installation instructions in the app, specifically the az ad app create command:
export API_APP_ID=$(az ad app create --display-name $API_APP_NAME --oauth2-allow-implicit-flow true \
--native-app false --reply-urls http://localhost --identifier-uris "http://$API_APP_NAME" \
--app-roles ' [ { "allowedMemberTypes": [ "User" ], "description":"Access to device status", "displayName":"Get Device Status", "isEnabled":true, "value":"GetStatus" }]' \
--required-resource-accesses ' [ { "resourceAppId": "00000003-0000-0000-c000-000000000000", "resourceAccess": [ { "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "type": "Scope" } ] }]' \
--query appId --output tsv)
Fails with: ERROR: unrecognized arguments: --native-app false
If I try to update the command with the new parameters for Microsoft.Graph as per the migration guide above:
export API_APP_ID=$(az ad app create --display-name $API_APP_NAME --enable-access-token-issuance true \
--is-fallback-public-client false --web-redirect-uris http://localhost --identifier-uris "http://$TENANT_NAME.onmicrosoft.com/$API_APP_NAME" \
--app-roles ' [ { "allowedMemberTypes": [ "User" ], "description":"Access to device status", "displayName":"Get Device Status", "isEnabled":true, "value":"GetStatus" }]' \
--required-resource-accesses ' [ { "resourceAppId": "00000003-0000-0000-c000-000000000000", "resourceAccess": [ { "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "type": "Scope" } ] }]' \
--query appId --output tsv)
The create command works - but the app's manifest does not have the expected data:
export API_IMPERSONATION_PERMISSION=$(az ad app show --id $API_APP_ID --query "oauth2Permissions[?value == 'user_impersonation'].id" --output tsv)
This returns NULL - the new Microsoft.Graph API does not even create this field in the app's manifest. I manually confirmed this by looking at the manifest in the Azure UI. This means the following commands that rely on this field existing are unusable.
How can I fix this so I can install this reference app given that the install instructions refer to the no longer available Azure AD Graph API? What is the correct az ad app create command that lets Microsoft.Graph API create the API app with oauth?
Related
I am trying to fetch Azure Artifacts through Service Principal in PowerShell but not able to do it.
Reproduction step:
az login --service-principal --username "" -p="" --tenant ""
Above command works fine and returns the following output:
[
{
"cloudName": "",
"homeTenantId": "",
"id": "",
"isDefault": true,
"managedByTenants": [],
"name": "Microsoft Azure Enterprise",
"state": "Enabled",
"tenantId": "",
"user": {
"name": "",
"type": "servicePrincipal"
}
}
]
Then I ran the following command to download the artifacts:
az artifacts universal download --organization "" --project "" --scope project --feed "" --name "" --version "" --path .
Error:
python.exe : WARNING: Could not retrieve credential from local cache for service principal under tenant
. Trying credential under tenant , assuming that is an app credential.
At C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\wbin\az.ps1:2 char:1
& "$PSScriptRoot..\python.exe" -IBm azure.cli $args
+ CategoryInfo : NotSpecified: (WARNING: Could ...app credential.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
WARNING: Could not retrieve credential from local cache for service principal under tenant
. Trying credential under tenant , assuming that is an app credential.
ERROR: Failed to update Universal Packages tooling.
Before you can run Azure DevOps commands, you need to run the login command(az login if using AAD/MSA identity else az devops login if using PAT token)
to setup credentials. Please see https://aka.ms/azure-devops-cli-auth for more information.
I am able to download the artifacts when I simply run az login, then pass the authentication through browser and then run the az artifact download command. But I want to automate this process through code so I need to login programmatically.
Please let me know what can I do? I have already spent a lot of days for this issue.
Thanks
I have a Problem with Packer and the Azure Stack, I am trying to build an Image in azure stack, but it looks like packer don't try to use my custom-url.
{
"builders": [{
"type": "azure-arm",
"client_id": "client_id",
"client_secret": "client_secret",
"tenant_id": "tenant_id",
"subscription_id": "subscription_id",
"managed_image_resource_group_name": "resource_group_name",
"managed_image_name": "random_name",
"os_type": "Linux",
"image_publisher": "Canonical",
"image_offer": "UbuntuServer",
"image_sku": "18.04-LTS",
"azure_tags": {
"dept": "Engineering",
"task": "Image deployment"
},
"location": "custom_location",
"vm_size": "Standard_DS2_v2"
}],
"provisioners": [{
"execute_command": "chmod +x {{ .Path }}; {{ .Vars }} sudo -E sh '{{ .Path }}'",
"inline": [
"apt-get update",
"apt-get upgrade -y",
"apt-get -y install nginx",
"/usr/sbin/waagent -force -deprovision+user && export HISTSIZE=0 && sync"
],
"inline_shebang": "/bin/sh -x",
"type": "shell"
}]
}
Error
azure-arm: output will be in this color.
==> azure-arm: Running builder ...
==> azure-arm: Getting tokens using client secret
==> azure-arm: Getting tokens using client secret
azure-arm: Creating Azure Resource Manager (ARM) client ...
Build 'azure-arm' errored: Cannot locate the managed image resource group resource_group_name.
==> Some builds didn't complete successfully and had errors:
--> azure-arm: Cannot locate the managed image resource group olaf.
==> Builds finished but no artifacts were created.
But the creds are right, I can login with the ServiceAccount/App credentials and list all resource groups. Seems everything is working.
Do someone have an idea how to get Packer working with azure stack? Is there a way to give the stack domain instead of the original azure domain or something like that?
Thank you! =)
I know this question is old and you likely figured it out, but I encountered the same issue today and thought it might be helpful to add my solution for anyone else that comes across this:
Make sure your service principal is added as a contributor to the resource group.
In Azure Portal, navigate to the target resource group
Click "Access (IAM)" on the left hand side.
Click "Add" at the top and search for the service principal
For web deployment using FTP;I came across a situation, where i'm using Azure CLI command to create an app service plan in FREE tier to deploy the web app in it.
Here is how i am approaching:
used command:
az login --allow-no-subscriptions
sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code xxxxxxx to authenticate. Working fine with below result.
[
{
"cloudName": "AzureCloud",
"id": "1fdacf7a-xxxxx-xxxx-xxxx-xxxxxxxxxxxxx",
"isDefault": true,
"name": "N/A(tenant level account)",
"state": "Enabled",
"tenantId": "1fdacf7a-xxxxx-xxxx-xxxx-xxxxxxxxxxxxx",
"user": {
"name": "email#gmail.com",
"type": "user"
}
}
]
Then, create basic app service plan using :
"az appservice plan create -g MyResourceGroup -n MyPlan"
This gives me error saying "The subscription 1fdacf7a-xxxxx-xxxx-xxxx-
xxxxxxxxxxxxx could not be found.
How to resolve this problem? Thanks.
I can reproduce your issue, to fix the issue, please don't use the --allow-no-subscriptions parameter.
You just need to login with:
az login
or
az login --use-device-code
Then use the command below to set the subscription:
az account set --subscription 1fdacf7a-xxxxx-xxxx-xxxx-xxxxxxxxxxxxx
Run az appservice plan create -g MyResourceGroup -n MyPlan:
I have an resource group ARM template that I use to create an application gateway that is configured for url routing. It sends traffic to different Web Apps in that resource group based on url path rules. I deploy the base resource group ARM template, and then each web app has its own ARM template that setups a Web App on an App Service Plan. I am trying to figure out how to add a rule to an existing Url Path Map on an Application Gateway without defining the whole application gateway in every template. This way, I can simply add web apps and have them "register" on to the application gateway with a particular path rule.
I considered doing a linked template where my base template would have all of the shared resources (databases, app service plan, and app gateway), but even with a linked template, I don't think I can add a rule to the application gateway.
Update
So I modified my template by adding a reference to the existing application gateway, and then adding variables for the new BackEndPoolAddress and new Path Rule. It ends up like this (abbreviated to only relevant parts):
"variables": {
"appGateway": "[reference(concat('Microsoft.Network/applicationGateways/', 'appGateWay-', uniqueString(resourceGroup().id)), '2017-06-01')]",
"pathRule": {
"name": "[concat(parameters('websiteName'), '- RoutingRule')]",
"properties": {
"paths": [
"[parameters('routingRule')]"
],
"backendAddressPool": {
"id": "[concat(variables('appGateway').id, '/backendAddressPools/',parameters('websiteName'), 'BackEndPool')]"
},
"backendHttpSettings": {
"id": "[variables('appGateway').backendHttpSettingsCollection[0]]"
}
}
},
"backendPool": {
"name": "[concat(parameters('websiteName'), 'BackEndPool')]",
"properties": {
"IpAddress": "[reference(variables('webSiteName')).defaultHostName]"
}
}
},
"resources": [
...
{
"apiVersion": "2017-06-01",
"name": "[variables('appGateway').name]",
"type": "Microsoft.Network/applicationGateways",
"location": "[resourceGroup().location]",
"properties": {
"backendAddressPools": "[concat(variables('appGateway').backendAddressPools, variables('backendPool'))]",
"urlPathMaps": [
{
"name": "[variables('appGateway').urlPathMaps[0]]",
"pathRules": "[concat(variables('appGateway').urlPathMaps[0].pathRules, variables('pathRule'))]"
}
]
}
}
],
However I get a template validation error saying I can't use the Reference function in the Variables section. If I don't add it in the variables section, how can I build the correct paths for the pool and pathRule in my variables section?
you can achieve this using the reference() function, array manipulation and nested templates (might work even without those, worst case you will need them). example:
"outputs": {
"httpListeners": {
"type": "array",
"value": "[reference('application_gateway_id', '2018-08-01', 'Full').properties.httpListeners]"
}
}
Will return you array or httpListeners. you can get all the relevant application gateway properties and add new (additional) properties with the concat() and assign the result to the property (properties):
"httpListeners": "[concat(reference('application_gateway_id', '2018-08-01', 'Full').properties.httpListeners, variables('newListener'))]"
you just need to make sure 2 deployments dont start at the same time, one might overwrite the other
Here is the solution I finally ended up with using the Azure CLI. This script is idempotent and runs during my release process.
echo "Logging into AKS Cluster"
az aks get-credentials --resource-group $RESOURCEGROUP_NAME --name $AKSNAME
echo "Get the created service's ip address"
SERVICEIP=$(kubectl get service --namespace $AKSNAMESPACE $APPNAME-service -o jsonpath="{.status.loadBalancer.ingress[0].ip}")
echo "Creating backend pool - IP $SERVICEIP"
az network application-gateway address-pool create \
--gateway-name $APPGATEWAYNAME \
--resource-group $RESOURCEGROUP_NAME \
--name "$APPNAME-pool" \
--servers $SERVICEIP
echo "Creating probe"
az network application-gateway probe create \
--gateway-name $APPGATEWAYNAME \
--name "$APPNAME-probe" \
--path $APPPROBE \
--resource-group $RESOURCEGROUP_NAME \
--protocol Http \
--resource-group $RESOURCEGROUP_NAME \
--host-name-from-http-settings true
echo "Creating HTTP Settings"
az network application-gateway http-settings create \
--gateway-name $APPGATEWAYNAME \
--name "$APPNAME-settings" \
--port 80 \
--resource-group $RESOURCEGROUP_NAME \
--host-name-from-backend-pool \
--probe "$APPNAME-probe" \
--protocol Http
echo "Creating URL Path Map"
az network application-gateway url-path-map rule create \
--gateway-name $APPGATEWAYNAME \
--name "$APPNAME-rule" \
--paths $RULEPATH \
--path-map-name $RULENAME \
--resource-group $RESOURCEGROUP_NAME \
--http-settings "$APPNAME-settings" \
--address-pool "$APPNAME-pool"
So I'm following this guide in order tosuse Azure 2.0 CLI to create an app service to deploy.
https://learn.microsoft.com/en-us/azure/app-service-web/app-service-web-get-started
I have set up the resource group, the app service plan and the app but instead of setting up the deployment with a Git repository like this
az appservice web source-control config-local-git --name <app_name> --resource-group my-first-app-group
I would like to put all my files into a folder in DropBox.
This step can be done by using the Azure web site but I would like to know if it is possible to using the Azure 2.0 CLI? If so, what is the command?
I would like to put all my files into a folder in DropBox.
This step can be done by using the Azure web site but I would like to
know if it is possible to using the Azure 2.0 CLI?
We can use CLI 2.0 command like this:
C:\Users>az appservice web source-control config --repo-url https://www.dropbox.com/sh/ar7n31ozqgchnb2/AABxdZN4v4pklk3USCnFBWdVa?dl=0 --repository-type mercurial --name jasonapp2 --resource ubuntu
Here is my result:
C:\Users>az appservice web source-control config --repo-url https://www.dropbox.com/sh/ar7n31ozqgchnb2/AABxdZN4v4pklk3USCnFBWdVa?dl=0 --repository-type mercurial --name jasonapp2 --resource ubuntu
{
"branch": null,
"deploymentRollbackEnabled": false,
"id": "/subscriptions/5384xxxx-xxxx-xxxx-xxxx-0361e29a7b15/resourceGroups/ubuntu/providers/Microsoft.Web/sites/jasonapp2/sourcecontrols/web",
"isManualIntegration": false,
"isMercurial": false,
"kind": null,
"location": "Central US",
"name": "jasonapp2",
"repoUrl": "https://www.dropbox.com/sh/ar7n31ozqgchnb2/AABxdZN4v4pklk3USCnFBWdVa?dl=0",
"resourceGroup": "ubuntu",
"tags": {
"hidden-related:/subscriptions/5384xxxx-xxxx-xxxx-xxxx-0361e29a7b15/resourcegroups/AppResource/providers/Microsoft.Web/serverfarms/palian160919": "empty"
},
"type": "Microsoft.Web/sites/sourcecontrols"
}