How to log in to Azure using az cli from a Gitlab CI runner? - azure

I have generated a zip file of a Node.JS-based web app in Gitlab, and I am trying to deploy it as an Azure "web app" using az webapp deploy. This works fine on my local machine where I am logged in, but I can't for the life of me figure out how I can log in to Azure from the Gitlab runner, so that I can run that same command. I've tried:
Using the Publish Profile (already need to be logged in for that!)
Creating a managed identity with roles on the app (but I don't have access to AD)
Creating the managed system identity in the app's "Identity" pane (can't find any associated password?!)
Generating a JWT token to store in Gitlab as described in this question (I don't have access to the App Registrations functionality)
I don't want to use Azure to rebuild the application using the webhook system, I already have a known-working ZIP package that I want to deploy. My only hangup is logging in.
How can I log in to Azure -- i.e. what incantations do I have to provide to az login -- from a Gitlab CI runner, in order to deploy my website from a zipped Gitlab artifact to the App Service?
(note: I am a teacher and trying to figure this out for my students; it is possible that I am working with a somehow-limited Azure but my local IT doesn't support us for this and of course neither will Microsoft.)

If you cannot access the app registrations as discussed in a similar question and have no federation configured, your only options are to use a username and password (e.g. a user's username and password to authenticate to AAD), use a device code flow, or self-host your GitLab runner on Azure with a managed identity.
Using username and password
Using a username and password is straightforward:
az login --tenant $YOUR_TENANT_ID -u $YOUR_USERNAME -p $YOUR_PASSWORD
However, this may not be possible if you normally do not log in to Azure using a username and password (for example, you use OAuth or another federated login for the Azure portal and users have no passwords set), in which case you will need to use the device code flow.
Using device code
To use the device code flow, you will need to monitor the job output, copy the URL shown, and log in from your browser every time your job runs. In your job, add the following:
az login --tenant $YOUR_TENANT_ID --use-device-code
In the job output you will see a message similar to the following:
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code YOUR-CODE-WILL-APPEAR-HERE to authenticate
Copy the code from the message, open your browser to the device login page and enter the code to allow your job to proceed.
Note: It is possible for organizations to disable this login method, in which case you will see an error when trying to log in this way.
Self-hosting GitLab runner on Azure with a managed identity
Lastly, if you're not able to use any of the above methods, you can deploy the GitLab runner to Azure itself as an application that uses a managed identity (for example on AKS, ACI, or on a VM with a managed identity).
For example, you can configure a shell runner on an Azure VM. Azure VMs with a managed identity will not require az login to perform az cli commands.
Creating the managed system identity in the app's "Identity" pane (can't find any associated password?!)
The reason you can't find any associated password is because managed identities can only be leveraged from Azure services -- for example, Azure VMs using a managed identity are able to use az cli without logging in.
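Putting the methods from the answer above together, as an added example that is not part of the original answer: a POSIX shell script for the GitLab job that picks the login flow from whichever CI/CD variables are set (managed identity first, then an app registration's service principal if one is available, then username and password, and device code as the interactive fallback), verifies the session with az account show, and only then deploys the zip artifact. The variable names (AZURE_TENANT_ID, AZURE_USERNAME, AZURE_PASSWORD, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET_OR_CERT, AZURE_USE_MANAGED_IDENTITY) are assumptions for this example; store the secret ones as masked and protected GitLab variables. Two caveats the answer does not spell out: on a VM the managed identity still needs az login --identity (there is just no secret to pass), and az login -u/-p does not work for accounts that require MFA.

```shell
#!/bin/sh
# Added example, not part of the original answer: deploy script for a GitLab
# CI job that picks an az login method from the CI variables that are set,
# then deploys an existing zip artifact with `az webapp deploy`.
# Assumed variable names (set as masked + protected CI/CD variables):
#   AZURE_TENANT_ID, AZURE_USERNAME, AZURE_PASSWORD,
#   AZURE_CLIENT_ID, AZURE_CLIENT_SECRET_OR_CERT (secret value or PEM path),
#   AZURE_USE_MANAGED_IDENTITY=1 on a self-hosted runner that has one.
set -eu

# Command used for the Azure CLI; overridable so it can be stubbed in tests.
AZ="${AZ:-az}"

# Decide which login flow is available, most automated first.
select_login_method() {
    if [ "${AZURE_USE_MANAGED_IDENTITY:-0}" = "1" ]; then
        echo identity
    elif [ -n "${AZURE_CLIENT_ID:-}" ] && [ -n "${AZURE_CLIENT_SECRET_OR_CERT:-}" ]; then
        echo service-principal
    elif [ -n "${AZURE_USERNAME:-}" ] && [ -n "${AZURE_PASSWORD:-}" ]; then
        echo password
    else
        echo device-code
    fi
}

azure_login() {
    method="$(select_login_method)"
    case "$method" in
        identity)
            # Runner hosted on an Azure VM/ACI/AKS with a managed identity:
            # the token comes from the instance metadata service, no secret.
            "$AZ" login --identity --output none ;;
        service-principal)
            # App registration available: -p takes the client secret or the
            # path to a PEM file holding certificate + private key.
            "$AZ" login --service-principal -u "$AZURE_CLIENT_ID" \
                -p "$AZURE_CLIENT_SECRET_OR_CERT" --tenant "$AZURE_TENANT_ID" --output none ;;
        password)
            # Fails for accounts that require MFA or use federated sign-in.
            "$AZ" login -u "$AZURE_USERNAME" -p "$AZURE_PASSWORD" \
                --tenant "$AZURE_TENANT_ID" --output none ;;
        device-code)
            # Interactive: someone must open the URL printed in the job log
            # and enter the code before the job continues.
            "$AZ" login --use-device-code --tenant "$AZURE_TENANT_ID" --output none ;;
    esac
    echo "logged in via $method"
}

# Confirm the session before touching anything; prints the subscription id.
current_subscription() {
    "$AZ" account show --query id --output tsv
}

# Deploy a prebuilt zip. Refuses to call az when the artifact is missing so
# a bad artifact path fails immediately instead of after a deploy attempt.
deploy_zip() {
    rg="$1"; app="$2"; zip="$3"
    [ -f "$zip" ] || { echo "artifact not found: $zip" >&2; return 1; }
    "$AZ" webapp deploy --resource-group "$rg" --name "$app" \
        --src-path "$zip" --type zip --output none
}

# In .gitlab-ci.yml the job script would be, for example:
#   . ./deploy.sh && azure_login && current_subscription && deploy_zip "$RG" "$APP" app.zip
```

The AZ variable exists only so the script can be exercised with a stub in place of the real CLI; in the job it resolves to az. Every az call uses --output none so that the login response (tenant and subscription details) does not end up in the job log.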

Related

Log in to Azure in a script without entering a password explicitly

I have a script that pushes a Docker Container to an Azure Container Registry. But before that, one needs to log in to Azure, which requires a password (either it's a user, or a service principal). That is not an option, since this password will be explicit and visible in code.
Any chance to log in another way, without explicit credentials?
The only possible ways for Azure CLI are User or Service Principal. You could do the authentication outside of the script if it helps. Or if it helps, Service Principals could also use a certificate to authenticate. If you don't commit it (.gitignore) it should stay on your machine only.
If you are in a build pipeline in Azure DevOps or GitHub, there are ways to handle connections and secrets without exposing them to the code.

How to register your Azure resource as an Application in Azure Active Directory?

I have an Azure CDN. It has a custom domain, and I attempting to register my own certificate for HTTPS support.
I am attempting to follow the instructions here: https://learn.microsoft.com/en-us/azure/cdn/cdn-custom-ssl?tabs=option-2-enable-https-with-your-own-certificate
I have uploaded my Certificate to a Key Vault. That should be good. I am now trying to grant my Azure CDN Profile access to my Key Vault in order for it to get the certificate. That is this step in the tutorial (Register Azure CDN, step #2)
That step shows a GUID (205478c0-bd83-4e1b-a9d6-db63a3e1e1c8). Where is that coming from? Is that the identifier for my Azure CDN Profile? If so, where would I get that?
I also just noticed there are two commands there: The text shows New-AzADServicePrincipal, but the screenshot shows New-AzureRmADServicePrincipal. Presumably, the latter is the (older?) command based on Resource Manager. But, which one should I be using?
Also, I don't think I have Azure Powershell installed. Can I do this using Cloud Shell via the Azure Portal?
What I see when I attempt to run the command from Cloud Shell
That step shows a GUID (205478c0-bd83-4e1b-a9d6-db63a3e1e1c8). Where is that coming from? Is that the identifier for my Azure CDN Profile? If so, where would I get that?
The GUID is the Application ID of the multi-tenant AD App in the Microsoft tenant (microsoft.onmicrosoft.com). When you use New-AzADServicePrincipal with the GUID, it will create a service principal related to this AD App in your AAD tenant, which represents your CDN.
When you run the New-AzADServicePrincipal successfully, you could find it in the portal -> Azure Active Directory -> Enterprise applications in your tenant.
I also just noticed there are two commands there: The text shows New-AzADServicePrincipal, but the screenshot shows New-AzureRmADServicePrincipal. Presumably, the latter is the (older?) command based on Resource Manager. But, which one should I be using?
New-AzureRmADServicePrincipal belongs to the old AzureRM module; New-AzADServicePrincipal belongs to the new Az module. You could use either of them, but I recommend using New-AzADServicePrincipal, because the AzureRM module was deprecated and will not be updated any more.
Also, I don't think I have Azure Powershell installed. Can I do this using Cloud Shell via the Azure Portal?
Of course, you can. Just run that in the cloud shell, no need to install any module manually.
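The same registration done with the Azure CLI instead of Azure PowerShell, as an added example that is not part of the original answer (either tool is available in Cloud Shell). It creates the service principal for the CDN application id quoted in the question and then grants that principal only get on secrets and certificates in the vault, which is all it needs to fetch the certificate; the vault and resource group names are placeholders. It assumes a vault that uses access policies rather than Azure RBAC, and that az ad sp show returns the object id under id (current CLI versions do; older ones used objectId).

```shell
#!/bin/sh
# Added example, not part of the original answer: register the Azure CDN
# application as a service principal in your tenant with the Azure CLI and
# give it read-only access to the certificate in Key Vault.
# The application id is the one quoted in the question; vault and resource
# group names are placeholders.
set -eu

AZ="${AZ:-az}"                       # overridable for stubbing in tests
CDN_APP_ID="205478c0-bd83-4e1b-a9d6-db63a3e1e1c8"

# Reject anything that is not a GUID before handing it to az, so a pasted
# typo cannot create a principal for some unrelated application.
is_guid() {
    printf '%s' "$1" | grep -Eqi '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'
}

# Create the service principal for the multi-tenant app in this tenant and
# print its object id. `az ad sp create` fails if it already exists, so
# treat that as success and read the existing principal back with `show`.
ensure_service_principal() {
    app_id="$1"
    is_guid "$app_id" || { echo "not an application id: $app_id" >&2; return 1; }
    "$AZ" ad sp create --id "$app_id" --output none 2>/dev/null || true
    "$AZ" ad sp show --id "$app_id" --query id --output tsv
}

# Least privilege: CDN only needs to read the certificate, so grant get on
# certificates and secrets and nothing else (no list, set, delete, purge).
grant_certificate_read() {
    vault="$1"; rg="$2"; object_id="$3"
    "$AZ" keyvault set-policy --name "$vault" --resource-group "$rg" \
        --object-id "$object_id" \
        --secret-permissions get --certificate-permissions get --output none
}

# Whole step: ensure the principal exists, then scope its vault access.
# Prints the principal's object id so it can be recorded.
register_cdn_for_keyvault() {
    sp_object_id="$(ensure_service_principal "$CDN_APP_ID")"
    grant_certificate_read "$1" "$2" "$sp_object_id"
    echo "$sp_object_id"
}

# Usage from Cloud Shell:  register_cdn_for_keyvault my-vault my-resource-group
```

After running it, the principal appears under Azure Active Directory -> Enterprise applications exactly as the PowerShell route produces, and the vault's access policies show it with get only.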

Get publish profile returns unauthorised user

I'm trying to debug a web API on azure and need to access the logs from FTP
Whenever I try to download the publish profile in order to learn my FTP connection details, I get an error page saying credentials were incorrect
How can this be if I'm already logged in?
Make sure you have privileged permissions to the resources which you are trying to access.
If you haven't set the credentials for your Web API, I suggest you set the credentials first using the Azure portal.
Select your Azure Web App/API -> under deployment credentials set your FTP deployment credentials. For more details, you can refer to the screenshot below.
You could also use Get-AzurePublishSettingsFile PowerShell cmdlet to download the publish settings profile file.

Azure VM with cli

Is there a way to authenticate to Azure without any login on an Azure VM? The same feature as an Amazon instance profile, so I can run Azure commands without authentication
I don't think it is possible to communicate with the Azure cloud without authentication the way AWS allows with the instance profile. In Azure you have to use a service principal with the respective role (Reader, Contributor or Owner) assigned. Once the service principal is created you can use it for authentication with the Azure SDK or REST API. You can automate once you have the service principal details.
You can use Azure CLI.
The authentication can be done using the Publish Settings file.
This is useful if you wish to use Azure CLI commands in a script etc.
You can download the file by using
azure account download
Make sure you keep this file safe as it provides direct access to your azure account.
Then authentication is a simple process of importing the file using
azure account import /path/to/.publishsettings_file
Now deployment commands can be run on the command line without logging in.
Scroll to the section public settings file in the link for more info on how to use the publish settings file.

What is my Azure password for azure-cli

I am trying to spin up a Kubernetes cluster using my Microsoft Azure account. I'm following this guide:
https://github.com/kubernetes/kubernetes/blob/release-1.0/docs/getting-started-guides/coreos/azure/README.md#lets-go
At some point, the guide instructs to execute this command:
./azure-login.js -u <your_username>
I am pretty new to Azure, and I don't know what this username is. I have an e-mail that I use to login to the Azure Portal, where I can start virtual machines.
The issue was that apparently one needs to have an organization account in order to use the Azure CLI tool. I had set up my account as an individual, with an e-mail address, so the tool wasn't working.
The solution was to convert my account to an organizational one by playing with the Active Directory service here, as explained here:
https://azure.microsoft.com/en-us/documentation/articles/resource-group-create-work-id-from-personal/
A simple peek at azure-login.js (located in the same folder as the link you posted) shows:
require('child_process').fork('node_modules/azure-cli/bin/azure', ['login'].concat(process.argv));
So... it's calling the azure cli: azure login username
And username would be your email address for your Azure subscription (the same email address you'd login with in the portal). You'd then be prompted for your password.
