After running a DevOps pipeline that created several resources, only two (a new resource group and a Functions app) show up in Azure CLI using az ... list --subscription ....
Other resources, like Static Web Apps and a SQL Server don't show up in that list or when running az staticwebapp list --subscription ... or az sql server list --subscription ... with the subscription argument specified. I have confirmed that these resources DO show up in the portal, and my account is listed as an owner (inherited from subscription) for them in the portal.
I have deployed Azure Static WebApp using Azure Devops.
Followed this MSDoc to publish the static web app.
By using,
az staticwebapp list --resource-group YourRGName
and
az staticwebapp list --subscription YourSubscriptionID
,Iam able to get the StaticWeb App list
For anyone else running into this:
I have not found a solution to getting the az staticwebapp list command to work for my use case, as the results that show up immediately after creating a resource are just inconsistent. However, as a workaround that should satisfy most use cases, using this API (using az rest command) to find all resources associated with the group created by the pipeline, then filtering those down to find the Static Web App I want, seems to work.
Then, when using other APIs that reference that app before it shows up in the normal list, fully specifying subscription and resource group alongside the app's name seems to make things more reliable too.
As far as I can tell, this is probably just a limitation with the inconsistency of how long information about newly deployed resources takes to propagate that shows up when trying to find a resource immediately after creating it.
Related
I have no experience in coding, just started now.
I am trying to create a webapp using the Azure Cloud Shell, so I used the following command:
az webapp create --name WebAppOne --resource-group learn-64c4ca17-0293-40f6-ba23-e4581751cca0 --plan ServicePlanTest
Then I get the message:
Webapp 'WebAppOne' already exists. The command will use the existing app's settings.
Unable to retrieve details of the existing app 'WebAppOne'. Please check that the app is a part of the current subscription
I only have one subscription in Azure as I am still using a free account for learning purposes.
So, I decided to get a list showing the webapps that exist by using the command:
az webapp list --output table
However, the only outcome is a blank line, showing no web apps already existing. What should I try next?
To create a web app in Azure App service, you must have a resource group and App service plan in your subscription.
To check the existing App services in your subscription
az webapp list --resource-group MyRGName
Output :
As you can see, currently I don't have any webapps created in the given Resource group
Run the below command to create an Azure Web App
az webapp create --name MyWebApp --resource-group MyRGName --plan MyAppServicePlan
Though I don't have any Webapps with the given name, I got the same error.
In Azure Portal => Azure Active Directory => App registrations => All applications
In search box, searched with the web app name. I can see the web app with same name is already created.
Reason for the error
You might have created a web app with same name long ago, but the resource got deleted from the resource group. But still, it is available in the Azure Active Directory App registrations.
If it is created by you and you don't want to use anymore, you can delete it. If not create web app with another name.
Tried to create web app with another name.
Create Azure App Service:
Now I can see the created Web App List.
List of Azure Web Apps
I'm following the instructions here to create an azure static web app from the cloud shell, using the command:
az webapp up --location westindia --name static-webapp-test --html
Getting the following Unauthorized error :
The webapp 'static-webapp-test' doesn't exist Creating Resource group 'anubhav.das_rg_8008' ... Resource group creation complete Creating AppServicePlan 'anubhav.das_asp_4721' ... Operation returned an invalid status 'Unauthorized'
I have seen these type of errors like preventing the user from creation of resources due to role restrictions or access level restrictions in the subscription.
Please check your role (should be owner or contributor or user access administrator) and filters added in the Azure Active Directory.
It is recommended to use the latest version of CLI.
If you are using the older version run the below cmdlet to upgrade the CLI to latest version :
az upgrade --yes
I have followed the steps provided in the given documentation, we are able to create the static web app successfully :
Selected Azure Cloud Shell and given the following settings like my subscription, location, resource group name, storage account name, file share name for working on the cloud shell.
Cloned the git hub project to my azure account as you can see in below screenshot:
Also created another same type of application with the name you have given:
As I can see there is no issue in creation of static html web app though I have existing resource group using for working with cloud shell, it is creating new resource group for the web app purpose by using the given commands in the documentation and working good without any access restriction like authorization as my role belongs to Contributor.
Problem
I have an azure pipeline YAML file. It is able to run through a service connection which accesses a service principal with all the proper authority, etc.
But I am now trying to clean up the code; we have multiple service principals running on multiple subscriptions and resource groups. They need to create storage accounts, which need to be unique.
So I am trying to create a storage account built partially from the associated subscription and resource group of the service principal creating the storage account.
Example Solution
For the subscription, it is fairly easy. I can do something like this, from within a PowerShell script called inside the pipeline:
$subscriptionId = $(az account show --query 'id' -o tsv)
Write-Output "##vso[task.setvariable variable=AZURE_SUBSCRIPTION_ID;isoutput=true;issecret=true]$subscriptionId"
Now I have the variables $subscription ID and AZURE_SUBSCRIPTION_ID set, and can access subscription information within the pipeline itself.
Question
But how can I do something similar with resource groups?
There is no equivalent to az account show with resource groups, without knowing the resource group name itself. (Eg, I have to type az group show -name <RG-name>, but it is precisely the name that I am trying to get.)
Again, to be clear, I am running inside of a particular resource group and subscription, it is those that are associated with the service connection. Now I simply want that information available to the pipeline.
I'm not sure if I completely understand what you are trying to accomplish. But I suspect that the options below might help.
Get role assignments
If you created separate service connections for each individual resource group you can simply check the role assignments for the SPN and determine the scope of the service connection.
If you, for example, use the Azure PowerShell task, you have configured it with a Service Connection. So when the task starts, it has the context of the service principal. You can then do Get-AzRoleAssignment which should output the Resource Groups to which its authorised. Again, this is only useful if you use a service connection per RG, as you otherwise get results for multiple RGs. (Or for subscriptions and Management groups, if you also assigned a role to those scropes)
Use the Azure DevOps API
You can use the Get Service Endpoint request of the Azure DevOps API to get the service connections. The JSON output will contain information regarding the scope of the service connection.
If you find working with the API directly a bit hard, you can try the PSDevOps PowerShell module to interact with the Azure DevOps API. It has the Get-ADOServiceEndpoint command that allows you to get the available service endpoints.
Could someone please let me know how to list all the DBR workspaces under a particualr subscription in Azure.
I have tried Az Cli Option but it doesn't have any option to list any workspace.
you can always use something like this:
az resource list --resource-type "Microsoft.Databricks/workspaces"
so use a generic command to query the rest api directly (what the other answer suggests) but using Azure CLI, so you dont need to handle the auth\tokens\etc
ps. you'd first need to change your Azure CLI context to that subscription with:
az account set -s "sub_name_goes_here"
You can use the REST API,
GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Databricks/workspaces?api-version=2018-04-01
Currently im trying to create dynamic environments via AzureDevops.
One of these steps to achieve this is to take a copy of our production databases and place them in a temp resource group (Production Subscription) and then move the sql server and associated databases to our non-production subscription. From here we then create the web apps and deploy code.
When i run this via Az Cli i am able to move the resources with the following
SQLSERVERID=$(az resource show -g $RSGNAMETEMP -n $SQLSERVERNAME --resource-type "Microsoft.Sql/servers" --query id --output tsv)
az resource move --destination-group $RSGNAME --ids $SQLSERVERID --destination-subscription-id $SANDBOXSUBSCRIPTIONID
However when i run this via AzureDevops i get the following error
ERROR: The client (...) with object id (...) has permission to perform action on scope however, it does not have permission to perform action (...) on the linked scope(s).
I believe this problem is happening when you configure the AZ Cli step in AzureDevops you select the Subscription from the drop down list. The account / service principal only has access rights to that specific subscription and not to multiple. Is it possible to configure a service principal (that can be used in AzureDevops) that can connect to multiple subscriptions?
Yes, just go to Azure portal, navigate to the desired subscription blade, go to Access Control, press + sigh at the top and add your principal as a contributor to the subscription.
to find service principal name use this:
Click Manage link in the Azure Subscription field in your VSTS job, it will navigate you to a new blade. Click Manage Service Principal there. It will take you to the application page in Azure AD. After that you can copy name under Managed application in local directory field and use that name to grant it Key Vault permissions.