I have Azure subscription where I am the owner of it. So, I have access to manage all resources.
I successfully login to Azure Account from PowerShell using command Connect-AzAccount
Now, I am trying to create a storage account using script like below:
New-AzStorageAccount -ResourceGroupName $resourceGroupName -Name
$my_storage_Acc -Location $location -SkuName Standard_LRS
But after executing the above command, I am getting the error like this:
The client with my_object_id does not have authorization to perform
action over scope(code:Authorization Failed)
Can anyone help me why I'm getting this error though I've owner role for subscription and how to get rid of that error?
As per the error, it said that you don't have enough permission to do this action. It's an authorization issue. But you said that you are the owner of this subscription. I have a question, what have you declared in the my_object_id?
To create Azure Storage Account you can use this script.
# Variables
$ResourceGroup="MyResourceGroup007"
$StorageName="webappstorage007"
$Location="West US"
# Create a Resource Group
New-AzResourceGroup -Name $ResourceGroup -Location $Location
# Create Storage Account
New-AzStorageAccount -Name $StorageName -ResourceGroupName $ResourceGroup -Location $Location -SkuName Standard_LRS
This script can create a storage account successfully. Check the following Screenshot.
Related
I am a beginner at azure-CLI.
I just wanted to find out the storage account id.
I have a resource group named 'group2' and a storage account with the name 'storageacc1'.
I tried the below PowerShell command to get storage account details :
Get-AzStorageAccount -ResourceGroupName "group2" -AccountName "storageacc11"
In the return I got StorageAccountName,ResourceGroupName,PrimaryLocation, SkuName,Kind, AccessTier,CreationTime,ProvisioningState,EnableHttpsTrafficOnly,LargeFileShares.
how to get a storage account id?
Just use the code blow:
$s = Get-AzStorageAccount -ResourceGroupName "xx" -AccountName "xx"
$s.Id
I am trying to automate the creation of certain azure resources via an Azure PowerShell script that is triggered from an Azure DevOps release pipeline. I want to create a function app, and automatically integrate reading right access to secrets in an already existing Key Vault. This Key Vault is in the same Azure subscription.
While I can create most resources following the documentation, there seems to be a lack of documentation regarding the creation of certain resources using Azure PowerShell (or I can't find it).
If I follow the sample from this link, I can accomplish it without a problem by using the UI in the Azure Portal, but I can't find any documentation on Microsoft Docs to do it using PowerShell.
Write-Host "Creating Function App..."
$fnApp = New-AzFunctionApp -Name $functionAppName `
-ResourceGroupName $emailFunctionRg `
-Location "$(AzureRegion)" `
-StorageAccount $storageName `
-Runtime dotnet `
-FunctionsVersion '3' `
-IdentityType SystemAssigned
Write-Host "Function App created!"
Write-Host "Assigning Key Vault access..."
$appId = Get-AzADServicePrincipal -DisplayName $functionAppName
Set-AzKeyVaultAccessPolicy -VaultName EmailSettings -ServicePrincipalName $appId -PermissionsToSecrets Get,List
Write-Host "Key Vault access granted!"
Running Set-AzKeyVaultAccessPolicy fails with "Insufficient privileges to complete the operation.". But I am not sure if this is the right path to follow, it was just a guess, based on the available functions in the documentation.
Any ideas?
Two potential issues to check out here:
your app creation assigns the result to $fnApp. perhaps $fnApp or as commented above, $fnApp.ApplicationId is what you should be using for the -ServicePrincipalName parameter on the access policy grant.
you don't have privileges to assign RBAC roles. Go to the Key Vault, choose Access Control, then click the Role Assignments tab and verify that your user appears in the list as an Administrator, User Access Administrator, or Owner.
Edit: With respect to the RBAC privilege, since this is running in Azure Powershell from Azure DevOps, you need to check the role assignment for the Service Connection's service principal - under Azure Active Directory in the Azure Portal, look up the principal used to create the service connection, and make sure THAT gets the correct Role on the key vault.
After a little of trial and error I just came to the conclusion I was not using the right parameter for the Set-AzKeyVaultAccessPolicy cmdlet.
The following script will work (if the service principle running it has the appropriate role, like WaitingForGuacamole mentioned in his/her answer):
Write-Host "Creating Function App..."
$fnApp = New-AzFunctionApp -Name <FnAppName> `
-ResourceGroupName <ResourceGroupName> `
-Location <AzureRegion> `
-StorageAccount <StorageAccount> `
-Runtime dotnet `
-FunctionsVersion '3' `
-IdentityType SystemAssigned
Write-Host "Function App created!"
Write-Host "Assigning Key Vault access..."
Set-AzKeyVaultAccessPolicy -VaultName <NameOfTheKeyVault> -ObjectId (Get-AzADServicePrincipal -DisplayName <FnAppName>).Id -PermissionsToSecrets <Get, List, etc...>
Write-Host "Key Vault access granted!"
In AWS we have instance IDs to identify machines. What's the equivalent in Azure and how do I find that?
I'd like to list the instance ID in powershell so I can put that into a script.
If I have not misunderstood, I suppose you want to get the InstanceId of the VM in the Azure VM Scale set.
You could try to use Get-AzureRmVmssVM to get it.
Get-AzureRmVmssVM -ResourceGroupName <ResourceGroupName> -VMScaleSetName <VMScaleSetName>
Update:
If you want to get the ResourceId of azure resource, you could use Get-AzureRmResource to do it, just specify the properties what you want.
For example:
1.Get ResourceId of the specific resource:
$resource = Get-AzureRmResource -ResourceGroupName <ResourceGroupName> -ResourceType <ResourceType> -ResourceName <ResourceName>
$resource.ResourceId
2.Get ResourceIds of all resources in the specific resource group
$resource = Get-AzureRmResource -ResourceGroupName <ResourceGroupName>
$resource.ResourceId
3.Get ResourceIds of all resources under your subscription.
$resource = Get-AzureRmResource
$resource.ResourceId
The result will like(actual result will decided by your properties):
Is there a way in Azure to create keyvault without any user? I am trying to follow the documentation but dont see any command that will achieve this in one line?
New-AzureRmKeyVault -VaultName my-test -ResourceGroupName abc -Location "Brazil South"
Any powershell command I can add above to not create any access policy or principal user?
You can use a template to create a vault with no access policy - see: https://github.com/Azure/azure-quickstart-templates/blob/master/101-key-vault-create/azuredeploy.json and just remove this: https://github.com/Azure/azure-quickstart-templates/blob/master/101-key-vault-create/azuredeploy.json#L105-L114
You can deploy that with PowerShell using New-AzureRMResourceGroupDeployment.
The New-AzureRmKeyVault create keyvault with access policy by default, if you want to achieve this in one line, you could use powershell pipeline, try the command below, it works fine on my side.
New-AzureRmKeyVault -VaultName '<VaultName>' -ResourceGroupName '<ResourceGroupName>' -Location 'East US' | Remove-AzureRmKeyVaultAccessPolicy -ObjectId "<ObjectId of your signin user or service principal>"
Update:
I suppose you create the keyvault via a user account, you could get the ObjectId via Get-AzureRmADUser,-UserPrincipalName is your account.
Complete command:
$ObjectId = (Get-AzureRmADUser -UserPrincipalName "xxxx#xxxx.com").Id
New-AzureRmKeyVault -VaultName '<VaultName>' -ResourceGroupName '<ResourceGroupName>' -Location 'East US' | Remove-AzureRmKeyVaultAccessPolicy -ObjectId $ObjectId
I have a cloud service that has two VMs in it. I'm trying to follow the steps listed in this article to reserve my cloud service's IP address.
Login-AzureRmAccount -TenantId <my tenant id>
Set-AzureRmContext -SubscriptionId <my subscription id>
New-AzureReservedIP -ReservedIPName myname -Location "Central US" -ServiceName mycloudservicename
I always get this error:
New-AzureReservedIP : ResourceNotFound: No deployments were found.
The VMs were created in the new portal but are classic mode. I'm not sure if that is somehow my problem. I've tried other combinations of cmdlets to add accounts or set subscription but nothing helps.
Any ideas?
I was fighting like 30 minutes with this. I'm not very sure why this was happening but I think was an error selecting the subscription. Last time it worked like this:
Close Azure Power Shell and Open it again.
Listed my subscriptions with: "Get-AzureSubscription" (Make sure you are logged in).
Now I can see the exact Subscription ID and use "Select-AzureSubscription -SubscriptionId XXXXXXXX"
After that the command worked.
New-AzureReservedIP -ReservedIPName "myname" -Location "South Central US" -ServiceName "myservice"
Hope it helps.
If your VMs were created in the new portal, you need to switch to the Resource Manager model, New-AzureReservedIP is only used for the classic portal services, so it prompted ResourceNotFound: No deployments were found error.
There is no AzureReservedIP in Azure RM cmdlets. In the new portal, the IP address is associated to network interface.If you want to set your VMip to be static,run the following command:
$nic=Get-AzureRmNetworkInterface -ResourceGroupName JohTest -Name johtestvm250
$nic.IpConfigurations[0].PrivateIpAllocationMethod="Static"
$nic.IpConfigurations[0].PrivateIpAddress = "10.2.0.4"
Set-AzureRmNetworkInterface -NetworkInterface $nic
If you dont know the networkinterface in your RG, run the command to see:
Get-AzureRmNetworkInterface -ResourceGroupName JohTest
More information here