I am trying to use Add-AzVMSshPublicKey cmdlet to update ssh key on existing Azure linux VM , command executed without an issue but key hasnt been updated on server.
Is there any other way available where i can able to achieve OR any Azure cli command to do same ?
The Add-AzVMSshPublicKey cmdlet is used to add the public keys for SSH for a virtual machine, when only creating the VM. If you use the command with Update-AzVM, the command will error. So it does not use to add the keys after VM is created.
The following example updates the SSH key for the user azureuser on the VM named myVM.
az vm user update \
--resource-group myResourceGroup \
--name myVM \
--username azureuser \
--ssh-key-value ~/.ssh/id_rsa.pub
You can use the above CLI commands to append the new public key text to the ~/.ssh/authorized_keys file for the admin user on the VM. This does not replace or remove any existing SSH keys. You can SSH into that VM to remove the old public key if you would like to remove it.
Read Manage administrative users, SSH, and check or repair disks on Linux VMs using the VMAccess Extension with the Azure CLI for more details.
Alternatively, you can reset the SSH key from the Azure portal---> reset password.
Related
I am trying to create linux VM with azure cli from local machine. I was able to create VM using following command but now when I want to ssh into the VM, I need to have public key on my local machine?
How can I get the required public key to connect to vm using ssh azureuser#publicIpAddress? Where are the ssh keys generated by --generate-ssh-keys and how to get it?
az vm create \
--resource-group myResourceGroup \
--name myVM \
--image UbuntuLTS \
--admin-username azureuser \
--generate-ssh-keys
I used PowerShell 7.0 with elevated privileges to run the above command
Solved
Update 1:
SSH keys are generated in c:\users\.ssh\ when you use --generate-ssh-keys switch
If there are already file with name id_rsa & id_rsa.pub then it might be conflicting and you can use another switch --ssh-key-values /path/to/public/key to specify different file name
After that if you get Permissions for 'private-key' are too open error then follow steps mentioned here
From MSDN for --generate-ssh-keys:
Generate SSH public and private key files if missing. The keys will be stored in the ~/.ssh directory.
Which will by default create a private id_rsa and public id_rsa.pub SSH key pair in the ~/.ssh directory if they don't exist. If you already have existing SSH keys in that location, it will just use those and not overwrite them.
On Windows this is the C:\Users\username\.ssh directory.
Additionally, you could also pass in a specific SSH public key path with --ssh-key-values:
az vm create \
--resource-group myResourceGroup \
--name myVM \
--image UbuntuLTS \
--admin-username azureuser \
--ssh-key-values /path/to/public/key
This is particularly useful if you have created SSH keys in another location with ssh-keygen.
As #Ash pointed out in the comments, you could have a look at Generate keys automatically during deployment for more information.
You can find it under
C:\Users\<<your-user-name>>\.ssh
When you create a VM for the first time you get the below message as well
SSH key files 'C:\Users\<<your-user-name>>\.ssh\id_rsa' and
'C:\Users\<<your-user-name>>\.ssh\id_rsa.pub' have been generated under ~/.ssh
to allow SSH access to the VM. If using machines without permanent
storage, back up your keys to a safe location.
For subsequent VM creations, the same key pair is used and you don't see the message again.
(I verfied using Windows OS, creating a linux VM with RedHat:RHEL:7-RAW:7.4.2018010506 image via Azure CLI)
I am building an Azure DevOps pipleline using Terraform. The pipeline creates a Linux server and then logs into the Linux server to update packages and install Apache.
I am currently storing the private key in my BitBucket repo (I know, this is not best practice), which are then pulled down onto the build agent server and then I login to the new server with the following command:
ssh -f -q -o BatchMode=yes -o StrictHostKeyChecking=no -i ../private_key.pem ubuntu#$ip sudo apt update -y
What is the best way to store and then retrieve the private key within Azure DevOps?
Two options I can think of:
1) Create an ssh service connection in azure DevOps. Reference the service connection in your pipeline. https://medium.com/#sibeeshvenu/ssh-deployment-task-in-azure-pipelines-b0e2923bd7b4
2) Store the SSH key as an Azure Key Vault secret and then download the secret using the Azure CLI during the build.
az keyvault secret download --name mysshkey --vault-name mykeyvault --file ~/.ssh/id_rsa
Authenticate the Azure CLI using a service principal, and supply the credentials to the pipeline using a variable group.
I found that Azure DevOps provides you a feature to upload secret files are part of the build. You can see more information here:
https://learn.microsoft.com/en-us/azure/devops/pipelines/library/secure-files?view=azure-devops
I am working through the instructions outlined here to try and set up a Couchbase cluster on Azure Container Service (AKS). That tutorial is using terminal/Mac, and I'm using Powershell/Windows.
I'm getting an error before I even get to the Couchbase part. I successfully created a resource group (which I called "cb_ask_spike", and yes it does appear on the Portal) from the command line, but then I try to create an AKS cluster:
az aks create --resource-group cb_aks_spike --name cbakscluster
I also tried:
az aks create --resource-group cb_aks_spike --name cbakscluster --generate-ssh-keys
In both cases, I get an error:
az aks create: error: Incorrect padding
I don't know what this error message means, and I can't seem to find any reference to it in the documentation or anywhere. What am I doing wrong?
I'm using azure-cli v2.0.31.
I am fairly confident that I solved why I'm getting this error, and I've updated issue 6142 on azure-cli. At this time, I believe this is a bug, and it's not fixed, but there is a workaround.
First it's important to note that --generate-ssh generates a new ssh key in ~/.ssh
I had a hunch that since ~ for me is "C:\Users\Matthew Groves" that the space in the path was causing the problem. Sure enough, I created a new account called "mgroves". ~ is now "C:\Users\mgroves" and voila, I don't get the "incorrect padding" error message anymore.
So, the workaround is either to use a new account (huge pain) or rename the folder (this is what I have done, and it's also a huge pain and I'm still finding little problems here and there all throughout my system because of it.
In addition to the now approved answer there is a solution that doesn't require you to change any directory or account name and is also easy to implement as well.
As correctly stated in the other answers the Azure CLI cannot handle the actual location where the generated SSH keys will be stored if there is a space in the path. I.e. C:\Users\Admin Account\.ssh\.
When using the az aks create command you can either use --generate-ssh-keys to let the Azure CLI handle it, OR you can specify an already existing SSH key with --ssh-key-value.
I used Git Bash to generate a new SSH key pair in the C:\Users\Admin Account\.ssh\ directory:
ssh-keygen -f ~/.ssh/aks-ssh
Now create the Azure AKS cluster while pointing to this new SSH key with:
az aks create \
--resource-group YourResourceGroup \
--name YourClusterName \
--node-count 3 \
--kubernetes-version 1.16.8 \
--ssh-key-value ~\.ssh\aks-ssh.pub
And you are good to go!
Just verified today using az cli in Powershell for version 2.0.31. You might need to first run the az group and then create az aks command. Screenshot for your reference.
How you add SSL Cert to an existing azure Linux VM from Azure Key vault. for windows we use the following command
$vaultId=(Get-AzureRmKeyVault -ResourceGroupName $resourceGroup -VaultName $keyVaultName).ResourceId
$vm = Add-AzureRmVMSecret -VM $vm -SourceVaultId $vaultId -CertificateStore "My" -CertificateUrl $certURL
Is there a similar one like this for linux vm? Is there a link similar to this for linux Secure IIS web server with SSL certificates on a Windows virtual machine in Azure
You could use Azure Cli to do this. Using following command.
secret=$(az keyvault secret list-versions \
--vault-name $keyvault_name \
--name mycert \
--query "[?attributes.enabled].id" --output tsv)
vm_secret=$(az vm format-secret --secret "$secret")
az vm update -n shui -g shuikeyvault --set osProfile.secrets="$vm_secret"
Then the certificate stores on /var/lib/waagent, you could use Azure Custom Script to use it.
Note: You should use "$vm_secret", I test in my lab, only $vm_secret does not work for me.
ssh-copy-id -i ~/.ssh/id_rsa.pub aht#myserver. But if you have rights to the VM but not the original key, you want to use azure vm reset-access to do so. It is in fact documented as a standalone ability:
help: -M, --ssh-key-file path to public key PEM file or SSH Public key file for SSH authentication (valid only when os-type is "Linux")
of course, it doesn't say what ELSE should happen here in order to ADD the key I provide to the currently running VM I'm targeting. But the result needs to be that if I specify a user that already exists, and there's a key already there, this one needs to be added to the directory.
You'll note that in Azure/azure-linux-extensions#295, https://github.com/Azure/azure-linux-extensions/issues/295 believes that using azure vm set-extensions ,then reset-access is broken.
Update a Key Vault for use with VMs
Set the deployment policy on an existing key vault with az keyvault update. The following updates the key vault named myKeyVault in the myResourceGroup resource group:
Azure CLI
Copy
az keyvault update -n myKeyVault -g myResourceGroup --set properties.enabledForDeployment=true
I've used this command to deploy a Kubernetes cluster in Azure:
az acs create -n acs-cluster -g acsrg1 -d applink789 --generate-ssh-keys
Everything is working- I can connect to the cluster with kubectl. Now I want to define an SSH step in a Continuous Delivery pipeline. The documentation indicates that this command created a public/private key pair. Where is the private key stored? I've looked in the .ssh, .kube, and .azure folders in my home directory but I can't tell if any of those values are the private key.
Figured it out- the documentation says the keys will be generated if they are missing. If the id_rsa keypair is present in the .ssh hidden directory, it is used. Connected with Putty using the azureuser default account.