Azure Powershell script throwing 'Forbidden' - azure

I have a PowerShell script that is throwing an error. I am trying to create an Alert Action Group through PowerShell. The last line is throwing the error.
$TenantId = Get-AzTenant | select Id
Connect-AzAccount -TenantId $TenantId.Id -SubscriptionName $SubscriptionName
$Receiver1 = New-AzActionGroupReceiver -Name $ActionGroupReceiver -EmailReceiver -EmailAddress $EmailAddress
Set-AzActionGroup -Name $ActionGroup -ResourceGroup $Rg -ShortName $ActionGroupShortName -Receiver $Receiver1
I have Owner access to the subscription and can confirm that all of these variables have appropriate values.
The same code worked for a different subscription in the same tenant where I have Contributor access. This is probably an access issue; however, I am not able to figure out why I am getting Forbidden even with Owner access.
Edit - Error text
Set-AzActionGroup : Exception type: ErrorResponseException, Message:
Microsoft.Azure.Management.Monitor.Models.ErrorResponseException: Operation returned an invalid status code 'Forbidden'
at Microsoft.Azure.Management.Monitor.ActionGroupsOperations.d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Azure.Management.Monitor.ActionGroupsOperationsExtensions.d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Azure.Management.Monitor.ActionGroupsOperationsExtensions.CreateOrUpdate(IActionGroupsOperations
operations, String resourceGroupName, String actionGroupName, ActionGroupResource actionGroup)
at Microsoft.Azure.Commands.Insights.ActionGroups.SetAzureRmActionGroupCommand.ProcessRecordInternal()
at Microsoft.Azure.Commands.Insights.MonitorCmdletBase.ExecuteCmdlet(), Code: Null, Status code:Null, Reason
phrase: Null
At C:\Users\YashTamakuwala\Desktop\live_traffic\Alerts\Alerts\CreateActionGroup.ps1:25 char:1
Set-AzActionGroup -Name $ActionGroup -ResourceGroup $Rg -ShortName $A ...
+ CategoryInfo : CloseError: (:) [Set-AzActionGroup], PSInvalidOperationException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Insights.ActionGroups.SetAzureRmActionGroupCommand

I found the problem. I tried performing the same action through the portal but couldn't. Got this error.
There were policies in place to prevent such activities. Also, the requests from PowerShell are tracked in Activity Logs, which, in hindsight, I should have looked into. So I temporarily disabled the policies and was able to run the script successfully.
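As an added example (not code from the original question or answer), this is how the Activity Log check the answer mentions can be done from PowerShell: pull the failed action-group write out of the Activity Log and list the policy assignments that apply to the resource group, so the deny can be traced to a specific policy before anything is changed. It assumes a context is already selected with Connect-AzAccount and reuses the $Rg variable from the script above.

```powershell
# Added example, not part of the original post. Assumes Az.Monitor and
# Az.Resources are installed and Connect-AzAccount has already been run.

function Get-FailedActionGroupWrite {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [int] $Hours = 24
    )
    # Failed operations on action groups in the last $Hours hours. Caller,
    # OperationName and SubStatus identify who attempted what; the HTTP status
    # code and message returned by ARM sit in Properties.Content.
    Get-AzActivityLog -ResourceGroupName $ResourceGroupName `
                      -StartTime (Get-Date).AddHours(-$Hours) `
                      -Status Failed -DetailedOutput |
        Where-Object { $_.OperationName.Value -like 'Microsoft.Insights/ActionGroups/*' } |
        ForEach-Object {
            [pscustomobject]@{
                Time       = $_.EventTimestamp
                Caller     = $_.Caller
                Operation  = $_.OperationName.Value
                SubStatus  = $_.SubStatus.Value
                StatusCode = $_.Properties.Content['statusCode']
                Message    = $_.Properties.Content['statusMessage']
            }
        }
}

function Get-PolicyAssignmentForResourceGroup {
    param([Parameter(Mandatory)] [string] $ResourceGroupName)
    # Assignments that apply to this resource group, including ones inherited
    # from the subscription or management group. The display name and policy
    # definition id are on the returned objects (property layout varies between
    # Az.Resources versions, so the objects are returned unshaped).
    $scope = (Get-AzResourceGroup -Name $ResourceGroupName).ResourceId
    Get-AzPolicyAssignment -Scope $scope
}

# $Rg is the resource group variable from the script in the question.
Get-FailedActionGroupWrite -ResourceGroupName $Rg | Format-Table -AutoSize
Get-PolicyAssignmentForResourceGroup -ResourceGroupName $Rg | Format-List
```

A policy deny shows up as a failed entry with the caller's identity, so the same query also tells you whether the block is policy rather than RBAC, which a Forbidden with Owner access alone does not.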

Related

ADO Release pipeline AzurePowershell task fails on Connect-AzAccount

I have a very annoying issue with one of our servers running our self-hosted agents.
We have a Release pipeline containing Azure PowerShell tasks (Task version 5.*). The 'Use PowerShell Core' option is switched on.
The scripts run perfectly on 'server_1', but on 'server_2' the task fails during initialisation / Connect-AzAccount. Please note that the logging below is thus the initialisation of the Azure PowerShell task, and not our own script.
Log 'server_1':
2022-10-04T13:20:47.8917865Z ##[command]Import-Module -Name C:\Program Files\WindowsPowerShell\Modules\Az.Accounts\1.6.6\Az.Accounts.psd1 -Global
2022-10-04T13:20:48.8314051Z ##[command]Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue
2022-10-04T13:20:50.2298081Z ##[command]Clear-AzContext -Scope Process
2022-10-04T13:20:50.3313243Z ##[command]Connect-AzAccount -ServicePrincipal -Tenant xxxxxxxxxxxxxxxxxx -Credential System.Management.Automation.PSCredential -Environment AzureCloud #processScope
2022-10-04T13:20:51.1463087Z ##[command] Set-AzContext -SubscriptionId yyyyyyyyyyyyyyyyyyyy -TenantId xxxxxxxxxxxxxxxxxx
2022-10-04T13:20:52.4233903Z ## Az module initialization Complete
2022-10-04T13:20:52.4241534Z ## Beginning Script Execution
Log 'server_2':
2022-10-04T12:54:16.3415330Z ##[command]Import-Module -Name C:\Program Files\WindowsPowerShell\Modules\Az.Accounts\1.6.6\Az.Accounts.psd1 -Global
2022-10-04T12:54:17.0951601Z ##[command]Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue
2022-10-04T12:54:17.4023735Z ##[command]Clear-AzContext -Scope Process
2022-10-04T12:54:17.4838081Z ##[command]Connect-AzAccount -ServicePrincipal -Tenant xxxxxxxxxxxxxxxxxx -Credential System.Management.Automation.PSCredential -Environment AzureCloud #processScope
2022-10-04T12:54:17.6673926Z ##[error]Unable to read beyond the end of the stream.
2022-10-04T12:54:17.6860076Z ##[error]Initializing Az module failed: For troubleshooting, refer: https://aka.ms/azurepowershelltroubleshooting
2022-10-04T12:54:17.7781536Z ##[error]There was an error with the service principal used for the deployment.
The versions of the Azure PowerShell modules Az and Az.Accounts are the same on both servers.
PowerShell 5 and PowerShell 7 have been installed on both servers.
'server_1' OS is Windows Server 2016 Datacenter
'server_2' OS is Windows Server 2012 R2 Datacenter
When I run a PowerShell 5 console on the servers and use Connect-AzAccount with a service principal, I also see the same behaviour (server_1 successful, server_2 unsuccessful).
The details of the -debug are:
DEBUG: AzureQoSEvent: CommandName - Connect-AzAccount; IsSuccess - False; Duration - 00:00:47.2917018; Exception - System.IO.EndOfStreamException: Unable to read beyond the end of the stream.
at System.IO.__Error.EndOfFile()
at System.IO.MemoryStream.InternalReadInt32()
at Microsoft.IdentityModel.Clients.ActiveDirectory.TokenCache.Deserialize(Byte[] state)
at Microsoft.Azure.Commands.Common.Authentication.Core.ProtectedFileTokenCache.ReadFileIntoCache(String cacheFileName)
at Microsoft.IdentityModel.Clients.ActiveDirectory.TokenCache.OnBeforeAccess(TokenCacheNotificationArgs args)
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.<RunAsync>d__57.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.<AcquireTokenForClientCommonAsync>d__33.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.<AcquireTokenAsync>d__56.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Azure.Commands.Common.Authentication.ServicePrincipalTokenProvider.AcquireTokenWithCertificate(AdalConfiguration config, String appId, String thumbprint)
at Microsoft.Azure.Commands.Common.Authentication.ServicePrincipalTokenProvider.GetAccessTokenWithCertificate(AdalConfiguration config, String clientId, String certificateThumbprint, String credentialType)
at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment, String tenant, SecureString password, String promptBehavior, Action`1 promptAction,
IAzureTokenCache tokenCache, String resourceId)
at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.AcquireAccessToken(IAzureAccount account, IAzureEnvironment environment, String tenantId, SecureString password, String promptBehavior, Action`1 promptAction)
at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.Login(IAzureAccount account, IAzureEnvironment environment, String tenantId, String subscriptionId, String subscriptionName, SecureString password, Boolean
skipValidation, Action`1 promptAction, String name, Boolean shouldPopulateContextList)
at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.<>c__DisplayClass92_0.<ExecuteCmdlet>b__0(AzureRmProfile localProfile, RMProfileClient profileClient, String name)
at Microsoft.Azure.Commands.Profile.Common.AzureContextModificationCmdlet.ModifyContext(Action`2 contextAction)
at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.SetContextWithOverwritePrompt(Action`3 setContextAction)
at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.ExecuteCmdlet()
at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord();
Questions:
What could cause this task to fail when it runs on 'server_2' while succeeding on 'server_1', or how could I find the root cause of the ##[error] logs so that it leads to a solution?

AzCopy v10.5.1: error copying from file share to blob container

I'm getting an error trying to copy all files from an Azure File Share to a Blob Container within the same Storage account.
$rg = "[REDACTED]"
$storageAccount = "[REDACTED]"
$storageAccountKey = (Get-AzStorageAccountKey -ResourceGroupName $rg -AccountName $storageAccount ).Value[0]
$context = New-AzStorageContext -StorageAccountName $storageAccount -StorageAccountKey $storageAccountKey
$sourceSAS = New-AzStorageShareSASToken -Context $context -ExpiryTime (Get-Date).AddHours(24*3) -Permission "rdw" -ShareName "[REDACTED]" -FullUri
$destSAS = New-AzStorageContainerSASToken -Context $context -ExpiryTime (Get-Date).AddHours(24*3) -Permission "rdw" -Name "[REDACTED]" -FullUri
azcopy.exe copy $sourceSAS $destSAS --recursive=true
and getting this error:
INFO: Scanning...
INFO: Failed to create one or more destination container(s). Your transfers may still succeed if the container already exists.
INFO: Any empty folders will not be processed, because source and/or destination doesn't have full folder support
failed to perform copy command due to error: cannot start job due to error: cannot list files due to reason -> github.com/Azure/azure-storage-blob-go/azblob.newStorageError, /home/vsts/go/pkg/mod/github.com/!azure/azure-storage-blob-go#v0.10.0/azblob/zc_storage_error.go:42
===== RESPONSE ERROR (ServiceCode=AuthorizationPermissionMismatch) =====
Description=This request is not authorized to perform this operation using this permission.
RequestId:b0027090-a01e-0088-18c7-6ff7a6000000
Time:2020-08-11T10:08:06.6069744Z, Details:
Code: AuthorizationPermissionMismatch
GET https://[REDACTED].blob.core.windows.net/[REDACTED]?comp=list&delimiter=%2F&include=metadata&restype=container&se=2020-08-14t10%3A03%3A25z&sig=-REDACTED-&sp=rwd&sr=c&sv=2018-11-09&timeout=901
User-Agent: [AzCopy/10.5.1 Azure-Storage/0.10 (go1.13; Windows_NT)]
X-Ms-Client-Request-Id: [efe44227-df00-47e1-74e4-f7a8670e0ace]
X-Ms-Version: [2019-02-02]
--------------------------------------------------------------------------------
RESPONSE Status: 403 This request is not authorized to perform this operation using this permission.
Content-Length: [279]
Content-Type: [application/xml]
Date: [Tue, 11 Aug 2020 10:08:06 GMT]
Server: [Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0]
X-Ms-Client-Request-Id: [efe44227-df00-47e1-74e4-f7a8670e0ace]
X-Ms-Error-Code: [AuthorizationPermissionMismatch]
X-Ms-Request-Id: [b0027090-a01e-0088-18c7-6ff7a6000000]
X-Ms-Version: [2019-02-02]
if I try these 2 work fine:
azcopy.exe copy "C:\TEMP" $destSAS --recursive=true
azcopy.exe copy "C:\TEMP" $sourceSAS --recursive=true
I have Owner access role in the subscription.
I found this issue on GitHub and posted there:
https://github.com/Azure/azure-storage-azcopy/issues/518
Any ideas?
Cheers
When you request the SAS token, you need to make sure you grant list permission as well, the correct syntax for this is rwdl. I have included the reference for the command as well should you need it here.
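As an added example (not code from the original question or answer), the following checks a SAS URL before it is handed to AzCopy: the sp= query parameter carries the permission letters (the failing request above shows sp=rwd, with no l), and se= carries the expiry. The sample URL is constructed to mirror the failing request; the account and container names in it are placeholders.

```powershell
# Added example, not part of the original post. Parses the SAS query string of a
# storage URL and compares the granted permission letters against what the job
# needs, flagging both missing letters and letters beyond least privilege.
function Test-SasPermission {
    param(
        [Parameter(Mandatory)] [string] $SasUri,    # full URI including the SAS token
        [Parameter(Mandatory)] [string] $Required   # e.g. 'rwdl' as the answer recommends
    )
    $query  = ([uri]$SasUri).Query.TrimStart('?')
    $params = @{}
    foreach ($pair in ($query -split '&')) {
        $k, $v = $pair -split '=', 2
        $params[$k] = [uri]::UnescapeDataString([string]$v)
    }
    $granted = [string]$params['sp']
    $missing = $Required.ToCharArray() | Where-Object { $granted.IndexOf($_) -lt 0 }
    $extra   = $granted.ToCharArray()  | Where-Object { $Required.IndexOf($_) -lt 0 }
    # The cmdlets emit the expiry as lowercase ISO 8601 ('...t10:03:25z'); upper-case
    # it so .NET parses it as UTC.
    $expires = [datetime]::Parse(([string]$params['se']).ToUpper(), $null, 'RoundtripKind')
    $nowUtc  = (Get-Date).ToUniversalTime()
    [pscustomobject]@{
        Granted    = $granted
        Missing    = -join $missing
        Extra      = -join $extra
        ExpiresUtc = $expires.ToUniversalTime()
        Expired    = $expires.ToUniversalTime() -lt $nowUtc
        Ok         = ($missing.Count -eq 0) -and ($expires.ToUniversalTime() -gt $nowUtc)
    }
}

# Constructed sample with the same shape as the 403 request in the question
# (sp=rwd). Account, container and signature are placeholders.
$sample = 'https://contoso.blob.core.windows.net/backup?se=2030-01-01t00%3A00%3A00z&sig=PLACEHOLDER&sp=rwd&sr=c&sv=2018-11-09'
Test-SasPermission -SasUri $sample -Required 'rwdl'   # Missing = 'l', Ok = False
```

Running it against $sourceSAS and $destSAS from the script above shows the missing list permission directly, without waiting for AzCopy's AuthorizationPermissionMismatch.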

Azure Runbook Authentication failed

I have created Azure runbooks under an Azure Automation account to process a large Azure Analysis Services Tabular model.
When I attempt a full Tabular model process via PowerShell it times out at just after an hour of runtime.
Start: 8:47:50 AM
End: 9:48:25 AM
Command Start
Invoke-ProcessASDatabase -server "asazure://---" -DatabaseName "---" -RefreshType Full
Command End
Error Start
Invoke-ProcessASDatabase : Failed to save modifications to the server. Error returned: 'Timeout expired. The timeout
period elapsed prior to completion of the operation.. The exception was raised by the IDbCommand interface.
Technical Details:
RootActivityId: ---
Date (UTC): ---
The command has been canceled.. The exception was raised by the IDbCommand interface.
The command has been canceled.. The exception was raised by the IDbCommand interface.
The command has been canceled.. The exception was raised by the IDbCommand interface.
The command has been canceled.. The exception was raised by the IDbCommand interface.
The command has been canceled.. The exception was raised by the IDbCommand interface.
The command has been canceled.. The exception was raised by the IDbCommand interface.
'.
At line:3 char:1
Invoke-ProcessASDatabase -server "asazure://--- ...
+ CategoryInfo : InvalidArgument: (---:String) [Invoke-ProcessASDatabase],
OperationException
+ FullyQualifiedErrorId : Microsoft.AnalysisServices.PowerShell.Cmdlets.ProcessASDatabase
Error End
I then broke the process down to the partition level. The partition processes also run successfully for about an hour, processing over 100 partitions, but then start getting authentication errors.
How can I get a full Tabular model process completed running under an Azure runbook?
Start: 8:59:50 PM
End: 10:06:28 PM
Command Start
Invoke-ProcessPartition -PartitionName "2018_Q4" -TableName "FACT_AR" -server "asazure://---" -Database "---" -RefreshType Full
Command End
Error Start
Invoke-ProcessPartition : Authentication failed.
Technical Details:
RootActivityId: ---
Date (UTC): ---
At line:104 char:1
Invoke-ProcessPartition -PartitionName "2018_Q4" -TableName "FACT_AR ...
+ CategoryInfo : NotSpecified: (:) [Invoke-ProcessPartition], ConnectionException
+ FullyQualifiedErrorId :
Microsoft.AnalysisServices.ConnectionException,Microsoft.AnalysisServices.PowerShell.Cmdlets.ProcessPartition
Error End
Welcome to Stack Overflow :)
Your issue looks similar to this -> Exceed 3 hours timeout Automation Runbook Azure. Please check whether the answers given there help to resolve your issue.
Also, you may read about fair share in the Microsoft documentation below.
https://learn.microsoft.com/en-us/azure/automation/automation-runbook-execution#fair-share
Hope this helps!!
It turned out the credential was somehow corrupted. Dropped the credential and re-created it and the job worked.

Set-AzureRmDiagnosticSetting : Exception type: CloudException, Message: Metric category 'AllMetrics' is not supported

I am getting below exception:
Exception type: CloudException, Message: Metric category 'AllMetrics' is not supported.
This happens when running the Azure PowerShell command Set-AzureRmDiagnosticSetting for any Storage Account; the same command works fine for other resource types like Key Vault, Service Bus, Load Balancers etc.
Azure PowerShell command:
Set-AzureRmDiagnosticSetting -ResourceId $ResourceId -Enable $true -RetentionInDays 365 -RetentionEnabled $true
Exception details:
Set-AzureRmDiagnosticSetting : Exception type: CloudException, Message: Metric category 'AllMetrics' is not
supported., Code: BadRequest, Status code:BadRequest, Reason phrase: Bad Request
At line:1 char:1
+ Set-AzureRmDiagnosticSetting -ResourceId '/subscriptions/c1ddf901-1db ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Set-AzureRmDiagnosticSetting], PSInvalidOperationException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Insights.Diagnostics.SetAzureRmDiagnosticSettingCommand
Screenshot
Also tried specifying parameter -StorageAccountId $StorageAccountIdLogs with different Storage Account resource ID, still getting same exception.
Metric category 'AllMetrics' is not supported.
According to the error message, AllMetrics is not supported for Azure Storage Accounts.
To enable metrics of Storage Account, you could use Set-AzureStorageServiceMetricsProperty.
You could refer to my sample command, it works fine on my side.
$Context = New-AzureStorageContext -StorageAccountName <StorageAccountName> -StorageAccountKey <StorageAccountKey>
Set-AzureStorageServiceMetricsProperty -ServiceType Blob -MetricsType Hour -MetricsLevel Service -PassThru -RetentionDays 10 -Version 1.0 -Context $Context
For more details, refer to this article.

Connecting to Azure Service Fabric cluster from Azure VM

I am trying to connect to my Azure Service Fabric cluster from a new Azure virtual machine I just set up. But when I use the Connect-ServiceFabricCluster cmdlet I get the following error message:
Connect-ServiceFabricCluster : An error occurred during this operation. Please check the trace logs for more details.
At line:1 char:1
+ Connect-ServiceFabricCluster -ConnectionEndpoint ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Connect-ServiceFabricCluster], FabricException
+ FullyQualifiedErrorId : CreateClusterConnectionErrorId,Microsoft.ServiceFabric.Powershell.ConnectCluster
The command I am using in PowerShell is (values are obfuscated):
Connect-ServiceFabricCluster -ConnectionEndpoint {ENDPOINT ADDRESS} -FindType FindByThumbprint -FindValue {THUMBPRINT} -X509Credential -ServerCertThumbprint {THUMBPRINT} -StoreLocation CurrentUser -StoreName My
When I use the exact same command on my development PC it is working just fine. Any suggestions on what is going wrong and how I might debug this is welcome!
Ensure that you have your client certificate installed on the VM at the location indicated in the parameters to the Connect-ServiceFabricCluster cmdlet.