I am creating an Azure function connecting to execute PnP commands. I have created the certificate as mentioned in the docs. I am always getting "Cannot find certificate with this thumbprint in the certificate store".
Why this error is happening? Any settings need to be modified?
Regarding the issue, please refer to the following steps:
Create the self signed certificate
New-PnPAzureCertificate -OutPfx pnp.pfx -OutCert pnp.cer
Create Azure AD application
Configure permissions
Office 365 SharePoint Online (Application Permission)
Sites.FullControl.All
TermStore.ReadWrite.All
User.ReadWrite.All
Upload your client certificate(cer file) to the AD application
Create Function
Upload your pfx file to Azure function
az webapp config ssl upload --certificate-file "e:\cert\pnp.pfx" --name "<function app name>" --resource-group "" --certificate-password "" --query thumbprint --output tsv
Configure Function to allow the function to read the certificate
az functionapp config appsettings set --name <app-name> --resource-group <resource-group-name> --settings WEBSITE_LOAD_CERTIFICATES=<comma-separated-certificate-thumbprints>
Function code
Connect-PnPOnline -Tenant <>.onmicrosoft.com -ClientId <the appid of the ad application> -Thumbprint <comma-separated-certificate-thumbprints> -Url https://<>.sharepoint.com
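A check for the thumbprint/app-setting pair used in the last two steps, added here as an example and not part of the answer above. The point of the helpers is that the value passed to -Thumbprint must, after dropping separators and invisible characters, be 40 hex digits and must appear in WEBSITE_LOAD_CERTIFICATES (or that setting must be "*"); otherwise the platform never loads the certificate into the store the cmdlet searches, and you get exactly the error in the question. The live check assumes az is logged in; every thumbprint and setting value in the comments is constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original answer: validate the thumbprint that
# Connect-PnPOnline will look up against the WEBSITE_LOAD_CERTIFICATES setting.
set -eu

# Normalize a thumbprint the way it has to appear in the app setting: keep only
# hex digits (this also drops spaces, colons and the invisible left-to-right
# mark that copying from the Windows certificate MMC adds) and upper-case it.
normalize_thumbprint() {
  printf '%s' "$1" | tr -cd '0-9A-Fa-f' | tr '[:lower:]' '[:upper:]'
}

# A SHA-1 certificate thumbprint is exactly 40 hex characters; anything else
# can never match an uploaded certificate.
valid_thumbprint() {
  local t
  t=$(normalize_thumbprint "$1")
  [ "${#t}" -eq 40 ]
}

# Succeed when WEBSITE_LOAD_CERTIFICATES covers the thumbprint: the setting is
# either "*" (load every certificate uploaded to the app) or a comma-separated list.
thumbprint_loaded() {  # thumbprint_loaded <thumbprint> <setting-value>
  local want setting entry saved_ifs
  want=$(normalize_thumbprint "$1")
  setting=$2
  [ "$setting" = "*" ] && return 0
  saved_ifs=$IFS
  IFS=','
  for entry in $setting; do
    if [ "$(normalize_thumbprint "$entry")" = "$want" ]; then
      IFS=$saved_ifs
      return 0
    fi
  done
  IFS=$saved_ifs
  return 1
}

# Live check against a function app (assumes "az login" was done): pull the
# current WEBSITE_LOAD_CERTIFICATES value and report whether it covers the
# thumbprint you intend to pass to Connect-PnPOnline.
check_function_app() {  # check_function_app <app-name> <resource-group> <thumbprint>
  local setting
  valid_thumbprint "$3" || { echo "malformed thumbprint: $3"; return 1; }
  setting=$(az functionapp config appsettings list --name "$1" --resource-group "$2" \
    --query "[?name=='WEBSITE_LOAD_CERTIFICATES'].value" -o tsv)
  if thumbprint_loaded "$3" "${setting:-}"; then
    echo "certificate $3 will be loaded"
  else
    echo "WEBSITE_LOAD_CERTIFICATES does not list $3 (current value: '${setting:-<unset>}')"
    return 1
  fi
}

# Usage: ./check-cert.sh <app-name> <resource-group> <thumbprint>
if [ $# -eq 3 ]; then check_function_app "$1" "$2" "$3"; fi
```

If the setting already lists the thumbprint and the error persists, compare the value reported by `az webapp config ssl upload --query thumbprint` (step "Upload your pfx file") with the one in the setting after normalizing both; the two must be identical.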
Related
How to backup and restore the Azure Key vault that includes keys, secrets & cert along with RBAC?
One way is to use PowerShell or the CLI to achieve this, after you have done an az login.
keys
Export-AzKeyVaultKey and Import-AzKeyVaultKey commands in Azure PowerShell or the az keyvault key export and az keyvault key import commands in Azure CLI to export and import keys and secrets.
Certs
Export-AzKeyVaultCertificate and Import-AzKeyVaultCertificate commands in Azure PowerShell or the az keyvault certificate export and az keyvault certificate import commands in Azure CLI.
RBAC policies
Get-AzKeyVaultAccessPolicy and Set-AzKeyVaultAccessPolicy commands in Azure PowerShell or the az keyvault show and az keyvault set-policy
CLI example of how to export the keys, certs and RBAC policies to a local file
# Authenticate to Azure
az login
# Back up keys, secrets, and certificates from the key vault (each backup is an encrypted blob)
keyVaultName="<key-vault-name>"
exportFolderPath="<export-folder-path>"
az keyvault key backup --name "<key-name>" --vault-name $keyVaultName --file "$exportFolderPath/key.blob"
az keyvault secret backup --name "<secret-name>" --vault-name $keyVaultName --file "$exportFolderPath/secret.blob"
az keyvault certificate backup --name "<certificate-name>" --vault-name $keyVaultName --file "$exportFolderPath/certificate.blob"
# Export the access policies from the key vault as JSON
az keyvault show --name $keyVaultName --query properties.accessPolicies -o json > "$exportFolderPath/access-policies.json"
If you want to restore those from the local files to another key vault, this is the CLI way to do it (restore needs no --name; the blob carries it):
az keyvault key restore --vault-name $keyVaultName --file "$exportFolderPath/key.blob"
az keyvault secret restore --vault-name $keyVaultName --file "$exportFolderPath/secret.blob"
az keyvault certificate restore --vault-name $keyVaultName --file "$exportFolderPath/certificate.blob"
# set-policy takes one principal per call, so re-apply each saved access policy in turn (uses jq)
policies="$exportFolderPath/access-policies.json"
for objectId in $(jq -r '.[].objectId' "$policies"); do
  # turn {"keys":[...],"secrets":[...],"certificates":[...],"storage":[...]} into --<type>-permissions flags, skipping empty lists
  flags=$(jq -r --arg id "$objectId" '.[] | select(.objectId==$id) | .permissions | to_entries[] | select(.value != null and (.value|length) > 0) | "--\(.key|sub("s$";""))-permissions \(.value|join(" "))"' "$policies")
  az keyvault set-policy --name $keyVaultName --object-id "$objectId" $flags
done
To Back up and restore an entire keyvault
Backup-AzKeyVault -VaultName <vault_name> -FilePath <file_path>
Restore-AzKeyVault -VaultName <vault_name> -FilePath <file_path>
https://learn.microsoft.com/en-us/powershell/module/az.keyvault/backup-azkeyvault?view=azps-9.2.0
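The single-object commands above generalized to a whole vault, as an added example that is not part of the answer: enumerate every key, secret and certificate, write one backup blob per object, and restore them all into a target vault. It assumes az is logged in; vault names and the output folder are arguments. Two caveats the script's comments carry: the blobs are encrypted and can only be restored into a vault in the same Azure subscription and geography, and access policies are not inside the blobs (and vaults using the RBAC permission model have none at all), so they are exported separately.

```shell
#!/usr/bin/env bash
# Added example, not from the original answers: back up and restore every
# object in a Key Vault with the per-object backup/restore commands.
set -eu

# Object types to handle; each is also the az sub-command that lists it.
OBJECT_TYPES="key secret certificate"

# List the names of one object type in a vault, one per line.
list_objects() {  # list_objects <type> <vault>
  az keyvault "$1" list --vault-name "$2" --query '[].name' -o tsv
}

# Back up every object of every type to <dir>/<type>/<name>.blob and print how
# many blobs were written. The blob is encrypted by the service and includes all
# versions of the object.
backup_vault() {  # backup_vault <vault> <dir>
  local vault dir type name names count
  vault=$1
  dir=$2
  count=0
  for type in $OBJECT_TYPES; do
    mkdir -p "$dir/$type"
    names=$(list_objects "$type" "$vault")
    for name in $names; do
      az keyvault "$type" backup --vault-name "$vault" --name "$name" \
        --file "$dir/$type/$name.blob" >/dev/null
      count=$((count + 1))
    done
  done
  echo "$count"
}

# Restore every blob under <dir> into <vault> and print how many were restored.
# Restore takes no --name (the blob carries it) and only works into a vault in
# the same subscription and geography as the source.
restore_vault() {  # restore_vault <vault> <dir>
  local vault dir type blob count
  vault=$1
  dir=$2
  count=0
  for type in $OBJECT_TYPES; do
    for blob in "$dir/$type"/*.blob; do
      [ -e "$blob" ] || continue
      az keyvault "$type" restore --vault-name "$vault" --file "$blob" >/dev/null
      count=$((count + 1))
    done
  done
  echo "$count"
}

# Access policies are not part of the blobs; save them as JSON so they can be
# re-applied with az keyvault set-policy on the target vault.
export_access_policies() {  # export_access_policies <vault> <file>
  az keyvault show --name "$1" --query 'properties.accessPolicies' -o json > "$2"
}

# Usage: ./kv-backup.sh backup <vault> <dir>   or   ./kv-backup.sh restore <vault> <dir>
case "${1:-}" in
  backup)  backup_vault "$2" "$3" ;;
  restore) restore_vault "$2" "$3" ;;
esac
```

The backup folder holds plaintext-equivalent material in the sense that anyone who can restore it into a vault they control gets the secrets, so treat it like the vault itself (restricted storage, no build-log copies).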
As Ricky Gummadi said, one way is to use PowerShell or the CLI to achieve this.
The other method to back up and restore keys, secrets and certificates is through the Azure portal, as follows.
To back up and restore the Azure Key Vault, follow the reference document.
Keys Backup in Key Vault:
In key vault select created keys and click on Download Backup
Secrets Backup in Key Vault:
Select created Secret then click on Download Backup
Certificates Backup in Key Vault:
Restore:
Select your key vault.
Go to the type of object (secret, key, or certificate) you want to restore.
Select Restore Backup.
Go to the location where you stored the encrypted blob.
Select OK.
Reference link
I want to update the key vault secret values by getting the function app default key and service bus connection string using PowerShell/CLI script.
So, can anyone please help me out on this issue.
Based on the above requirement, we have written the below PowerShell script to pull the function app key values (default & master key) and the function app application setting (AzureWebJobsStorage) value.
Using those key values the script will create secrets in the respective key vault.
Here is the PowerShell Script:
$accountInfo = az account show
$accountInfoObject = $accountInfo | ConvertFrom-Json
$subscriptionId = $accountInfoObject.id
$resourceGroup = "<ResourceGroupName>"
$functionName = "<functionName>"
$vaultname = "<vaultName>"
## List the host keys (default function key and master key) through the ARM listKeys action; needs a prior az login
$functionkeylist = az rest --method post --uri "https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Web/sites/$functionName/host/default/listKeys?api-version=2018-11-01"
$keylistobject = $functionkeylist | ConvertFrom-Json
## To pull a specific function app setting
$appsetting = az functionapp config appsettings list --name $functionName --resource-group $resourceGroup --query "[?name=='AzureWebJobsStorage'].{Value:value}" -o tsv ## pulling the AzureWebJobsStorage setting
## This block creates the secrets for the specific app setting & the function app keys
az keyvault secret set --name "${functionName}defaultkey" --vault-name $vaultname --value $keylistobject.functionKeys.default
az keyvault secret set --name "${functionName}masterkey" --vault-name $vaultname --value $keylistobject.masterKey
az keyvault secret set --name "${functionName}webappstorage" --vault-name $vaultname --value $appsetting
Note:
In the above PowerShell script we have pulled the existing app setting AzureWebJobsStorage and created a secret in the key vault. I would suggest you change the $appsetting block to the respective function app setting to create a secret in the key vault.
Here is the sample output for reference:
Updated Answer:
Add the below code to the above PowerShell script, which will pull the service bus connection string app setting of the function app and store the connection string value as a secret in the key vault.
$serviceBusAppSetting = az functionapp config appsettings list --name $functionName --resource-group $resourceGroup --query "[?name=='azfapsb_RootManageSharedAccessKey_SERVICEBUS'].{Value:value}" -o tsv ## the app setting for the service bus connection string is named <servicebusName>_RootManageSharedAccessKey_SERVICEBUS
az keyvault secret set --name "${functionName}ServiceBusConnectionString" --vault-name $vaultname --value $serviceBusAppSetting
I'm trying to run the sample script found here: https://learn.microsoft.com/en-au/azure/service-fabric/service-fabric-quickstart-containers-linux#create-a-service-fabric-cluster
#!/bin/bash
# Variables
ResourceGroupName='containertestcluster'
ClusterName='containertestcluster'
Location='eastus'
Password='q6D7nN%6ck#6'
Subject='containertestcluster.eastus.cloudapp.azure.com'
VaultName='containertestvault'
VmPassword='Mypa$$word!321'
VmUserName='sfadminuser'
# Login to Azure and set the subscription
az login
az account set --subscription <mySubscriptionID>
# Create resource group
az group create --name $ResourceGroupName --location $Location
# Create secure five node Linux cluster. Creates a key vault in a resource group
# and creates a certificate in the key vault. The certificate's subject name must match
# the domain that you use to access the Service Fabric cluster. The certificate is downloaded locally.
az sf cluster create --resource-group $ResourceGroupName --location $Location --certificate-output-folder . --certificate-password $Password --certificate-subject-name $Subject --cluster-name $ClusterName --cluster-size 5 --os UbuntuServer1604 --vault-name $VaultName --vault-resource-group $ResourceGroupName --vm-password $VmPassword --vm-user-name $VmUserName
From the command prompt or PowerShell, I run "az login" and login, then I copy & paste this script into the console but get errors when it comes to the variables.
I see you use a shell script, which is more appropriate to run on Linux. For Windows, a PowerShell script is more suitable, and in Windows the variables need to be set like this:
$varName = 'xxxx'
So you need to change all the variables like above. And I suggest you change the script into a PowerShell script.
Trying to create a new azure eventgrid endpoint subscription based on the code in the Microsoft tutorial here errors:
az eventgrid event-subscription create --source-resource-id $topicid --name eventsubscriptionname --endpoint-type storagequeue --endpoint $queueid --expiration-date "2020-05-15"
Deployment failed. Correlation ID: xxxx. The attempt to validate the provided azure endpoint resource:xxxx failed.
The tutorial says to ensure the account has write access to the storage, which it does, I am the owner. All properties in the command have valid values and I am executing from the azure cli.
What could I be doing wrong?
That's weird... I tried on my side and I have the expected result using the following commands:
$resourcegroup="your resource group"
$storagename="your storage name"
$queuename="your queue name"
$topicname="your topic name"
$subscriptionname="your subscription name"
$storageid=az storage account show --name $storagename --resource-group $resourcegroup --query id --output tsv
$queueid="$storageid/queueservices/default/queues/$queuename"
$topicid=az eventgrid topic show --name $topicname -g $resourcegroup --query id --output tsv
az eventgrid event-subscription create --source-resource-id $topicid --name $subscriptionname --endpoint-type storagequeue --endpoint $queueid --expiration-date "2020-05-15"
I used PowerShell version 5.1.18362.752 and Azure CLI version 2.5.1.
Trying to perform an az cli login using a Service Principal and it is throwing an error stating No subscriptions found for <Service_Principal_AppId>. If this is expected, use '--allow-no-subscriptions'. This code has worked fine previously but now it does not appear to work any longer. Command line being used is below:
$sp_appid = (Get-AzureRmADServicePrincipal -DisplayName $spDisplayName).ApplicationId.Guid
$sp_secret = (Get-AzureKeyVaultSecret -VaultName $kvName -Name $appKeySecretName).SecretValueText
az login --service-principal --username $sp_appid --password $sp_secret --tenant $tenant_Id
I verified that the Service Principal is assigned the Contributor role at the subscription level.
After creating a service principal in the Azure Active Directory you need to give this new user some roles within a subscription:
go to your subscription
go to Access Control (IAM)
Add a role assignment (for instance make your service principal Contributor)
Then az login should work.
Actually, I don't recommend mixing Azure PowerShell and the CLI. If you insist on doing it: I have tried your script and could not reproduce your issue; it works fine.
According to the error, you could try to pass a --subscription, it also works.
$sp_appid = (Get-AzADServicePrincipal -DisplayName joywebapp2).ApplicationId.Guid
$sp_secret = (Get-AzKeyVaultSecret -VaultName joykeyvault1 -Name joywebapp2).SecretValueText
$tenant_Id = "xxxxxxxxxxxx"
$subscription_Id = "xxxxxxxxxxx"
az login --service-principal --username $sp_appid --password $sp_secret --tenant $tenant_Id --subscription $subscription_Id
Note: Because the AzureRM PowerShell module has been deprecated, I use the new Az PowerShell module; if you want to upgrade to Az, see this link. (It may not be the reason for the issue, but I recommend you upgrade it.)
Update:
We have to use AZ CLI simply for the property we are trying to grab...there is no PowerShell equivalent.
Actually you can log in with a service principal via PowerShell; the strong password is the secret. For more details see this post.
$azureApplicationId = "Azure AD Application Id"
$azureTenantId = "Your Tenant Id"
$azurePassword = ConvertTo-SecureString "strong password" -AsPlainText -Force
$psCred = New-Object System.Management.Automation.PSCredential($azureApplicationId, $azurePassword)
Add-AzureRmAccount -Credential $psCred -TenantId $azureTenantId -ServicePrincipal
The original problem appears to have been a transient platform problem. I went back to the same code yesterday and it worked with no issues.
For me, running cache purge worked:
az cache purge
Also, if it still does not work try printing verbose information using:
az login --verbose
I had the same issue that suddenly no subscriptions were showing up for my service principal (on 2 different build servers that I originally installed at the same time).
Updating the Azure CLI seemed to fix the issue.
Trying to az login with a Service Principal account, which does not have Role Based Access Control in its Subscription Scope, will fail with ERROR: No subscriptions found.
Moreover in recent Azure CLI, using the login command with the subscription flag would return unrecognized arguments: --subscription
Thus, to login without specifying subscription, make sure to add a role to your Service Principal account:
# Authenticate via browser
az login
# Get current subscription
subscriptionID=$(az account show --query id -o tsv)
# Create/update service account with a role (e.g. "Owner")
az ad sp create-for-rbac --name ${theServiceAccount} --role Owner --scopes /subscriptions/${subscriptionID}
# Get current tenant
tenantID=$(az account show --query tenantId -o tsv)
# Login with the updated service account
az login --service-principal --tenant ${tenantID} -u yourUser -p yourPassword
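The role-assignment requirement that runs through the answers above, as an added example that is not code from any of the posters: a sign-in helper that retries with --allow-no-subscriptions so that "credentials are fine, the principal just has no RBAC on any subscription" can be told apart from a real authentication failure, and an admin-side helper that adds a role assignment for an existing principal only when none is present (instead of re-running create-for-rbac, which also rotates the secret). The appId, secret, tenant and subscription id are assumed inputs; Contributor is an assumed default role, narrower than the Owner used in the answer above.

```shell
#!/usr/bin/env bash
# Added example, not from the original answers: diagnose "No subscriptions
# found" for a service principal login and fix the RBAC side of it.
set -eu

# One login attempt; output is discarded, only the exit status matters.
# -p also accepts a certificate path. A secret on the command line is visible in
# the process list, so on shared hosts prefer a certificate or a federated credential.
sp_login() {  # sp_login <appId> <secret> <tenant> [extra az login args...]
  local app secret tenant
  app=$1
  secret=$2
  tenant=$3
  shift 3
  az login --service-principal -u "$app" -p "$secret" --tenant "$tenant" "$@" >/dev/null 2>&1
}

# Prints one of: ok | no-rbac | auth-failed
diagnose_sp_login() {  # diagnose_sp_login <appId> <secret> <tenant>
  if sp_login "$1" "$2" "$3"; then
    echo ok
  elif sp_login "$1" "$2" "$3" --allow-no-subscriptions; then
    # Tenant-level sign-in works, so the credentials and tenant are right; the
    # CLI simply sees no subscription for this principal. Either no role is
    # assigned on any subscription (fix with ensure_subscription_role below) or
    # the assignment exists and the CLI's cached state is stale (az cache purge,
    # then retry with a current CLI).
    echo no-rbac
  else
    # Wrong or expired secret, or wrong --tenant; rerun with az login --verbose.
    echo auth-failed
  fi
}

# Run this as an identity that can manage RBAC (for example the browser login
# in the answer above). Prints "present" if the principal already has a role at
# the subscription scope (directly or inherited), otherwise assigns one and
# prints "created".
ensure_subscription_role() {  # ensure_subscription_role <appId> <subscriptionId> [role]
  local scope count
  scope="/subscriptions/$2"
  count=$(az role assignment list --assignee "$1" --scope "$scope" \
    --include-inherited --query 'length(@)' -o tsv)
  if [ "$count" != 0 ]; then
    echo present
  else
    az role assignment create --assignee "$1" --role "${3:-Contributor}" --scope "$scope" >/dev/null
    echo created
  fi
}

# Usage: ./sp-login.sh <appId> <secret> <tenantId>
if [ $# -eq 3 ]; then diagnose_sp_login "$1" "$2" "$3"; fi
```

After `ensure_subscription_role` reports "created", a plain `az login --service-principal` (without --allow-no-subscriptions) succeeds for that principal; if it still does not, the cached-state fixes from the answers above (az cache purge, upgrading the CLI) are the next thing to try.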