Using Azure-Cli to deploy an azure function to azure from Jenkins

I have created a docker container and generated final artifact of my azure function app code. Azure Cli is already installed in the container. Is it possible to deploy to Azure using Azure Cli and pass the credentials along?
I tried the following command (example credentials):
az functionapp deployment user set --user-name "MY_USER" --password "MY_PASS" --subscription "MY_SUBSCRIPTION"
But it results in the following error:
Subscription 'MY_SUBSCRIPTION' not recognized. ValidationError: Please run 'az login' to setup account.
If I login (which requires entering a pass code to a browser), then the command above seems to be working.
This is going to be part of CI/CD and manual login is not a solution. Any ideas?

You would need to use a service principal to authenticate. But since you mentioned you are using Jenkins, fortunately there is a rich set of plugins available for different Azure resources which can handle the authentication for you if you set them up in your Jenkins dashboard. For example, in this case you are using az cli, for which you can install https://plugins.jenkins.io/azure-cli/

Yes, you need to be authenticated. Here you have several authentication options: Sign in with Azure CLI
Authenticating with a service principal is the best way to write secure scripts or programs
Sign in with a service principal
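
An added example (not from the original posts) of the service-principal sign-in the answers above recommend, written as shell functions for a CI job step. The variable names `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_TENANT_ID` and `AZURE_SUBSCRIPTION_ID` and the function names are assumptions; the credentials are expected to come from the CI credential store, never from the script or the image.

```shell
# Added example: non-interactive Azure CLI login for a CI job.
# Assumed inputs (injected by the CI credential binding, not set here):
#   AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID, AZURE_SUBSCRIPTION_ID

# Fail if any required variable is unset or empty, without printing values.
require_sp_env() {
  sp_missing=0
  for sp_name in AZURE_CLIENT_ID AZURE_CLIENT_SECRET AZURE_TENANT_ID AZURE_SUBSCRIPTION_ID; do
    eval "sp_val=\${$sp_name:-}"
    if [ -z "$sp_val" ]; then
      echo "missing required variable: $sp_name" >&2
      sp_missing=1
    fi
  done
  unset sp_val
  return "$sp_missing"
}

# Log in as the service principal and pin the subscription.
sp_login() {
  require_sp_env || return 1
  set +x  # never trace the secret into the build log
  # Per-job token cache, so nothing is left in ~/.azure on a shared agent.
  _SP_CFG_DIR="$(mktemp -d)" || return 1
  AZURE_CONFIG_DIR="$_SP_CFG_DIR"
  export AZURE_CONFIG_DIR
  # Note: -p places the secret in the process arguments for the duration
  # of the call, so run this only on agents you control.
  az login --service-principal \
    -u "$AZURE_CLIENT_ID" -p "$AZURE_CLIENT_SECRET" \
    --tenant "$AZURE_TENANT_ID" --output none || return 1
  az account set --subscription "$AZURE_SUBSCRIPTION_ID"
}

# End the session and delete the cached tokens; safe to call twice.
sp_logout() {
  [ -n "${_SP_CFG_DIR:-}" ] || return 0
  az logout >/dev/null 2>&1 || true
  rm -rf -- "$_SP_CFG_DIR"
  unset _SP_CFG_DIR AZURE_CONFIG_DIR
}

# Typical use in a job step:
#   trap sp_logout EXIT
#   sp_login && az functionapp list --output table
```

Registering `sp_logout` with `trap ... EXIT` removes the token cache even when a later deployment command fails.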

Related

do you need to login - using `az devops login` - when AZURE_DEVOPS_EXT_PAT is set?

Do I still need to login using az devops login in cli to work on Azure DevOps when I already have PAT set using environment variable?
I tried the code below on three workstations but it keeps failing on third workstation:
Ubuntu running in Azure
Ubuntu running locally in the container in my laptop
WSL (Ubuntu) running locally in my laptop
export AZURE_DEVOPS_EXT_PAT=******************
organization="https://dev.azure.com/myorg/"
az devops project list --organization $organization
Note that I am able to retrieve the project list from the first two "workstations" without invoking az devops login, but unable to retrieve so on my WSL, and I am getting the following error message:
Before you can run Azure DevOps commands, you need to run the login command(az login if using AAD/MSA identity else az devops login if using PAT token) to setup credentials. Please see https://aka.ms/azure-devops-cli-auth for more information.
Any idea of what would contribute to this inconsistency?

az devops login Failed to store PAT using keyring; falling back to file storage

I've installed AZ DEVOPS extension from az cli
az extension add --name azure-devops
az devops login --organization https://myorg.com
But when I insert my DEVOPS Personal Access Token, it fails with the following error.
Failed to store PAT using keyring; falling back to file storage.
You can clear the stored credential by running az devops logout.
Refer https://aka.ms/azure-devops-cli-auth to know more on sign in with PAT.
I'm trying to access from a Linux CentOS 7 machine to automate DevOps Pipeline creation.
Does someone know how to fix this issue?
As a prerequisite, your Azure CLI version must be 2.0.49 at a minimum. You can use az --version to validate.
After you add the az extension, you could also run az login to sign in.
If you have already signed in with az login interactively or using user name and password, then you don't have to provide a token as az devops commands now support sign in through az login.
When you are using the az devops login command, first make sure you are using an Azure DevOps Service organization URL. Example: https://dev.azure.com/MyOrganizationName. Azure DevOps Server/TFS is not supported at present.
For Azure DevOps tokens, you need to make sure the token is valid and has enough scopes to authorize your specific tasks.
For more details, please refer to our official tutorial here: Sign in with a Personal Access Token (PAT)

Azure CLI Login within Docker Container

I have successfully created a docker image that runs inside a docker container. The container successfully executes the image (a .NET app) but the image crashes shortly after startup because it encounters an error with Azure Services. The reason is because the docker container is attempting to access Azure Services to fetch an authorization token (to fetch secrets from a key vault) and does not have authority to do so.
I should note that it is possible to run the app locally outside of a container via the Azure CLI after using az login to verify my credentials. Then, when the app is started via Azure CLI, it is 'allowed' to access Azure Services to get auth tokens and consequently fetch data from my key vault.
Would like to know if there is a way to run an az login script with credentials inside a docker container before the .NET app image executes, so that I can start the application from within the Azure CLI (inside the container) after my credentials have been verified. I have looked through the documentation and have not seen a way to configure something like this.
To use the Azure CLI and log in inside the container, you need to install the Azure CLI inside the container, then log in with a non-interactive model. I would recommend the service principal. You can take a look at the command:
az login --service-principal -u <app-url> -p <password-or-cert> --tenant <tenant>
For more details, see Create an Azure service principal with Azure CLI. After login, you can start your application as needed.
Here are 2 options which don't require Azure CLI in the container, Azure Managed Identity from within a docker container running locally,
inject an access token into the container using ENV variable
use device authentication flow to obtain an access token
I read these answers a while ago. I was looking for a similar solution but using the service principal. I found that Docker can run Kubernetes and there is AAD-Pod-Identity https://github.com/Azure/aad-pod-identity which can do the work for me, but it doesn't work for Docker Kubernetes. I forked their Go repository and made modifications to the mic component. Now it works for Docker Kubernetes; not sure whether the Azure team has plans to get these modifications on board or not.
You can get detailed instructions how to get things running here: https://github.com/Wallsmedia/aad-pod-identity
Azure CLI would not work for a Docker, because you have setup Azure CLI and login and then run your application.

Creating vm instance on azure through shell or ansible?

I want to create a VM instance on Azure through an ansible/shell script from my machine.
Ways I have found:
Installing az cli on my machine, az login and create instance.
Problem with az cli: In this way I can create an instance, but I need a session login for infinite time unless I log out. If I log out or the system logs me out, then I have to log in manually with the portal to the CLI, which I don't want. Is there any automated process to log in with keys or passwords?
Can anyone suggest how I can achieve this?
For your requirement, you can use the service principal to login both for the Azure CLI and ansible. In this way, it works as the username and password so that you need not log in with portal.
You can follow steps via the Azure CLI command to create the service principal and use it to log in. And the ansible steps here.

Using Azure CLI in Jenkins pipeline

I'm trying to use the Jenkins pipeline with Azure using this tutorial: https://learn.microsoft.com/en-us/azure/jenkins/execute-cli-jenkins-pipeline with the exception that I have Jenkins on localhost (running Win7).
The build works as expected, but deployment fails on the line in Jenkinsfile where the 'az login...' script should run, with a 'command not found' error.
withCredentials([azureServicePrincipal('...')]) {
sh '''
'az login ..'
I am able to use the 'az' commands in the command line outside of Jenkins.
Am I missing something? Any help would be appreciated.
You need to add Azure service principal to Jenkins credential. Please refer to the link you provided.
If you don't have a service principal, you could use Azure CLI 2.0 to create a new one. Please refer to this link: Create an Azure service principal with Azure CLI 2.0.
withCredentials([azureServicePrincipal('<mySrvPrincipal>')])
<mySrvPrincipal> is the credential ID you set.
Note:
When you add Azure service principal to Jenkins credential, click Verify Service Principal, please ensure you also see Successfully verified the Microsoft Azure Service Principal.
