We actually have multiple azure accounts (for some valid reason) and I want to be able to run azure-cli commands for different accounts at the same time from the same machine.
The problem with that is, once I login to one azure account with azure login, token will be stored in ~/.azure directory so I am not sure if I can login into another account exactly at the same time on that machine.
Is there any way to tell azure-cli not to store token in local profile so that I can use azure-cli to connect to multiple accounts at the same time from same machine?
If you are using a windows or mac machine then the tokens are stored in Windows token manager or OSx key chain respectively. Only on Linux systems the tokens are stored in ~/.azure/azureProfile.json
However, you should still be able to login with multiple accounts on Win/Mac or Linux machines.
azure account set "subscription-name" will set the subscription as your default subscription and all the commands that you execute will run against that subscription.
Every command has a -s or --subscription switch where you can explicitly specify the subscription id. Even if the subscription belongs to a different account, it should still work if you have authenticated with that account.
For Linux system, I would suggest to create multiple user accounts and then run the CLI from those accounts. I think there could be a race condition when two commands from different accounts try to access ~/.azure/azureProfile.json.
The latest update is that the environment variable AZURE_CONFIG_DIR has been introduced and that can be set differently for each environment before az login is called.
export AZURE_CONFIG_DIR=/tmp1
az login
and on other window
export AZURE_CONFIG_DIR=/tmp2
az login
Reference: configure the AZURE_CONFIG_DIR for fixing concurrency issue
For Windows, here are steps
Go to env variables and add AZURE_CONFIG_DIR with the value of new config folder (e.x. C:\Users\YourUser\.azure-personal)
restart your cli, then run this az login --use-device-code
use the code given on step 2 and use it with whatever browser to login to new azure account
Now, one of your accounts config is in default azure folder config (C:\Users\YourUser\.azure) and new one lives in the place you specified on step 1.
if you wanna switch between them, you need to flip that env variable to point to whatever config you want
Related
I have two separate Azure accounts.
One for each project in which I am involved, these accounts are totally independent, that is, they do not share any type of resource and do not have the same domain. They are from two totally different companies.
I find that both accounts respond to me at the time of login from PowerShell and I can access those resources.
Both work with Kubernetes (kubectl) but only one of the two accounts is shown. Whatever you do always shows the content of co-owners of one and not the other.
I have the Azure CLI (v.2.0.76) and the PS version is (5.1)
someone know how to I can do?
EDIT with pictures -
Although the account is default, I am not able to access the kubernetes of the same
PS Default Account
Services from the other account..not the default account
services from other cluster
I just found the solution.
When we access from PS with Az Login and select the account, it allows us to access all the resources of that account (the one that is predetermined)
What I have done is basically see the
kubectl config view
This returns the result of all the clusters that it finds with its context. The next thing we have to do is tell kubectl what CONTEXT we want to work with in the following way:
kubectl config use-context "CONTEXT NAME"
And thats it.
I need to generate Azure Databricks token using Powershell script.
I am done with creation of Azure Databricks using ARM template , now i am looking to generate Databricks token using powershell script .
Kindly let me know how to create Databricks token using Powershell script
The only way to generate a new token is via the api which requires you to have a token in the first place.
Or use the Web ui manually.
There is no official powershell commands for databricks, there are some unofficial ones but they still require you to generate a token manually first.
https://github.com/DataThirstLtd/azure.databricks.cicd.tools
Disclaimer I'm the author of these.
UPDATE: these powershell commands can now authenticate using a service principal instead of a bearer token (or can generate a bearer token for you).
so right now there is no way to use the API directly after deploying an Azure Databricks Workspace. I assume that you want to use it as part of an CI/CD pipeline - right? Reason is that you first need to manually create an API token which you can then use for all subsequent API requests.
But I will investigate and keep you updated here!
another option is to create it via terraform.
https://registry.terraform.io/providers/databrickslabs/databricks/latest/docs/resources/token
mind you, it creates the token as whomever you az login'd as. so if you az login as yourself (when it spawns a browser asking who to log in as), that's who the token will be created as (assuming that user has permissions in the databricks workspace) and contributor (or custom read role, reader role doesn't grant the right permissions) permissions into the resource group that houses the workspace.
you can always use az login -u username#email.com -p to log in as someone else, assuming that user doesn't have MFA then run the terraform init/plan/apply. mind you, if you have a backend storage, that user also has to have permissions to that backend storage as well so it can create/update any tfstate files stored there.
We actually have multiple azure accounts (for some valid reason) and I want to be able to run azure-cli commands for different accounts at the same time from the same machine.
The problem with that is, once I login to one azure account with azure login, token will be stored in ~/.azure directory so I am not sure if I can login into another account exactly at the same time on that machine.
Is there any way to tell azure-cli not to store token in local profile so that I can use azure-cli to connect to multiple accounts at the same time from same machine?
If you are using a windows or mac machine then the tokens are stored in Windows token manager or OSx key chain respectively. Only on Linux systems the tokens are stored in ~/.azure/azureProfile.json
However, you should still be able to login with multiple accounts on Win/Mac or Linux machines.
azure account set "subscription-name" will set the subscription as your default subscription and all the commands that you execute will run against that subscription.
Every command has a -s or --subscription switch where you can explicitly specify the subscription id. Even if the subscription belongs to a different account, it should still work if you have authenticated with that account.
For Linux system, I would suggest to create multiple user accounts and then run the CLI from those accounts. I think there could be a race condition when two commands from different accounts try to access ~/.azure/azureProfile.json.
The latest update is that the environment variable AZURE_CONFIG_DIR has been introduced and that can be set differently for each environment before az login is called.
export AZURE_CONFIG_DIR=/tmp1
az login
and on other window
export AZURE_CONFIG_DIR=/tmp2
az login
Reference: configure the AZURE_CONFIG_DIR for fixing concurrency issue
For Windows, here are steps
Go to env variables and add AZURE_CONFIG_DIR with the value of new config folder (e.x. C:\Users\YourUser\.azure-personal)
restart your cli, then run this az login --use-device-code
use the code given on step 2 and use it with whatever browser to login to new azure account
Now, one of your accounts config is in default azure folder config (C:\Users\YourUser\.azure) and new one lives in the place you specified on step 1.
if you wanna switch between them, you need to flip that env variable to point to whatever config you want
I've been successful at creating and executing a snapshot script if I use gcloud auth to use my personal account. but if I have the cron run as root or as a selected user nothing happens during the cron.
I used this script https://gist.github.com/peihsinsu/73cb7e28780b137c2bcd and it works great and as the author notes: "Install gcloud and auth first" are required.
My problem is in using my personal account and not the service account.
When you execute gcloud auth login you get a very important message
Your credentials may be visible to others with access to this
virtual machine. Are you sure you want to authenticate with
your personal account?
Any thoughts or suggestions to avoid this security risk.
Took some time to figure it out. The script is valid. The tricky part is the user permissions. There are 2 user types - the OS user and the GCE user.
The gcloud uses the GCE user, which is most likely something like blabla#gmail.com. You need to figure out what is the OS user that can use GCE credentials. In my particular case (i've set up VM instance using Bitnami) the user was bitnami (NOT root!!!).
You need to make sure that:
you set up the default gcloud user your GCE user (gcloud config set account blabla#gmail.com)
your script file is executable (chmod +x)
your script file's owner is the user that has GCE credentials
you set up cron for the particular user (in my case sudo -u bitnami crontab -e)
you include full path to the script inside crontab
I have a problem when i try to configure the agent on another server.
I have installed the Server RM in one machine and i use the user with name: usr_deploy.
(This machine has an domain called: mydomain.local)
I have another server that i need map to submit files for deploy. What i do? I installed the Agent RM, using the same account and password, but when i try to configure i have the error:
(This machine has an domain called: anotherdomain.local)
(Because i´m a new user i cant post image. I found the same image in Url: http://i.stack.imgur.com/vrkpQ.jpg)
All users i used with the name usr_deploy have local account on each server.
I need to use the same account but all the accounts needs to be a domain account ?
I have very difficultily to find on the web articles or steps to make the correctly configuration.
My scenario is 1 server with the RM Server and 3 servers to make a deploy.
Anyone can help me ?
Tks!
If you don't have a trust relationship between your domains, you'll have to use shadow accounts.
MSDN:
Follow these steps to configure the Release Management Server and the
Deployment Agent on machines that run in different domains that do not
have a two-way trust relationship.
On each computer where you will install the RM Server or Deployment Agent, create a local user account that is a member of the
Administrators group. Use the same account and password on each
machine (i.e. Shadow Account).
Add the RM Server’s Shadow Account to RM and grant both “Service User” and “Release Manager” permissions.
Add the Deployment Agent’s Shadow Account to RM and grant “Service User” permission.
Use the Shadow Account as the service account when you install and configure the Deployment Agent.
Note: When you add the local accounts to Release Management, include
the name of the local machine where the account resides. For example,
add the user account as \ or
When you are configuring the shadow account as the service account in deployment agent, make sure that you logged in using the same shadow account.
write it down as
Correct way:- http://(server):(port)
Incorrect way:- http://(server):(port)/ReleaseManagement
Do not write "/ReleaseManagement/" or any other URL segments after . This will solve your problem.
for e.g. :
http://sunnyserver:1000