I have a strange problem with my PowerShell script to create Azure user accounts.
Executing command
New-AzRoleAssignment -RoleDefinitionName 'Contributor' -ObjectId "$Usr.Id" -ResourceGroupName "$rgname"
Results in exception:
New-AzRoleAssignment : Input string was not in a correct format.
At myscript.ps1:151 char:5
+ New-AzRoleAssignment -RoleDefinitionName 'Contributor' -ObjectId ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [New-AzRoleAssignment], FormatException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.NewAzureRoleAssignmentCommand
I've extracted stacktrace for this exception, and it looks like this:
at System.Number.ParseDouble(String value, NumberStyles options, NumberFormatInfo numfmt)
at Microsoft.Azure.Commands.Resources.NewAzureRoleAssignmentCommand.ExecuteCmdlet()
at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Which is super strange - I'm not using any double number here. I've dig into source code for NewAzureRoleAssignmentCommand - but there is no System.Number.ParseDouble call there.
Only thing related to double is -ConditionVersion, but I don't want to use any Coditions.
What I should check next? I'm not an advanced Azure/Powershell user, so any suggestions are welcomed!
edit:
I've tried running command manually using same parameter values, with and without quotation marks - every time I get same error
New-AzRoleAssignment -RoleDefinitionName 'Contributor' -ObjectId f01b4003-8a47-4a9d-8935-cd000c8cd9c5 -ResourceGroupName myValidResourceGrupName
Try using Azure Cloud Shell to check whether the problem might be local to your machine.
Remove the double quotes that are around $usr.id
If you'd only have a string like:
$usr = <GUID goes here>
then you could pass "$usr". But in this case, you're trying to access the Id property of the $usr object.
I would try getting your with Get-AzRoleDefinition. I tend to get the objects for everything and use the IDs. This works for me.
$Role = Get-AzRoleDefinition -Name Contributor
$ResourceGroup = Get-AzResourceGroup -Name "ResourceGroupName"
$User = Get-AzADUser -UserPrincipalName "User-UPN-Here"
New-AzRoleAssignment -ObjectId $User.Id -RoleDefinitionId $Role.Id -Scope $ResourceGroup.ResourceId
I had the same problem. This script used to work:
$qa = get-azadgroup -displayname qa;
New-AzRoleAssignment -ObjectId $qa.Id -RoleDefinitionName Owner -ResourceGroupName RG-QA
Started getting this error on one computer but not the other. When I checked the modules version for az.resources, I had 2.1.0, 2.4.0 and 2.5.0. After removing versions 2.4.0 and 2.5.0, the script worked. I have the language of Powershell set to French.
https://github.com/Azure/azure-powershell/issues/13096 it's this issue if anyone else runs into this issue. Workaround as above is to use 2.1.0 of Az.resources but should be fixed soon.
Related
As you may know, MSFT is getting rid of AzureRM cmdlets in favor of Az.
There are a lot of issues regarding this since the proposed native aliases "Enable-AzureRmAlias" seems to stop being updated.
I have a script based on AzureRM in one repo, that triggers by Azure DevOps release pipeline step function (Azure PowerShell based),
that has the following piece of code:
$var = (Get-AzureKeyVaultSecret -VaultName $vaultName-Name $Key).SecretValueText
"Enable-AzureRmAlias" command activated as well..., that converts the code like this:
$var = (Get-AzKeyVaultSecret -VaultName $vaultName-Name $Key).SecretValueText
The problem is, that ".SecretValueText" was deprecated a while ago. Instead of it, a new parameter has been added to the Get-AzKeyVaultSecret cmdlet - "-AsPlainText"
so... theoretically the final construction has to be like this:
$var = Get-AzKeyVaultSecret -VaultName $vaultName-Name $Key -AsPlainText
Challenges!
I can't upgrade the original script in the repo to Az due to the necessity of back-compatibility.
The only way to solve it - is to create some kind of alias in Azure PowerShell inline script (that triggers the main script in the repo)
I stuck with this ".SecretValueText"
My original idea to put the following into the inline script doesn't seem to be working:
function Get-AzKeyVaultSecretNew {
Param(
$vaultName,
$Key
)
$var = Get-AzKeyVaultSecret -VaultName $vaultName -Name $Key -AsPlainText
return $var
}
Set-Alias -Name Get-AzKeyVaultSecret -Value Get-AzKeyVaultSecretNew
Any ideas on how to accomplish this?
This should theoretically help your situation. You can run this code at the beginning of the PowerShell session that will be calling your scripts. You will need to make sure any necessary modules are loaded so that the secret object types are loaded.
$Script = { Get-AzKeyVaultSecret -VaultName $this.VaultName -Name $this.Name -AsPlainText }
Update-TypeData -TypeName 'Microsoft.Azure.Commands.KeyVault.Models.PSKeyVaultSecretIdentityItem' -MemberName 'SecretValueText' -MemberType ScriptProperty -Value $Script
The idea is to add the SecretValueText property back to the Microsoft.Azure.Commands.KeyVault.Models.PSKeyVaultSecretIdentityItem objects.
You can try using below workaround to replace below piece of code:
(Get-AzureKeyVaultSecret -VaultName $vaultName-Name $Key).SecretValueText
with Get-AzKeyVaultSecret -VaultName $vaultName -Name $Key -AsPlainText via using RegEx Find & Replace task. Check below steps:
1, Add task RegEx Find & Replace to replace the orginal code with the converted code. See below:
FindRegex: '\(Get-AzureKeyVaultSecret -VaultName \$vaultName -Name \$Key\)\.SecretValueText'
ReplaceRegex: 'Get-AzKeyVaultSecret -VaultName $vaultName -Name $Key -AsPlainText'
2, -AsPlainText parameter is only available in the latest az 5.3.0 version. Since the version installed in cloud agent is 4.7.0. You need to install the az 5.3.0 version before executing your script. See below. Use a powershell task to install az 5.3.0 version.
New-Item -Path "C:\Modules" -Name "az_5.3.0" -ItemType "directory"
Save-Module -Name AZ -RequiredVersion 5.3.0 -Path "C:\Modules\az_5.3.0"
3, Then you can invoke your script in the azure powershell task directly.
I am trying the execute the powershell script found at :
https://github.com/amanbedi18/Azure-KeyVault-Automation/tree/master/UploadSecrets
https://github.com/amanbedi18/Azure-KeyVault-Automation
This script is used to automate upload of secrets to azure key-vault.
I have created the below json file and named it /user/kv/AzureSecretsMetaData.json
[
{
"key": "test1",
"value": "1"
},
{
"key": "test2",
"value": "2"
}
]
I then copied contents of setKeyVaultSecrets.ps1 to /user/kv/setKeyVaultSecrets.ps1
I have tried the below commands that were mentioned in the readme and powershell script files and get the below errors, could someone please help me execute this script correctly and point out what I am doing wrong here.
./setkeyVaultSecret.ps1 -KeyVaultName 'avkv01'
setkeyVaultSecret.ps1: Parameter set cannot be resolved using the specified named parameters. One or more parameters issued cannot be used together or an insufficient number of parameters were provided.
./setkeyVaultSecret.ps1 -KeyVaultName 'avkv01' -KVSecretMetadataFilePath '/home/aditya/kv/AzureSecretsMetaData.json'
setkeyVaultSecret.ps1: Parameter set cannot be resolved using the specified named parameters. One or more parameters issued cannot be used together or an insufficient number of parameters were provided.
Any help is greatly appreciated. Thank You
If these are scripts you found, they are very poorly written and I would advise not using them. I would suggest installing the az powershell module and using those scripts as a reference in writing your own script. You can install the az powershell module with powershellget:
Install-module az -force -allowclobber
The way the script that you are trying to call is written very strangely. It defines two different parameter sets, but each of the two parameters are mandatory for BOTH parameter sets?! That doesn't make a lot of sense. If you must run them, you will probably need to modify them a bit. They don't really seem finished.. Why not modify the script and get rid of the parameter sets altogether? Also, the example in the script indicates that the "$KVSecretMetadataFilePath" parameter is not mandatory, since it is not being called, but is defined as being mandatory when defining your parameter. You need to make clear if this parameter is required or not. If it is required Make it look more like this:
<#
.PREREQUISITE
1. An Azure key vault and its name as parameter.
2. Json template should be properly populated with valid json schema in sampleSecretValues.json in KeyVaultjson directory.
.PARAMETER vaultName
The name of the key vault.
.EXAMPLE
. setKeyVaultSecret.ps1 -KeyVaultName 'somekeyvault'
#>
# provision keys and secrets to a key vault
Param(
[Parameter(Mandatory=$true)]
[String]
$KeyVaultName,
[Parameter(Mandatory=$true)]
[String]
$KVSecretMetadataFilePath
)
Install-Module -Name AzureADPreview -ErrorAction SilentlyContinue -Force
Import-Module Azure -ErrorAction SilentlyContinue
Import-Module AzureRM.Resources
Set-StrictMode -Version 3
$json = Get-Content $KVSecretMetadataFilePath | Out-String | ConvertFrom-Json
$json | ForEach {
$secretToSearch = Get-AzureKeyVaultSecret -VaultName $KeyVaultName -Name $_.key -ErrorAction SilentlyContinue
if($secretToSearch -ne $null)
{
echo "The secret $_.key already exists !"
}
Else
{
$NewSecret = Set-AzureKeyVaultSecret -VaultName $KeyVaultName -Name $_.key -SecretValue (ConvertTo-SecureString $_.value -AsPlainText -Force ) -Verbose
Write-Host
Write-Host "Source Vault Resource Id: "$(Get-AzureRmKeyVault -VaultName $KeyVaultName).ResourceId
}
}
If it is not required, remove the line "[Parameter(Mandatory=$true)]" above the $KVSecretMetadataFilePath declaration.
I'm using the following Powershell code to set tags on a bunch of Azure VMs but it doesn't seem to be working. It does not give me an error message, so it appears to run correctly, but it does not set the tags as expected. Any help would be great, perhaps it may be something easy I'm overlooking.
$group = Get-AzResourceGroup -Name my-rg
$resource = Get-AzResource -ResourceName myserver -ResourceGroupName my-rg
Set-AzResource -ResourceId $resource.ResourceId -Tag $group.Tags -Force
I'm only doing a few VMs which I'll probably put on a loop once this works. There are no tags on most of these VMs which may be overwritten.
I am trying to list who have Contributor permissions for specific resource name but when I want to use
Get-AZRoleAssignment -ResourceName "ResName"
I am receiving an error:
"Get-AzRoleAssignment : Parameter set cannot be resolved using the
specified named parameters."
However, I am sure that the mentioned resource exists as I can see it when I run the command
get-azresource -ResourceGroupName "ResGroupName"
I was trying:
Get-AZRoleAssignment -ResourceName "ResName" -ResourceGroupName "ResGroupName"
but no luck.
thanks for help
For your issue, you must miss reading the description of the parameter -ResourceName.
-ResourceName
The resource name. For e.g. storageaccountprod. Must be used in
conjunction with ResourceGroupName, ResourceType, and
(optionally)ParentResource parameters.
So your PowerShell command should like this:
Get-AZRoleAssignment -ResourceName "ResName" -ResourceGroupName "ResGroupName" -ResourceType Microsoft.Compute/virtualMachines
You can change the type as you want. And if you just get the role Contributor, you can add the parameter -RoleDefinitionName with value Contributor.
I have created a functions app and then created a function, The function name defaulted to TriggerCSharp1 or similar.
After adding code I was wondering how to change the function name so I tried Ftp'ing into the functions app and manually changed the folder name TriggerCSharp1. I went back to the Azure portal and now when I click on the function app I get an error The access token is invalid. and nothing appears beneath, see screen-shot below.
I am not sure how I can delete this function app now since I can't get in its blade. The only way I can think of now is to delete the resource group that contains this function app but that is not something I can do since I have tons of other resources in there too.
Edit:
As suggested by David, resources.azure.com is easier and requires no client bits.
Solved using Azure-CLI with the command azure site delete <site name>
One function app may contain multiple functions and hence deleting the whole function app if only one function is corrupted may be overkill. For those in this situation deleting the function folder in the Kudu console/using powershell is a better way.
USING KUDU CONSOLE
Go to https://<yourFunctionApp>.scm.azurewebsites.net
Click on DEBUG(top bar) -> CMD and in the new page that appears navigate to site -> wwwroot
Find your function there and delete it (click on the icon to the right of the Edit/pencil icon)
USING POWERSHELL
(based on this)
$username = '<publish username>' #IMPORTANT: use single quotes as username may contain $
$password = "<publish password>"
$base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $username,$password)))
$commandBody = #{
command = "rm -d -r myAzureFunction"
dir = "site\\wwwroot"
}
$deleteUrl = "https://<myFunctionApp>.scm.azurewebsites.net/api/command"
Invoke-RestMethod -Uri $deleteUrl -Headers #{Authorization=("Basic {0}" -f $base64AuthInfo)} -Method POST `
-ContentType "application/json" -Body (ConvertTo-Json $commandBody)
The publish username and publish password can be obtained as detailed here
$creds = Invoke-AzureRmResourceAction -ResourceGroupName YourResourceGroup -ResourceType Microsoft.Web/sites/config -ResourceName YourWebApp/publishingcredentials -Action list -ApiVersion 2015-08-01 -Force
$username = $creds.Properties.PublishingUserName
$password = $creds.Properties.PublishingPassword
If you wanted to do this in PowerShell, something like the following should work ...
Login-AzureRmAccount #Enter your username / pw
$funcApp = Get-AzureRmWebApp -Name "Your Function App Name"
Remove-AzureRmWebApp -WebApp $funcApp
If you have more than one subscription then make sure your using the right one. You could also add a -Confirm:$true to the remove command if you didn't want the check prompt.