I'm trying to create an Azure DevOps service endpoint to connect to Azure Resource Manager and to deploy my app into a App Service.
When I go to Azure DevOps > Project Properties and create a Service Endpoint using the UI (Automated dialog) it works fine and my app can be deployed to App Service from a yaml pipeline, BUT, when I try to replicate it thru the Azure CLI it doesn't work (the build fails to deploy complaining about the Service Principal).
This is my code:
az_account=$(az account show)
az_subscription_id=$(echo $az_account |jq -r '.id')
az_subscription_name=$(echo $az_account |jq -r '.name')
az_tenant_id=$(echo $az_account |jq -r '.tenantId')
az_service_principal=$(az ad sp create-for-rbac -n "my-app-service-principal")
az_service_principal_password=$(echo $az_service_principal|jq -r '.password')
az_service_principal_id=$(az ad sp list --all | jq -c '.[] | select( .appDisplayName | contains("my-app-service-principal"))'| jq -r '.objectId')
export AZURE_DEVOPS_EXT_AZURE_RM_SERVICE_PRINCIPAL_KEY=$az_service_principal_password
az devops service-endpoint azurerm create --azure-rm-service-principal-id $az_service_principal_id --azure-rm-subscription-id $az_subscription_id --azure-rm-subscription-name $az_subscription_name --azure-rm-tenant-id $az_tenant_id --name my-app-service-endpoint
How should I create this Service Enpoint programatically with the Azure CLI?
Updated with the Azure DevOps error:
Your script simply creates the Service Principal but it is not giving any permission to the SP.
I would add some lines like these to create a Resource Group and scope permission to it
az_service_principal_appid = $(echo $az_service_principal|jq -r '.appId')
az group create --name myrg --location westeurope
az role assignment create --role Contributor --assignee $az_service_principal_appid --resource-group myrg
Clearly you need to think how to arrange your resources and SPs: you may need many of both depending on your architecture.
Related
I am trying to pass the below variable to a inline script in the Azure CLI Job in Azure release Pipelines, to get the principal ID of an identity:
miid=$(az identity show -g Resourcegroup -n prodaks-agentpool --query "principalId" -o tsv)
I am then running the below commands to set a policy in keyvault for the identity.
call az keyvault set-policy -n proddigitalkeyvault1 --key-permissions get --object-id $miid
call az keyvault set-policy -n proddigitalkeyvault1 --secret-permission get --object-id $miid
call az keyvault set-policy -n proddigitalkeyvault1 --certificate-permissions get --object-id $miid
I receive the error: "miid is not recognized as an internal command". Is it possible to add this variable into the inline script? This script works fine when running from my own machine.
I switched my type of script to shell and removed the "call" command. This script now runs ok in Azure Devops
While Copy a production database locally with AZ CLI it has been copied successfully. But when I am integrating it into the Azure DevOps I am getting the ERROR : The Resource 'Microsoft.Sql/servers/mi-tools/databases/ABC' under resource group 'xyz' was not found.
Here is the code that I need to execute in my Pipeline.
az sql db copy --subscription $(SubscriptionName) --dest-server $(ServerName) --name $(ProductionDatabaseName) --dest-name $(CopyDatabaseName) --resource-group $(ResourceGroupName) --server $(ServerName) -f Gen5 -c 4 --compute-model Serverless
While deleting a database through the Azure DevOps pipeline it will take some time to delete. And my next line copied the database So it will execute immediately and the database not completely deleted.
You have to do it within two-step in Azure DeOps.
I am trying to deploy Spinnaker to a K8s cluster using Halyard running on an Ubuntu 16.04 VM. The Kubernetes cluster is deployed on Azure Kubernetes Service.
I am following the instructions here to add an Azure account to Halyard: https://www.spinnaker.io/setup/install/providers/azure/
I get the error in the last steps.
hal config provider azure account add my-azure-account --client-id $APP_ID --tenant-id $TENANT_ID --subscription-id $SUBSCRIPTION_ID --default-key-vault $VAULT_NAME --default-resource-group $RESOURCE_GROUP --app-key
The appKey (password) of your service principal.:
Get current deployment
Success
Add the my-azure-account account
Failure Problems in default.provider.azure: ! ERROR Error
instantiating Azure credentials: The subscription ‘XXX-XX-X-XXXXXX’
could not be found. ? Follow instructions here
https://aka.ms/azspinconfig to setup azure credentials.
Failed to add account my-azure-account for provider azure.
Has anyone successfully deployed Spinnaker on Azure using Halyard?
I see the following errors in halyard.log:
Failure Problems in default.provider.azure: ! ERROR Error
instantiating Azure credentials: The subscription ‘XXX-XX-X-XXXXXX’
could not be found.
Kindly verify the subscription ID which you are passing in Azure account.
First, make sure the provider is enabled:
hal config provider azure enable
Next, run the following hal command to add an account named my-azure-account to your list of Azure accounts:
hal config provider azure account add my-azure-account \
--client-id $APP_ID \
--tenant-id $TENANT_ID \
--subscription-id $SUBSCRIPTION_ID \
--default-key-vault $VAULT_NAME \
--default-resource-group $RESOURCE_GROUP \
--app-key
I´m using az functionapp create for creating function ap in Azure, where apparts of creating the function app it also hooks it to a bitbucket repo. I´m using parametere --deployment-source-url -u but it seems is not working this way and is giving me an error. This is done by a jenkin file pipeline
node {
stage('Azure Login') {
withCredentials([azureServicePrincipal('6-8afd-ae40e9cf1e74')]) {
sh 'az login --service-principal -u $AZURE_CLIENT_ID -p $AZURE_CLIENT_SECRET -t $AZURE_TENANT_ID'
sh 'az account set -s $AZURE_SUBSCRIPTION_ID'
}
}
stage('Build Azure FuntionApp') {
sh 'az functionapp create -g $RG_NAME -p $SP_NAME -n grey-$JOB_NAME-$BUILD_NUMBER -s $SA_NAME --deployment-source-url https:// bitbucket.org/xxxx/functions/s***strong text***rc/develop --debug'
}
If I put --deployment-source-url -u https://user#bitbucket.org I get:
ERROR: az functionapp create: error: argument
--deployment-source-url/-u: expected one argument
I tried without the -u just : --deployment-source-url https://#bitbucket.org
and the job gets done, but the link with bitbucket repos is not made. Getting this:
So how is it that this work? how come if I put user it says invalid argument and if I don´t it pases but It can find user. Does anyone ever used this command to create a function app? thanks!
If you want to create azure function via azure-cli, you could change the deployment resource url after --deployment-source-url. You could refer to my command to create a function with a blob trigger, replace the url of yours. It works fine on my side.
Note: The Access level should be public, you could check it in Settings like the screenshot below.
az functionapp create --deployment-source-url https://bitbucket.org/xxx/azure-function --resource-group resourcegroupname --consumption-plan-location westeurope --name joyfun22 --storage-account <storage_name>
Besides, you also can use a github repository to create a function.
For example, to use the command below to create a function with a blob trigger.
az functionapp create --deployment-source-url https://github.com/Joyw1/Azure-Function-Trigger --resource-group myResourceGroup --consumption-plan-location westeurope --name <app_name> --storage-account <storage_name>
Update:
If your Access level is private. You need a access token to access your bitbucket repository. Please follow the steps bellow.
1.Go to the Bitbucket Labs -> Access Management -> OAuth -> Add consumer
More details, refer to this link.
2.Enable authenticated git deployment with Azure CLI
#!/bin/bash
gitrepo=<Replace with your GitHub repo URL e.g. https://github.com/Azure-Samples/functions-quickstart.git>
token=<Replace with a GitHub access token>
# Enable authenticated git deployment
az functionapp deployment source update-token \
--git-token $token
For complete command, refer to this link.
I have 3 subscription in my Azure Account, I need to change the default subscription. When i Run the command:
azure account list
I have this output:
I have tried to change the default or current subscription on this way, with no results...
azure config set subscription {{MyIdSubscription}}
Any ideas? Thanks.
For Azure CLI 2.0 (preview) I had to use
az account set --subscription <name or id>
Please try the following:
azure account set -s {Subscription Id}
That should change the subscription.
1. List all the subscriptions you have
az account list --output table
Name CloudName SubscriptionId State IsDefault
--------------- ------------ ---------------- --------- ----------
AssociateProd AzureCloud xxxxxxxxxxxx Enabled False
2. Pick the subscription you want and use it in the command below.
az account set --subscription <subscription_id>
Use id (subscription id) that is GUID, which will be listed when you did az login
And then execute the below command..
az account set --subscription fffde5cb-cccc-aaaa-eee-457c3292608e
Try in this way.it worked for me to set Azure PowerShell to a specific Azure Subscription
Set-AzContext -SubscriptionId "t666-e251-49ce-a1cd-5c3144"
An important tip!
Be careful mixing Azure Shell and Powershell - eg. "az login" and "Connect-AzAccount"
If you use "az login" it will not reflect on commands like Get-AzContext.
So if you have powershell scripts that depend on Get-AzContext they'll fail.
Azure CLI latest (2.39.0):
az account set (--name or -n) <name>
az account set (--subscription or -s) <id>
I have created a wrapper around the Azure-CLI for this in a PiP Package, with colors.
pip install azure-account-switcher
note: it's dependent on azure-cli which downloads a lot of dependencies. So you should install in environment with azure-cli already present.