I have Azure Pipeline setup with Azure CLI task
I am using Service Connection. In az cli task I want to retrieve current Service Connection details (like appId name objectId etc..) which I am using to run this task.
az ad sp show required id parameter, which will not work in my case. I want to know that id dynamically
Is there any way to get current SP details?
You can now use a checkbox to expose the service principal id, secret and tenant in the Azure CLI script.
You can get your current session context with
az account show
and then simply get some extra details on the service principal
az ad sp show --id <guid>
and application
az ad app show --id <guid>
I found Service principle is in Azure Active Directory. And i cannot add them to azure devops service connection. What i can add is Azure subscription or azure resource group.
Not sure show how did you add your applications to azure service connection.
If you want to get the connection details. You can try az accout show for azure subscription, or az group show --name for azure resource group
Ran into this same issue, and found out the simplest possible way to get the SP Id in Azure Cli task in the pipeline:
First, define in the task addSpnToEnvironment like this:
- task: AzureCLI#2
continueOnError: true
inputs:
addSpnToEnvironment: true
scriptLocation: inlineScript
After that, you can get the SP Id from $env:servicePrincipalId and use it like this:
az deployment group create ... --parameters SPId=$env:servicePrincipalId
Combine with Adam Marczak's solution with python in one liner,
az ad sp show --id $(az account show| python -c 'import json,sys;print json.load(sys.stdin)["user"]["name"]')
Related
There are many questions similar to mine, but I hit a wall finding what I want, please help.
I am running Azure Dev ops pipeline within the organization "MyOrganization" and in the project "MyProject". The service connection or subscription I am connected to is "Subscription-Id" (something like this: abc123-def456..xyz3265)
Pipeline has several tasks.
The first task is a powershell taks that creates Azure Resource Group and then an Azure Key vault. (NewKeyVault)
Second task, will scan another existing key vault (SourceKeyVault) and copy its secrets into the NewKeyVault. I know how to do this and it works just fine when I run the powershell tasks from within my PCwhen I explicitly log in with my log in to azure.
Howerer, here when ran under Azure Dev Ops pipleline, I get error that the "logged in" user has no permissions to Create, get list, etc.. to the secrets.
I want to automatically assign access policy to newly created key vault.
If using the web portal, I can see the Devops as a registered application and can do it. I don't know how to access it from within power shell task within the devops running pipeline.
Based on your expectation, you may consider using the Azure CLI pipeline task, where you can run az keyvault set-policy command to configure keyvault access policies for specific user.
az keyvault set-policy -n $(TheAzureKeyVaultName) --secret-permissions get list --object-id $(UserPrincipalGUID)
See more information on az keyvault set-policy.
steps:
- task: AzureCLI#2
displayName: 'Azure CLI '
inputs:
azureSubscription: 'ARM_Svc_Cnn_Auto_Sub1'
scriptType: ps
scriptLocation: inlineScript
inlineScript: 'az keyvault set-policy -n $(TheAzureKeyVaultName) --secret-permissions get list --object-id $(UserPrincipalGUID)'
This task requires to use the Azure Resource Manager service connection to authenticate and login Azure.
For the automatically created ARM service connection, you can use this API to find out which service principal that the ARM service connection is referenced to az login.
In my case, the ARM service connection is referencing the service principal MyDevOpsOrg-TheProjectName-MySubID which is the contributor of my target KeyVault (inherited from subscription) and has sufficient permission to set key vault access policy.
I was able to resolve an issue in a simple manner - I am using Azure Power shell
script that creates the key vault itself
New-AzKeyVault -VaultName $newKvName -ResourceGroupName $resourceGroupName -Location $location
(all the variables referenced with $ are arguments passed to the script)
And then I get the context for a logged in principal
(AzDevOps pipeline is a principal in itself, registered in Azure AD)
#This gives a context object, which has principal
#id as a property of.
$Context = Get-AzContext
Then I set that principal as access policy
Set-AzKeyVaultAccessPolicy -VaultName $newKvName -ServicePrincipalName $Context.Account.Id -PermissionsToSecrets Get,List,Set
I have enabled the identity in azure web app, it has created one object id. I want to pull the object id using PowerShell, like that I want to pull all the app service using powershell command
You could use this command:
(Get-AzWebApp -Name <Your_WebApp_Name> -ResourceGroupName <Your_ResourceGroup>).Identity.PrincipalId
As per this MSDoc, we have alternate command to get the Azure WebApp Service Principal ID.
Display name must be your WebApp Name
Get-AzADServicePrincipal -DisplayName "Core52022"
To check whether you got the correct ID, you can verify it in Azure Active Directory
Navigate to the Portal => Azure AD => Enterprise applications,remove all the filters and in search box type your Web App name
Finally I got the answer for this. I try to get my identity id in my webapp, so to get this using below command in PowerShell
Command:
az webapp identity show --name yourwebappname --resource-group resrourcegroupname --query principalId
Example:
az webapp identity show --name ph-prod-blue-portal --resource-group test_resource --query principalId
you will get the below result
"abc-def-ghi-ijk-lnmkop"
I created a keyvault and secrets from the MS docs and confirmed that I can list the keyvault and secrets from an Azure CLI session. When somebody else granted my access to another keyvault in our Azure tenant, I am not able to list that vault from the Azure CLI.
The CLI command I am using is : 'az keyvault list'
I have compared the individual policies applied in two vaults, and have 'owner' role access to both. I can see the vaults and secrets when I use a browser to navigate to the azure portal.
Thanks in advance for any suggestions on what I should check.
I suppose the keyvault is in another subscription in your Azure AD tenant, in Azure CLI, you could just use az keyvault list to list the keyvaults in the default subscription, if you want to do operations in another subscription, you need to set the subscription with it.
Navigate to the keyvault which you want to list in the portal, copy the Subscription ID like below.
Then run the command below before you list the keyvaults.
az account set --subscription <Subscription ID>
az keyvault list
In my case, my login had expired, but unlike with other commands, I did not get a warning to that effect. It simply returned the [] empty list.
Renewing my login with az login allowed az keyvault list to work.
In my case I had to go to the subscription / RG where the key-vault was and give the user / service principal the Reader role. You can do that by clicking on the subscription/RG and then selecting "Access Control (IAM)" on the left side. And then add the role assignment. Instructions - https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal?tabs=current
My pipe in bitbucket:
- pipe: microsoft/azure-cli-run:1.0.2
variables:
AZURE_APP_ID: $AZURE_APP_ID
AZURE_PASSWORD: $AZURE_PASSWORD
AZURE_TENANT_ID: $AZURE_TENANT_ID
Where is AZURE_APP_ID? On Azure -> App Services I can see a table with my apps but no application id. And what password is it? I haven't set a password anywhere. And tenant id?
First you need to create an Azure service principal in your azure subscription to enable connecting bitbucket to azure services.
When you create the service principal you will get a set of information after successful creation from which you can extract the app ID and tenant ID. This is via azure CLI.
az ad sp list --show-mine --query '[].{"id":"appId", "tenant":"appOwnerTenantId"}'
This information along with your azure password is what you need to supply to the bitbucket pipeline to enable deployment from your repo to azure.
Currently im trying to create dynamic environments via AzureDevops.
One of these steps to achieve this is to take a copy of our production databases and place them in a temp resource group (Production Subscription) and then move the sql server and associated databases to our non-production subscription. From here we then create the web apps and deploy code.
When i run this via Az Cli i am able to move the resources with the following
SQLSERVERID=$(az resource show -g $RSGNAMETEMP -n $SQLSERVERNAME --resource-type "Microsoft.Sql/servers" --query id --output tsv)
az resource move --destination-group $RSGNAME --ids $SQLSERVERID --destination-subscription-id $SANDBOXSUBSCRIPTIONID
However when i run this via AzureDevops i get the following error
ERROR: The client (...) with object id (...) has permission to perform action on scope however, it does not have permission to perform action (...) on the linked scope(s).
I believe this problem is happening when you configure the AZ Cli step in AzureDevops you select the Subscription from the drop down list. The account / service principal only has access rights to that specific subscription and not to multiple. Is it possible to configure a service principal (that can be used in AzureDevops) that can connect to multiple subscriptions?
Yes, just go to Azure portal, navigate to the desired subscription blade, go to Access Control, press + sigh at the top and add your principal as a contributor to the subscription.
to find service principal name use this:
Click Manage link in the Azure Subscription field in your VSTS job, it will navigate you to a new blade. Click Manage Service Principal there. It will take you to the application page in Azure AD. After that you can copy name under Managed application in local directory field and use that name to grant it Key Vault permissions.