How to fix the Azure credential issue when working with PowerShell? - azure

When I try to provide access control to Azure using a PowerShell script, I get the error below.
Set-AzureRmKeyVaultAccessPolicy : Your Azure credentials have not been set up or have expired, please run Connect-AzureRmAccount to set up your Azure credentials.
Please provide some solution.

The error has told you: you need to log in with Connect-AzureRmAccount first to use the AzureRm PowerShell module.
Besides, you should know the AzureRM module was deprecated, so I recommend you use the new Az module. Log in with Connect-AzAccount and use the Set-AzKeyVaultAccessPolicy command.

Related

Job Suspended Run Login-AzureRmAccount to login using Azure AutomationAccounts System Managed Identity

I am trying to shut down the VM using the Azure Automation Account System Managed Identity option.
However, I am ending up with the error below.
As per the other articles, it is mentioned to upgrade the module with Update-ModulesInAutomationToLatestVersion, but I could not update due to the error below. I am not sure what the issue in the script is. The same script works with the AzureRunAsConnection option without issues (script). I even checked a simple login with the System Managed Identity; it successfully logs in and fetches the resource group names.
I have tested the above shared script in my automation account. Below are a couple of observations:
You need to use the Connect-AzureRMAccount -Identity cmdlet instead of Connect-AzAccount to connect to your subscription, because the rest of the script is written using Azure RM cmdlets.
If we use AzureRM cmdlets in the runbook script, the job gets suspended, stating that Azure RM is going to be retired and suggesting that we use the Az module in the workflow.
You can refer to this documentation on how to migrate your PowerShell scripts automatically from AzureRM to Az modules.
If you want to perform start/stop on your virtual machines, you can leverage the Azure Automation start/stop during off-hours feature.
According to the Microsoft documentation and looking at your script, the Azure RM module is not supported and it has been updated to the latest version of the Az module.
For more information, please refer to the links below:
Microsoft document | Using a system-assigned managed identity for an Azure Automation account & Troubleshoot runbook issue.
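A PowerShell runbook for the VM shutdown discussed above, written against the Az module and the system-assigned managed identity. This is an added example, not the script from the original question; the parameter names are hypothetical, and it assumes the identity has already been granted a role that permits stopping VMs (for example Virtual Machine Contributor) scoped to the resource group rather than the whole subscription.

```powershell
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,  # hypothetical parameter
    [Parameter(Mandatory)] [string] $VMName              # hypothetical parameter
)

# Stop on the first error so a failed sign-in never falls through to Stop-AzVM.
$ErrorActionPreference = 'Stop'

# Do not inherit or persist an Azure context from other jobs in the sandbox.
Disable-AzContextAutosave -Scope Process | Out-Null

# Sign in as the Automation account's system-assigned managed identity.
# No credential or Run As certificate is stored in the runbook.
$context = (Connect-AzAccount -Identity).Context
$context = Set-AzContext -SubscriptionName $context.Subscription -DefaultProfile $context

# Read the current power state first; only act on a running VM.
$vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName -Status -DefaultProfile $context
$powerState = ($vm.Statuses | Where-Object Code -like 'PowerState/*').Code

if ($powerState -eq 'PowerState/running') {
    Stop-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName -Force -DefaultProfile $context | Out-Null
    Write-Output "Stopped '$VMName' in '$ResourceGroupName'."
}
else {
    Write-Output "'$VMName' is in state '$powerState'; nothing to do."
}
```

Mixing AzureRM and Az cmdlets in one runbook is what produces the sign-in error in the question: each module keeps its own context, so every cmdlet here comes from Az.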

Connecting Azure with PS: Please try logging in with different credentials or a different subscription ID

1) I open the Azure portal with my user account john.smith@mycompany.com at subs ID "111111111111111111111111111". I can successfully create a new resource as I'm a contributor.
2) I run an Az command to create a resource and connect with the following.
Connect-AzAccount -Subscription "111111111111111111111111111"
ERROR:
Connect-AzAccount : The provided account john.smith@mycompany.com does not have access to
subscription ID "111111111111111111111111111". Please try logging in with different
credentials or a different subscription ID.
What could be wrong?
Try the following link; it might help you if you haven't figured it out already:
Connect-AzAccount - how to avoid azure device authentification?

How do you configure Azure Function authentication by code?

I want to configure the authentication for my Azure Function via code, be it PowerShell, an ARM template or an API. Is this possible?
I'm under the impression that an Azure Function is nothing more than an App Service, so I would assume it revolves around there.
https://learn.microsoft.com/en-us/powershell/module/az.websites/?view=azps-2.0.0#app_service - there doesn't seem to be anything in the powershell.
https://resources.azure.com/ doesn't seem to give much information.
Here is some documentation on how to use managed identities for App Service and Azure Functions: https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity
You could create a PowerShell function app with MSI (Managed Service Identity) enabled in a consumption plan. Here is some documentation (https://azure.microsoft.com/en-us/resources/templates/101-functions-managed-identity/) on how to do that.
Once the function app is created, you can grant it access to a given resource: https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azroleassignment?view=azps-2.0.0#examples
Lastly, the PowerShell function app comes with a profile.ps1 which contains code to authenticate against Azure via MSI out of the box.
# Authenticate with Azure PowerShell using MSI.
# Remove this if you are not planning on using MSI or Azure PowerShell.
if ($env:MSI_SECRET -and (Get-Module -ListAvailable Az.Accounts)) {
    Connect-AzAccount -Identity
}
Please give it a try and let us know if you run into any issues.
Azure Functions authentication is still pending. Currently, AFAIK, there is not a way to add authentication via code except with the Function Host Keys.
You can track the issue here on GitHub.
Using Terraform is a really good way of configuring these; a good example is below. Also, az CLI 'az webapp auth' seems to have really good support now. PowerShell still seems to be lagging behind.
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app

Azure KeyVault Access Policies - Adding App Service using Powershell and VSTS

I have an Azure Key Vault in which I want to add access policies for my MSI-enabled App Service using PowerShell.
Using the portal it's straightforward. As you can see below, I am searching by my app service name and I see both the app service and app registrations.
In the above example I selected the app service directly without registering it in Azure AD and it's working awesome.
I just need guidance to do the same using Azure PowerShell (which will run VSTS SPN).
Please help.
Thanks
Set-AzureRmKeyVaultAccessPolicy -VaultName $valutName -UserPrincipalName 'PattiFuller@contoso.com' -PermissionsToKeys create,import,delete,list -PermissionsToSecrets set,delete -PassThru
Make sure you have logged in from the PowerShell and selected the resource group where the resource exists before you run the command.
Refer documentation for more.
You need to use the Set-AzureRmKeyVaultAccessPolicy command, but with the ObjectId parameter.
Set-AzureRmKeyVaultAccessPolicy -VaultName my-keyvault -ResourceGroupName my-resource-group -ObjectId 15faf32d-146a-4985-a315-640527b6c489 -PermissionsToSecrets get
Bear in mind that MSI apps are registered as Enterprise Apps.
EDIT: Curious, what are you trying to achieve?
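The ObjectId approach from the answer above, combined with the sign-in check and the Az cmdlets recommended in the first thread on this page, as an added example that is not code from any of the original posts. The resource names are hypothetical placeholders, and the script assumes a system-assigned managed identity on the App Service.

```powershell
# Hypothetical names, constructed for this example; replace with your own.
$ResourceGroupName = 'my-resource-group'
$AppName           = 'my-app-service'
$VaultName         = 'my-keyvault'

$ErrorActionPreference = 'Stop'

# Without a context every Az cmdlet fails with "Your Azure credentials have
# not been set up or have expired". Check once, up front.
# A pipeline normally signs in as its service principal before this script runs.
if (-not (Get-AzContext)) {
    Connect-AzAccount | Out-Null
}

# The App Service's system-assigned identity is exposed as Identity.PrincipalId.
# That GUID is the object ID the access policy must reference.
$app = Get-AzWebApp -ResourceGroupName $ResourceGroupName -Name $AppName
$principalId = $app.Identity.PrincipalId
if (-not $principalId) {
    throw "App Service '$AppName' has no system-assigned managed identity enabled."
}

# Grant only what the app needs: read access to secrets, no key or
# certificate permissions. -BypassObjectIdValidation skips the directory
# lookup of the object ID, which a deployment service principal often has
# no permission to perform.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName `
    -ResourceGroupName $ResourceGroupName `
    -ObjectId $principalId `
    -PermissionsToSecrets get `
    -BypassObjectIdValidation

# Read the policy back so the deployment log records exactly what was granted.
(Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName).AccessPolicies |
    Where-Object ObjectId -eq $principalId |
    Select-Object ObjectId, PermissionsToSecrets, PermissionsToKeys, PermissionsToCertificates
```

Because the object ID is taken from the App Service itself, the policy always targets the identity that the app actually runs as, not a similarly named app registration.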

Unable to cast TokenCloudCredentials to AccessTokenCredential when calling New-AzureRmADApplication

I'm writing a PowerShell deployment script which automates the creation of my Azure resources and an accompanying ServicePrincipal.
Here is the code I'm using, which I've tested and works when run directly from PowerShell with the latest Azure 1.0.4 SDK module:
$ResourceGroupName = "my-resource-group"
$ADAppIdentifierUri = [string]::Concat("https://", $ResourceGroupName, ".azurewebsites.net")
# Generate a password for the AD application
$ServicePrincipalPassword = [Guid]::NewGuid().ToString().Replace("-", "")
# Create the Azure AD Application and service principal, and only assign access to our resource group
$AzureADApplication = New-AzureRmADApplication -DisplayName $ResourceGroupName -HomePage $ADAppIdentifierUri -IdentifierUris $ADAppIdentifierUri -Password $ServicePrincipalPassword
When I run this code using my ResourceGroup project deployment script in Visual Studio, I get the following error:
New-AzureRmADApplication : Unable to cast object of type 'Microsoft.Azure.TokenCloudCredentials' to type 'Microsoft.Azure.Common.Authentication.AccessTokenCredential'.
According to the stack trace the exception was raised at the start of the command New-AzureRmADApplication, so the exception is happening internally in the Azure SDK code unfortunately.
I've browsed the source code of the SDK in the following files and could not find any insight:
https://github.com/Azure/azure-powershell/blob/f803b991daa7eeeea1217238ab071c8d83de34be/src/ResourceManager/Resources/Commands.Resources/ActiveDirectory/NewAzureADApplicationCommand.cs
https://github.com/Azure/azure-powershell/blob/956d0ca795acfce67d8f142bf059ab2b8ab2c67b/src/ResourceManager/Resources/Commands.Resources/Models.ActiveDirectory/ActiveDirectoryClient.cs
https://www.symbolsource.org/Public/Metadata/NuGet/Project/Microsoft.Azure.Graph.RBAC/1.6.0-preview/Release/.NETFramework,Version%3Dv4.0/Microsoft.Azure.Graph.RBAC/Microsoft.Azure.Graph.RBAC/Generated/GraphRbacManagementClient.cs?ImageName=Microsoft.Azure.Graph.RBAC
I can only find one person who's encountered this same error at this link here:
https://azure.microsoft.com/en-us/documentation/articles/resource-group-authenticate-service-principal/
However, the solution there does not make sense to me because I am not using a management certificate to authenticate, and I don't have any management certificates listed on the manage.windowsazure.com site.
This is an issue (i.e. bug) when using token based authentication with the AzureRMAD* cmdlets. When you run the script from VS, VS uses the token you have from the VS sign-in to avoid prompting for auth. To work around it, you have to run it outside of VS using credentials.
There is an internal work item tracking this but if you want to monitor progress you can file an issue here: https://github.com/Azure/azure-powershell/issues/
