I want to create a VM instance on azure through ansible/shell script from my machine.
ways i have found
Installing az cli on my machine, az login and create instance.
Problem with az cli :In this way i can create instance but i need a session login for infinite time unless i logout. If i logout or system logs me out then i have to login manually with portal to cli which i don't want.If there is any automate process to login with keys or passwords.
can anyone suggesst me how can i acheive ?
For your requirement, you can use the service principal to login both for the Azure CLI and ansible. In this way, it works as the username and password so that you need not log in with portal.
You can follow steps via the Azure CLI command to create the service principal and use it to log in. And the ansible steps here.
Related
I have started using Azure Pipelines with GitHub backed account and created my first organization. I do not have any projects in that organization. I also do not have any subscriptions on portal.azure.com. I want to list available project in my organization using Azure CLI - basically - to get an empty list, because there are no projects yet.
When I type
az login --allow-no-subscriptions
I login successfully using a browser. But all the other Azure CLI commands that I issue afterwards will fail, and ask to login. What's in the name?
After a successful az login, when I type
az devops login --organization https://dev.azure.com/my-org-name-i-will-not-tell-you/
it prompts me for token, which is confusing, because from the official documentation:
If you have already signed in with az login interactively or using user name and password, then you don't have to provide a token as az devops commands now support sign in through az login.
I am confused, why I cannot login. Do I need to create a subscription on portal.azure.com to login? I don't want to do it, and don't' see why that will be necessary for my task.
If you login through
az login --allow-no-subscriptions
there is no need to call az devops login as you have access to Azure DevOps. Anf if you want to configure default organization, you can always use az devops configure
But it looks like mistake on CLI or documentation. I would recommend you create an issue for this page on GitHub.
The documentation indicates if you have already signed in with az login interactively or using user name and password, then you don't have to provide a token as az devops commands now support sign in through az login. In my opinion, the az devops commands here doesn't include az devops login command, as you don't need to run az devops login command after you running az login command.
I have created a docker container and generated final artifact of my azure function app code. Azure Cli is already installed in the container. Is it possible to deploy to Azure using Azure Cli and pass the credentials along?
I tried the following command (example credentials):
az functionapp deployment user set --user-name "MY_USER" --password "MY_PASS" --subscription "MY_SUBSCRIPTION"
But it results in the following error:
Subscription 'MY_SUBSCRIPTION' not recognized. ValidationError: Please run 'az login' to setup account.
If I login (which requires entering a pass code to a browser), then the command above seems to be working.
This is going to be part of CI/CD and manual login is not a solution. Any ideas?
You would need to use a service principle to authenticate. But since you mentioned you are using Jenkins, fortunately there are rich set of plugins available for different Azure resources which can handle the authentication for you if you setup in your Jenkins dashboard. For example, in this case you are using az cli for which you can install https://plugins.jenkins.io/azure-cli/
Yes, you need to be authenticated. Here you have several authentication options: Sign in with Azure CLI
Authenticating with a service principal is the best way to write secure scripts or programs
Sign in with a service principal
I have successfully created a docker image that runs inside a docker container. The container successfully executes the image (a .NET app) but the image crashes shortly after startup because it encounters an error with Azure Services. The reason is because the docker container is attempting to access Azure Services to fetch an authorization token (to fetch secrets from a key vault) and does not have authority to do so.
I should note that it is possible to run the app locally outside of a container via the Azure CLI after using az login to verify my credentials. Then, when the app is started via Azure CLI, it is 'allowed' to access Azure Services to get autho tokens and consequentially fetch data from my key vault.
Would like to know if there is a way to run an az login script with credentials inside a docker container before the .NET app image executes, so that I can start the application from within the Azure CLI (inside the container) after my credentials have been verified. I have looked through the documentation and have not seen a way to configure something like this.
To use the Azure CLI and login inside the container, you need to install the Azure CLI inside the container, then login with an non-interactive model. I would recommend the service principal. You can take a look at the command:
az login --service-principal -u <app-url> -p <password-or-cert> --tenant <tenant>
For more details, see Create an Azure service principal with Azure CLI. After login, then you can start your application as need.
Here are 2 options which don't require Azure CLI in the container, Azure Managed Identity from within a docker container running locally,
inject an access token into the container using ENV variable
use device authentication flow to obtain an access token
I read this answers a while ago. I was looking for the similar solution but using the service principal. I found that Docker can run Kubernetes and there is AAD-Pod-Identity https://github.com/Azure/aad-pod-identity which can do work for me, but it doesn't work for Docker Kubernetes. I forked their Go repository and make modification for mic component. Now it works for Docker Kubernetes, not sure whether Azure team has plans get these modifications on board or not.
You can get detailed instructions how to get things running here: https://github.com/Wallsmedia/aad-pod-identity
Azure CLI would not work for a Docker, because you have setup Azure CLI and login and then run your application.
I'm trying to list virtual machines in azure from inside another virtual machine in azure. I mean, what I want to do is list backend members from the frontent. BUT I don't want to use credentials in my front end and I want to use roles.
For example, in AWS you can assign roles (EC2::DescribeInstance) to instances and use this command:
aws ec2 describe-instances --query 'Reservations[].Instances[].[PrivateIpAddress]' --output text --filters Name=instance-state-name,Values=running Name=tag:myapp-member,Values=myapp-backend
I can run that command without expose my credentials in any place.
If I run something like this on Azure
az vm list
It says I need to login first.
And I can't find how to assign roles to the instance.
Thanks a lot
Cheers
For your purpose, you can use the VM Managed Identity to log in for the Azure CLI, this way will not store any credential in the VM. But first, you need to assign the roles to your VM. And to assign the roles, you can use the Azure CLI command az role assignment create and the steps in Assign a managed identity access to a resource using Azure CLI. Or just in the Azure Portal, you can follow the steps in Assign a managed identity access to a resource by using the Azure portal. The PowerShell command is also available.
When the role is created, you can use the Azure CLI command az login --identity to log in without credential.
Note: You need to install the Azure CLI in the VM first.
I need to use the azure cli from within a linux virtual machine. There are two contraints:
cannot use/store the credentials used for creating the VM on the VM.
the login/authentication need to be automated (non-interactive)
On AWS, I can use instance profiles for such scenario, but I am unable to find any feasible approach for Azure. Any help is greatly appreciated.
If you are using Azure CLI 2.0, you can use az login with the --msi parameter to log in using the Virtual Machine's identity. See the az login documentation for more information.
az login —msi has been deprecated (See here) as of v2.0.22.
The new method is to use the —identity option. ie. az login —identity. See az login docs for more information.
This is how it was resolved for me ,
you need to be logged in to azure portal in your browser
type az login --use-device-code in your ssh terminal
It gives you a URL and a code , enter the URL in the same browser that you were logged in to azure portal and enter the code in the pop up window
choose your email user for the azure portal in the next window and
you will be logged in to azure cli in your ssh terminal