I am writing an auto deployment service and I am already able to create my App Service resource via ARM Template using the ARM API but now I need to deploy the content there, Im planning use the Kudu Zip deployment API (https://github.com/projectkudu/kudu/wiki/Deploying-from-a-zip-file) but Im missing how to set or get the deploy username and password automatically through some api based process (not using the UI).
I know the site credentials are actually account-tied users, if you know a different kind of credential can be used to deploy, please point me the direction that would allow me release without a specifc person-oriented credential (an app credential instead)
If you want to get the publish credentials, you could use the
Web Apps - List Publishing Credentials Rest API to do that.
POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{name}/config/publishingcredentials/list?api-version=2016-08-01
About how to call the Azure Resource Manager REST API, please refer to this tutorial.
We also could use Azure SDK to get the publish credentials. For more information about how to use Kudu API or Azure SDK to get the publish credential, please refer to another SO thread.
Related
I am able to create a new Azure App Service on my Azure subscription from VS code. If I then try to deploy my python web application to the App Service that I just created I get a "401 - Unauthorized: Access" error. If I logon to the Azure portal I can view my newly created App Service. I can see on the Access Control page that I am listed as a contributor. I am not sure why I can not deploy my code or view files. Does anyone have suggestions as to security settings to check? I need to be able to deploy my code. Thank you.
#Kachopsticks, Apologies! If my response is to too late. To benefit the community, sharing the steps that could help isolate such issues:
There is a way to disable basic auth access to the WebDeploy port and SCM site with basicPublishingCredentialsPolicies, see if this is the case.
basicPublishingCredentialsPolicies --parent sites/ --set properties.allow=false
https://learn.microsoft.com/azure/app-service/deploy-configure-credentials?tabs=cli#webdeploy-and-scm
You could re-download the publish profile from Azure portal, and import publish settings in Visual Studio for deployment.
In the Azure portal, open the Azure App Service.
Go to Get publish profile and save the profile locally.
A file with a .publishsettings file extension has been generated in the location where you saved it and you may import that in VS and then attempt to re-deploy.
Additionally, Azure App Service supports two types of credentials for local-Git and FTP/S deployment:
User-level credentials one set of credentials for the entire Azure account.
App-level credentials (one set of credentials for each app. It can be used to deploy to that app only) -. They can't be configured manually, but can be reset anytime. For a user to be granted access to app-level credentials via (RBAC), that user must be contributor or higher on the app (including Website Contributor built-in role). Readers are not allowed to publish, and can't access those credentials.
I am trying to follow https://blogs.msdn.microsoft.com/tfssetup/2016/04/01/build-and-deploy-azure-web-apps-using-team-foundation-serverservices-vnext-builds/.
I have no issues deploying the web app manually from Visual Studio using PublishingSettings and Publish option. I just want to automate the process and I am stuck at this step:
The article clearly advises
Select the Certificate Based connection. This is very important when
you are trying to deploy. Credential based Microsoft Account
(#outlook, #hotmail) are no longer supported and only Organizational
accounts are. Even then, if they use Two-Factor Authentication(2FA),
the build will fail trying to connect to Azure.
This is correct and if I try to use Credentials, my deployment fails with unknown_user_type: Unknown User Type
There was an error with the Azure credentials used for deployment. message.
So >> Certificate. But in my PublishSettings file there is no Management Certificate and as per this article
Azure Management Certificates and Publishing Setting files (...) are
only intended and limited to manage Azure Service Management (ASM)
resources
I tried this option:
But VSTS is not connected to the Azure environment (considering that Azure belongs to one Customer and VSTS to another, is it even possible?).
My questions:
* Is it the deployment somehow possible with PublishSettings file?
* Should the "Credentials" option work if I am using an organizational account Me#Company.com?
* How else can I try?
EDIT
Your solution could be creating a service principal in Azure and connect it to VSTS. The automatic Build from VSTS should then be published to Azure automatically. Here you find how to setup the service principal and connect it to VSTS: https://www.petri.com/connect-visual-studio-team-services-azure-using-service-principal-name
I am not sure right now, whether you are using TFS or VSTS?! When I publish a Web App in VSTS, the ARM Service Endpoints works well:
I want to send daily email with my application.
Background
My application has web.api which created .net core & published on Azure app api (Paas).
API has it's own authentication mechanism(JWT token) & it's used dependancy injection. It read configuration value ex. Database, Redis cache, bob storage connection string from Azure key vault
Solution
1)If i create new console application and set in web job. I have to do lot of coding for dependnecy injection and have to integrate azure valut.
2)Can i create web api in current api project but how to ensure security only azure web job can call api.
same question ::Securely calling a WebSite hosted Web API from an Azure WebJob
As you mentioned that we could use the Azure scheduled WebJob to send daily mail. Send mail demo code please refer to another SO thread.
Can i create web api in current api project but how to ensure security only azure web job can call api.
We need to use our authentication way to security our WebApi. And Azure also supply multiple ways to help us protect our WebApp. We can get more info about
Authentication and authorization for API Apps in Azure App Service from document.
Is there a way to authenticate to Azure without any login on an Azure VM? Same feature like amazon instance profile so I can run azure commands without authentication
I don't think it is possible to communicate with Azure cloud without authentication like AWS using the instance profile. In Azure you have to use service principle with respective role(Reader, contributor or owner) assigned. Once service principle is created you can use it for authentication with Azure SDK or REST API. You can automate once you have service principle details.
You can use Azure CLI.
The authentication can be done using the Publish Settings file.
This is useful if you wish to use Azure CLI commands in a script etc.
You can download the file by using
azure account download
Make sure you keep this file safe as it provides direct access to your azure account.
Then authentication is a simple process of importing the file using
azure account import /path/to/.publishsettings_file
Now deployment commands can be run on the command line without logging in.
Scroll to the section public settings file in the link for more info on how to use the publish settings file.
I created an empty Azure cloud service and I want to allow other developers to deploy to it. So far the only route I can see is adding the developers as Azure subscription administrators. I would rather give them more specific access to the cloud services only.
No such functionality exist today which will allow you to grant/revoke permissions at the cloud service level. Once a developer is provided access to the subscription, they would have access to all the resources under that subscription.
There's a REST API behind cloud service deployments and all the tools (including Windows Azure Portal and Visual Studio) consume this API for creating deployments. One possible solution would be to build your own solution consuming this API. In this solution you will implement access control based on your requirements so that when your user use this service, they will only see the cloud service they're assigned to and can only manage that cloud service. There's a managed library for consuming this API. You can find more information here: http://www.bradygaster.com/post/getting-started-with-the-windows-azure-management-libraries.
It seems that if the original developer downloads the publish profile from Azure (it's an xml file that with a .PublishSettings extension), you can copy the userPWD from that file, give it to another developer and they can paste it into the password field in the Connection section of the Publish dialog.
The userPWD is a string that looks something like this:
EFFCLfDqDKHlXcA2YDZPvX4BZXWFaobxaLN0aPJd4HCfa8WxlqEkt2yywBsx