I´m using az functionapp create for creating function ap in Azure, where apparts of creating the function app it also hooks it to a bitbucket repo. I´m using parametere --deployment-source-url -u but it seems is not working this way and is giving me an error. This is done by a jenkin file pipeline
node {
stage('Azure Login') {
withCredentials([azureServicePrincipal('6-8afd-ae40e9cf1e74')]) {
sh 'az login --service-principal -u $AZURE_CLIENT_ID -p $AZURE_CLIENT_SECRET -t $AZURE_TENANT_ID'
sh 'az account set -s $AZURE_SUBSCRIPTION_ID'
}
}
stage('Build Azure FuntionApp') {
sh 'az functionapp create -g $RG_NAME -p $SP_NAME -n grey-$JOB_NAME-$BUILD_NUMBER -s $SA_NAME --deployment-source-url https:// bitbucket.org/xxxx/functions/s***strong text***rc/develop --debug'
}
If I put --deployment-source-url -u https://user#bitbucket.org I get:
ERROR: az functionapp create: error: argument
--deployment-source-url/-u: expected one argument
I tried without the -u just : --deployment-source-url https://#bitbucket.org
and the job gets done, but the link with bitbucket repos is not made. Getting this:
So how is it that this work? how come if I put user it says invalid argument and if I don´t it pases but It can find user. Does anyone ever used this command to create a function app? thanks!
If you want to create azure function via azure-cli, you could change the deployment resource url after --deployment-source-url. You could refer to my command to create a function with a blob trigger, replace the url of yours. It works fine on my side.
Note: The Access level should be public, you could check it in Settings like the screenshot below.
az functionapp create --deployment-source-url https://bitbucket.org/xxx/azure-function --resource-group resourcegroupname --consumption-plan-location westeurope --name joyfun22 --storage-account <storage_name>
Besides, you also can use a github repository to create a function.
For example, to use the command below to create a function with a blob trigger.
az functionapp create --deployment-source-url https://github.com/Joyw1/Azure-Function-Trigger --resource-group myResourceGroup --consumption-plan-location westeurope --name <app_name> --storage-account <storage_name>
Update:
If your Access level is private. You need a access token to access your bitbucket repository. Please follow the steps bellow.
1.Go to the Bitbucket Labs -> Access Management -> OAuth -> Add consumer
More details, refer to this link.
2.Enable authenticated git deployment with Azure CLI
#!/bin/bash
gitrepo=<Replace with your GitHub repo URL e.g. https://github.com/Azure-Samples/functions-quickstart.git>
token=<Replace with a GitHub access token>
# Enable authenticated git deployment
az functionapp deployment source update-token \
--git-token $token
For complete command, refer to this link.
Related
I am trying to pass the below variable to a inline script in the Azure CLI Job in Azure release Pipelines, to get the principal ID of an identity:
miid=$(az identity show -g Resourcegroup -n prodaks-agentpool --query "principalId" -o tsv)
I am then running the below commands to set a policy in keyvault for the identity.
call az keyvault set-policy -n proddigitalkeyvault1 --key-permissions get --object-id $miid
call az keyvault set-policy -n proddigitalkeyvault1 --secret-permission get --object-id $miid
call az keyvault set-policy -n proddigitalkeyvault1 --certificate-permissions get --object-id $miid
I receive the error: "miid is not recognized as an internal command". Is it possible to add this variable into the inline script? This script works fine when running from my own machine.
I switched my type of script to shell and removed the "call" command. This script now runs ok in Azure Devops
When I try to deploy an Azure Function to the cloud using... func azure functionapp publish appName --build remote --publish-local-settings
...I receive the following error
Getting site publishing info...
Remote build is a new feature added to function apps.
Your function app appName does not support remote build as it was created before August 1st, 2019.
Please use '--build local' or '--build-native-deps'.
For more information, please visit https://aka.ms/remotebuild
EVEN THOUGH THE APP WAS LITERALLY JUST CREATED IN AZURE PORTAL.
System:
- Running VS Code on Ubuntu 18.04
Steps to reproduce:
Create a new Function App (and support resources) using az cli
Python runtime
Consumption plan
StandardV2 Storage plan
AppInsights
Create new Function (scaffolding) using VS Code Azure Functions extension
Create __init__.py and configure local.settings.json
Open a terminal; cd to Function folder
Run func azure functionapp publish appName --build remote --publish-local-settings
Fails everytime with the message above
Tried so far:
- Substituting --build local.
- Looks like it wants to work, but fails with error
There was an error restoring dependencies. ERROR: cannot install cryptography-2.9.2 dependency: binary dependencies without wheels are not supported when building locally. Use the "--build remote" option to build dependencies on the Azure Functions build server, or "--build-native-deps" option to automatically build and configure the dependencies using a Docker container. More information at https://aka.ms/func-python-publish
Not going to try:
- --build-local-deps because I don't want a docker instance for my Function App
Please advise. This is painful at this point.
In my case, I was provisioning an azurerm_linux_function_app with terraform and got this error. The error turned out to be caused by me forgetting to specify the storage_account_access_key setting. The docs even mention
One of storage_account_access_key or storage_uses_managed_identity must be specified when using storage_account_name.
But terraform does not actually check that when applying your configuration, resulting in a cryptic error message much later in the process.
Here is what was found today:
I initially created the Function App Storage Account with...
# Create a Function App Storage Account
az storage account create \
--name $fa_storage_name \
--resource-group $rg_name \
--access-tier Cool \
--default-action Deny \
--kind StorageV2 \
--subscription $az_sub
--location $az_loc \
--sku Standard_LRS
Changed this to...
# Create a Function App Storage Account
az storage account create \
--name $fa_storage_name \
--resource-group $rg_name \
--location $az_loc \
--sku Standard_LRS
...and was able to get past that error. The way I stumbled onto this was using the --buld local flag. It gave me a MUCH MORE ACCURATE error. Something along the lines of Check your storage account dude.
(thank you Marcelo!)
I'm trying to create an Azure DevOps service endpoint to connect to Azure Resource Manager and to deploy my app into a App Service.
When I go to Azure DevOps > Project Properties and create a Service Endpoint using the UI (Automated dialog) it works fine and my app can be deployed to App Service from a yaml pipeline, BUT, when I try to replicate it thru the Azure CLI it doesn't work (the build fails to deploy complaining about the Service Principal).
This is my code:
az_account=$(az account show)
az_subscription_id=$(echo $az_account |jq -r '.id')
az_subscription_name=$(echo $az_account |jq -r '.name')
az_tenant_id=$(echo $az_account |jq -r '.tenantId')
az_service_principal=$(az ad sp create-for-rbac -n "my-app-service-principal")
az_service_principal_password=$(echo $az_service_principal|jq -r '.password')
az_service_principal_id=$(az ad sp list --all | jq -c '.[] | select( .appDisplayName | contains("my-app-service-principal"))'| jq -r '.objectId')
export AZURE_DEVOPS_EXT_AZURE_RM_SERVICE_PRINCIPAL_KEY=$az_service_principal_password
az devops service-endpoint azurerm create --azure-rm-service-principal-id $az_service_principal_id --azure-rm-subscription-id $az_subscription_id --azure-rm-subscription-name $az_subscription_name --azure-rm-tenant-id $az_tenant_id --name my-app-service-endpoint
How should I create this Service Enpoint programatically with the Azure CLI?
Updated with the Azure DevOps error:
Your script simply creates the Service Principal but it is not giving any permission to the SP.
I would add some lines like these to create a Resource Group and scope permission to it
az_service_principal_appid = $(echo $az_service_principal|jq -r '.appId')
az group create --name myrg --location westeurope
az role assignment create --role Contributor --assignee $az_service_principal_appid --resource-group myrg
Clearly you need to think how to arrange your resources and SPs: you may need many of both depending on your architecture.
Ok, I need to delete image with specific tag from Azure Registry(ACR) using Azure CLI and authenticate with service principals.
I have tried already with bash script to first get service principals, then to login to azure with Azure CLI,(and I can see response that I have successfully logged in, with correct subscription id) and then when I try to execute delete command, I'm being asked
This operation will delete the manifest 'sha256:531d60fe70137820c7f9e589' and all the following images: 'sampleImage:1.0.0'.
Are you sure you want to continue? (y/n): y
and when I hit y, I get : Error: authentication required. Correlation ID: ****
Here is the code :
CLIENT_ID = ****
CLIENT_SECRET = ****
TENANT_ID = ****
az login --service-principal -u $CLIENT_ID -p $CLIENT_SECRET -t $TENANT_ID
REGISTRY_NAME="acrregistryname"
az acr login --name $REGISTRY_NAME
# Delete image from ACR
az acr repository delete --name $REGISTRY_NAME --image sampleImage:1.0.0
What I'm missing here?
expected : delete image successully
actual : Authentication required
For your requirement, actually, there are three conditions you need to pay attention to.
Delete the repository. For this requirement, you just need to have the AcrDelete role of the ACR.
Delete the image by the tag. For this requirement, you need to have at least two permission of the ACR: Access Resource Manager(similar to the Read role) and AcrDelete. So the appropriate role with the least permission is the Contributor role, more privilege is Owner. But the security role is Contributor and it's also recommended.
Delete the image by the manifest digest. For this requirement, it's the same situation as the 2.
So, finally, if you want to delete the whole repository, you need the AcrDelete role of the ACR. If you want to delete some data of the repository, you need the Contributor role of the ACR.
When the role is OK. All steps are below:
CLIENT_ID = ****
CLIENT_SECRET = ****
TENANT_ID = ****
REGISTRY_NAME="acrregistryname"
az login --service-principal -u $CLIENT_ID -p $CLIENT_SECRET --tenant $TENANT_ID
az acr login -n $REGISTRY_NAME
You can choose the step below as you need.
# delete the whole repository
az acr repository delete -n $REGISTRY_NAME --repository repository_name
# delete the image by the tag
az acr repository delete -n $REGISTRY_NAME --image imageName:tag
# delete the image by manifest digest
az acr repository delete -n $REGISTRY_NAME --image imageName#xxxxxxxx
What permissions does your service principal have? Note it will need Owner, Contributor or AcrDelete.
https://learn.microsoft.com/en-us/azure/container-registry/container-registry-roles
I've created and successfully tested a Function App that requires the .net Framework because of a legacy library, and is set to use run-time version ~1. I'm looking for the Invoke Url and code, to help automate deployment.
Following this MS article and using the azure-functions-core-tools v2 (npm i -g azure-functions-core-tools#^2), I can see the Invoke Url when publish is called with the --verbose option.
However, because of the .net Framework requirement and run-time version ~1, we're bound to azure-functions-core-tools v1 (npm i -g azure-functions-core-tools#^1) (see here). Executing any of the commands from func azure functionapp does’t include the Invoke Url. The --verbose option is not available.
>func azure functionapp publish <MyApp>
Getting site publishing info...
Publish C:\<MyProject> contents to an Azure Function App. Locally deleted files are not removed from destination.
Creating archive for current directory...
Uploading archive...
Upload completed successfully.
Same for list-functions
>func azure functionapp list-functions <MyApp>
Functions in <MyApp>:
FunctionOne - [httpTrigger]
FunctionTwo - [httpTrigger]
I haven't tried ARM yet.
Is there a way to obtain the Invoke Url for Function Apps on run-time version ~1?
I get the Invoke Url and the code with the following Azure CLI commands:
FUNCTION_CODE=$(az functionapp function keys list -g ${SOLUTION_NAME} -n $FUNCTIONS_NAME --function-name DPSCustomAllocationFunction --query "default")
FUNCTION_CODE=$(echo "$FUNCTION_CODE" | tr -d '"') #Remove "" from result
FUNCTION_URL=$(az functionapp function show --function-name DPSCustomAllocationFunction --resource-group $SOLUTION_NAME --query "invokeUrlTemplate" --output tsv --name $FUNCTIONS_NAME)
FUNCTION_URL=$(echo $FUNCTION_URL|tr -d '\r\n') #Remove breaklines from result
INVOKE_FUNCTION="$FUNCTION_URL?code=$FUNCTION_CODE"
Yo could use the REST API to get it:List Function Secrets, it will response the secret and triggerUrl.
POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{name}/functions/{functionName}/listsecrets?api-version=2016-08-01
Also you could implement it with the PowerShell GetFunctionInvokeUrl to do it.
You can do this with Azure CLI:
az functionapp function show
az functionapp function show --function-name MyFunction --name MyApp --resource-group MyResourceGroup --query "invokeUrlTemplate" --output tsv