The main problem is that I can assign an IAM role using the Azure portal, but I got an error when trying the same via PowerShell.
This is the result of a portal action:
And I receive the following error when I try to do the same via PowerShell:
> New-AzureRmRoleAssignment -ObjectId "d585d0b6-eb2b-4d7c-99b4-7c357219f78d" -RoleDefinitionName "Reader" -ResourceName "datalaketestmh" -ResourceType "Microsoft.DataLakeStore/accounts" -ResourceGroupName "My-Test-Resource-Group"
New-AzureRmRoleAssignment : Principal d585d0b6eb2b4d7c99b47c357219f78d does not exist in the directory 3596192b-fdf5-4e2c-a6fa-acb706c963d8.
At line:1 char:1
+ New-AzureRmRoleAssignment -ObjectId "d585d0b6-eb2b-4d7c-99b4-7c357219 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [New-AzureRmRoleAssignment], CloudException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.NewAzureRoleAssignmentCommand
Any ideas where to look for the error?
Please use this script to get user ID:
$a = Get-AzureRmADUser | ?{ $_.UserPrincipalName -eq 'username@xxxx.onmicrosoft.com' } | select id
$userid = $a.id.Guid
Then use $userid to assign the role:
New-AzureRmRoleAssignment -ObjectId $userid -RoleDefinitionName "Reader" -ResourceName "datalaketestmh" -ResourceType "Microsoft.DataLakeStore/accounts" -ResourceGroupName "My-Test-Resource-Group"
By the way, please check your Azure PowerShell version. My Azure PowerShell version is 5.1.1, and that script works for me:
PS C:\Users\jason> Get-Module -ListAvailable -Name Azure -Refresh
Directory: C:\Program Files (x86)\Microsoft SDKs\Azure\PowerShell\ServiceManagement
ModuleType Version Name ExportedCommands
---------- ------- ---- ----------------
Script 5.1.1 Azure {Get-AzureAutomationCertificate, Get-AzureAutomationConnection, New-AzureAutomationConnection, Remove-AzureAutomationConnection...}
Also, you can use SignInName instead of ObjectId, like this:
New-AzureRmRoleAssignment -SignInName john.doe@contoso.com -RoleDefinitionName Owner -Scope "/subscriptions/86f81fc3-b00f-48cd-8218-3879f51ff362/resourcegroups/rg1/providers/Microsoft.Web/sites/site1"
For more information about the New-AzureRmRoleAssignment command, please refer to this article.
Hope this helps.
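The lookup-then-assign sequence from the answer above, as an added example that is not part of the original post. It assumes the AzureRM module and an existing Connect-AzureRmAccount session; the UPN is a placeholder and the resource names are the ones from the question.

```powershell
# Added example, not from the original answer.
$upn       = 'username@xxxx.onmicrosoft.com'   # placeholder UPN
$roleName  = 'Reader'
$scopeArgs = @{
    ResourceGroupName = 'My-Test-Resource-Group'
    ResourceName      = 'datalaketestmh'
    ResourceType      = 'Microsoft.DataLakeStore/accounts'
}

# Show which account, tenant and subscription this session is bound to.
# The "does not exist in the directory" error names the tenant that was searched.
Get-AzureRmContext | Format-List Account, Tenant, Subscription

# Resolve the principal in the current directory; stop unless exactly one object matches.
$user = @(Get-AzureRmADUser -UserPrincipalName $upn)
if ($user.Count -ne 1) {
    throw "Expected exactly one directory object for '$upn', found $($user.Count)."
}
$objectId = [string]$user[0].Id   # works whether Id is a Guid or a string

# Avoid a duplicate assignment: list what is already effective on this resource
# (assignments inherited from a parent scope are included in the result).
$existing = Get-AzureRmRoleAssignment -ObjectId $objectId -RoleDefinitionName $roleName @scopeArgs
if ($existing) {
    Write-Output "'$upn' already holds '$roleName' via scope $($existing[0].Scope)"
}
else {
    # Assign at the single resource rather than the resource group or subscription,
    # so the principal gets no more access than the task needs.
    New-AzureRmRoleAssignment -ObjectId $objectId -RoleDefinitionName $roleName @scopeArgs
}
```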
So, I'm told if you import your Azure Subscription Publish Setting file into PowerShell...you can use the certificate in the Publish Setting file to create objects in your Azure Subscription.
However, I am getting the following exception trying to create a Resource Group:
New-AzureRmResourceGroup : Run Connect-AzureRmAccount to login.
+ CategoryInfo : CloseError: (:) [New-AzureRmResourceGroup], PSInvalidOperationException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceGroupCmdlet
I Do The Following In My Script:
"Import" the Subscription
"Select" the Subscription
"Get" the Subscription (to view it)
...the subscription is both "Default & Current" (see attached image).
...and yet I still get that message.
SAMPLE CODE:
This code is edited so as not to "give away the farm"...
#Set Subscription
$Subscription_Id = "<not shown>"
Select-AzureSubscription -SubscriptionId $Subscription_Id
Get-AzureSubscription
# CHECK EXISTS: ResourceGroup
$RegionFullName = "South Central US"
$RegionShortName = "scus"
$EnvironmentShortName = "dev"
$ApplicationShortName = "<not shown>"
$ObjectTypeShortName = "rg"
$ResourceGroupFullName = "$($RegionShortName)-$($EnvironmentShortName)-$($ApplicationShortName)-$($ObjectTypeShortName)"
$ResourceGroup = Get-AzureRmResourceGroup -Name $ResourceGroupFullName -ErrorVariable NotPresent -ErrorAction SilentlyContinue
if ($ResourceGroup -eq $Null) {
#CREATE: ResourceGroup
$ResourceGroup = New-AzureRmResourceGroup -Name $ResourceGroupFullName -Location $RegionFullName -Confirm
}
I suppose you are using Import-PublishSettingsFile, but Azure Management Certificates and Publishing Setting files are only intended (for) and (are) limited to managing Azure Service Management (ASM) resources, which are being retired.
In your script, you mixed the ASM and AzureRm powershell modules together. Select-AzureSubscription and Get-AzureSubscription belong to ASM, Get-AzureRmResourceGroup and New-AzureRmResourceGroup belong to AzureRm.
So if you need to use AzureRm commands, you need to run Connect-AzureRmAccount to log in to your account.
I am trying to log in to Azure from Azure Automation using my AD credential. However, it seems like I am doing something wrong and it's throwing an error while testing.
$Cred = Get-AutomationPSCredential -Name 'DefaultAzureCredential'
$null = Add-AzureRmAccount -Credential $Cred -ErrorAction Stop -ErrorVariable err
if($err) {
throw $err
}
Get-AzureRmResourceGroup -Name "my-resource-group"
Error:
Get-AzureRmResourceGroup : No subscription found in the context. Please ensure that the credentials you provided are
authorized to access an Azure subscription, then run Login-AzureRMAccount to login.
At line:8 char:1
+ Get-AzureRmResourceGroup -Name "my-resource-group"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Get-AzureRmResourceGroup], ApplicationException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.GetAzureResourceGroupCommand
Update:
When I run Get-AzureRmContext from the Azure Automation script, it shows me the following, which is completely different from what I get when I run the same command from Azure Cloud Shell. Should I do things differently?
Account Environment Subscription Tenant
------- ----------- ------------ ------
AzureCloud
Looking at the error, I do not see an issue with the login or credential. The error is in Get-AzureRmResourceGroup: "No subscription found in the context."
This happens when the credential provided does not have a subscription. If you are sure the account has a subscription, then the issue might be with the module loaded in Azure Automation.
Having a bit of an issue with Azure and Powershell. I'm just checking to see if a resource group exists and I keep hitting this error. The next step after this is to create the resource group if it does not exist, but that is also throwing the same error. Was hoping someone might be able to suggest some workarounds or fixes.
Please note, I have access to the subscriptions, I can see them and successfully set the default subscription, as can be seen in the script below.
Full Error Returned
'this.Client.SubscriptionId' cannot be null.
At **********************\envir\create-env.ps1:21 char:1
+ Get-AzResourceGroup -Name $resourceGroup -ErrorVariable $doesNotExist ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Get-AzResourceGroup], ValidationException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.GetAzureResourceGroupCmdlet
I've just installed the Az module, version details below.
Version Name Repository
------- ---- ----------
1.6.0 Az PSGallery
I'm just running a pretty straightforward script (below). I thought it might be something to do with a default subscription not being set, but setting that has made no difference.
$passwd = ConvertTo-SecureString $servicePrincipalKey -AsPlainText -Force
$pscredential = New-Object System.Management.Automation.PSCredential($servicePrincipalUserName, $passwd)
Connect-AzAccount -ServicePrincipal -Credential $pscredential -TenantId $tenantId
Select-AzureSubscription -Default -SubscriptionName $subscriptioName
Get-AzResourceGroup -Name $resourceGroup -ErrorVariable $doesNotExist
I then get the error listed above.
I found the problem: the Service Principal I had created did not have sufficient access to the subscription, as suggested by @4c74356b41. I ended up giving it a role of Contributor and that resolved the problem.
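The three threads above (mixed ASM and AzureRm cmdlets, "No subscription found in the context", and 'this.Client.SubscriptionId' cannot be null) all come down to a session with no usable subscription in its context. The following added example, which is not code from any of the posters, checks for that explicitly after login using the Az module; $tenantId, $subscriptionId, $servicePrincipalUserName, $servicePrincipalKey, $resourceGroup and $location are assumed to be supplied by the caller.

```powershell
# Added example, not from the original posts. All input variables are assumptions.
$passwd = ConvertTo-SecureString $servicePrincipalKey -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential($servicePrincipalUserName, $passwd)

# Log in with the Az module only; ASM cmdlets such as Select-AzureSubscription
# keep their own session state and do not affect Az/AzureRm cmdlets.
Connect-AzAccount -ServicePrincipal -Credential $cred -TenantId $tenantId -ErrorAction Stop | Out-Null

# Authentication can succeed while the identity holds no role on any subscription.
# In that case the subscription list is empty and the context has no subscription.
$visible = @(Get-AzSubscription -TenantId $tenantId)
if ($visible.Id -notcontains $subscriptionId) {
    throw "Identity can see $($visible.Count) subscription(s) but not $subscriptionId. " +
          "Check its role assignments on that subscription."
}

# Bind the context to the intended subscription and verify the result.
$ctx = Set-AzContext -SubscriptionId $subscriptionId -TenantId $tenantId -ErrorAction Stop
if (-not $ctx.Subscription) {
    throw 'Context has no subscription after Set-AzContext.'
}

# Existence check. -ErrorVariable takes the variable NAME, without the leading '$'.
$rg = Get-AzResourceGroup -Name $resourceGroup -ErrorVariable notPresent -ErrorAction SilentlyContinue
if ($notPresent) {
    # Creation needs write permission on the subscription; Reader is not enough.
    $rg = New-AzResourceGroup -Name $resourceGroup -Location $location
}
$rg | Format-List ResourceGroupName, Location, ProvisioningState
```

If the only operations required are on a single resource group, a role assigned at that resource group's scope keeps the service principal's access narrower than a subscription-wide role.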
I have problems running a PowerShell cmdlet to get Azure Automation node configurations.
Cmdlets:
Get-AzureRmAutomationDscNodeConfiguration -ResourceGroupName "ResourceGroup03" -AutomationAccountName "Contoso17" -ConfigurationName "config"
Like Example 2 in https://learn.microsoft.com/en-us/powershell/module/azurerm.automation/get-azurermautomationdscnodeconfiguration?view=azurermps-6.13.0#examples
If I run the cmdlet like Example 3, it works with no errors.
The error:
Get-AzureRmAutomationDscNodeConfiguration : There is an unterminated
literal at position 40 in 'properties/configuration/name eq config''.
At line:1 char:1
+ Get-AzureRmAutomationDscNodeConfiguration -ResourceGroupName $rg -
Aut ...
+
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Get-
AzureRmAuto...deConfiguration], ErrorResponseException
+ FullyQualifiedErrorId:
Microsoft.Azure.Commands.Automation.Cmdlet.GetAzureAutomationDscNodeConfiguration
If I run the cmdlet without -ConfigurationName "config", I get no error.
Get-AzureRmAutomationDscNodeConfiguration -ResourceGroupName "ResourceGroup03" -AutomationAccountName "Contoso17"
The output of this cmdlet shows ConfigurationName "config".
ResourceGroupName : XXX
AutomationAccountName : XXX
Name : config.TestNode
CreationTime : 10.03.2019 14.10.44 +01:00
LastModifiedTime : 10.03.2019 14.10.44 +01:00
ConfigurationName : config
RollupStatus : Good
Any idea?
Welcome to Stack Overflow! :)
Good find! I was also able to reproduce it so I have reported this -> https://github.com/Azure/azure-powershell/issues/8738 issue with the concerned Microsoft Azure team.
Note that I have reported the above mentioned issue by referencing to PowerShell Az module cmdlet but not PowerShell AzureRm module cmdlet because as per this -> https://learn.microsoft.com/en-us/powershell/azure/new-azureps-module-az?view=azps-1.4.0 Microsoft article it is recommended to upgrade to Az module from AzureRm module.
For more process related information, please refer below links.
https://github.com/Azure/azure-powershell#reporting-issues-and-feedback
https://github.com/Azure/azure-powershell/issues/new/choose
Meanwhile, as a workaround to accomplish your requirement of getting metadata for DSC node configurations in Automation by specifying the name of DSC configuration for which the cmdlet gets node configuration metadata, you may just use below command.
For PowerShell Az module:
Get-AzAutomationDscNodeConfiguration -ResourceGroupName "ResourceGroup03" -AutomationAccountName "Contoso17" | ?{$_.ConfigurationName -eq "config"}
For PowerShell AzureRm module:
Get-AzureRmAutomationDscNodeConfiguration -ResourceGroupName "ResourceGroup03" -AutomationAccountName "Contoso17" | ?{$_.ConfigurationName -eq "config"}
Hope this helps!! Cheers!! :)
I'm trying to get an automation script up and running in Windows Azure.
I got an error telling me I have to use Select-AzureSubscription.
This one is failing with the following error:
Error: Select-AzureSubscription : The subscription named 'xxx' cannot be found. Use Set-AzureSubscription to
initialize the subscription data.
Parameter name: name
At my-script:15 char:15
+
+ CategoryInfo : CloseError: (:) [Select-AzureSubscription], ArgumentException
+ FullyQualifiedErrorId : Microsoft.WindowsAzure.Commands.Profile.SelectAzureSubscriptionCommand
So I used Set-AzureSubscription but this one is failing as well.
I tried passing the subscription name and the subscription ID.
Did someone manage to properly configure this?
You need to set up authentication to Azure using Add-AzureAccount. See https://msdn.microsoft.com/en-us/library/azure/dn865019.aspx for more details.
Before selecting a subscription, you need to add your Azure account through any of the methods available. The simplest one is using credentials:
$username = "your username"
$password = ConvertTo-SecureString 'yourpassword' -AsPlainText -Force
$Cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $password
<#you can also use Azure assets to store the credential and use it directly like
$Cred=Get-AutomationPSCredential -Name $AzureAccountCredentialName
#>
Add-AzureAccount -Credential $Cred
#Now select your subscription