Azure cloud shell error - azure

I am unable to do anything with my Azure account such as create servers or databases or anything. It seems like it all revolves around resource groups, which I cannot create. I get this error:
It's especially tough because I can't even use a cloud shell since I get this:
Requesting a Cloud Shell.
PowerShell may take up to a minute.
Failed to provision a Cloud Shell: {"code":"AuthenticationFailed","message":"Authentication failed. The 'Authorization' header is missing."}
Any idea what this could mean?

Do you have a valid subscription?
If you do, make sure you have the right permissions to it.
Cloud Shell needs to create a storage to work. If you can't create any resource on the subscription, Cloud Shell will surely fail.


Failed to provision a cloud shell, Azure error

I just subscribed to Azure with my GitHub student, then I started to learn its features with no error in Cloud Shell. Then, when I tried the other day, my Cloud Shell popped up this error message:
Requesting a Cloud Shell.
Failed to provision a Cloud Shell:
{
"code":"TenantDisabled",
"message":"Cloud Shell has been disabled in directory ...
}
This doesn't seem like a common error unless Cloud Shell has been specifically disabled in your environment. If you see this happening consistently, try removing all your Cloud Shell resources, i.e., the associated Resource group, Storage account and File share and re-configure it again.

Get Mount script from Azure file share - Terraform

For every new file share that we create in an Azure Storage account, we get a Connect option. If we click Connect, we get the below options.
Is it possible to get that piece of code to mount this file share through Terraform? I could not find it anywhere. Any help on this would be appreciated.
Of course, it's possible. You just need to copy the code into a script and then use the VM extension to execute inside the VM. It's not complex at all. Here is an example.
But there is one thing you need to pay attention to: the VM extension only supports non-interactive scripts. For example, in the connect code for Linux, the command sudo is an interactive command, so it's not recommended to use it in the VM extension. You can get more details about the VM extension here.

Work on kubernetes with two accounts in PowerShell with Azure

I have two separate Azure accounts.
One for each project in which I am involved, these accounts are totally independent, that is, they do not share any type of resource and do not have the same domain. They are from two totally different companies.
I find that both accounts respond to me at the time of login from PowerShell and I can access those resources.
Both work with Kubernetes (kubectl) but only one of the two accounts is shown. Whatever you do always shows the content of co-owners of one and not the other.
I have the Azure CLI (v.2.0.76) and the PS version is (5.1).
Does someone know how I can do this?
EDIT with pictures -
Although the account is default, I am not able to access the kubernetes of the same
PS Default Account
Services from the other account..not the default account
services from other cluster
I just found the solution.
When we access from PS with az login and select the account, it allows us to access all the resources of that account (the one that is predetermined).
What I have done is basically see the
kubectl config view
This returns the result of all the clusters that it finds with its context. The next thing we have to do is tell kubectl what CONTEXT we want to work with in the following way:
kubectl config use-context "CONTEXT NAME"
And that's it.
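
The context selection described in the answer above, written out for the two-account case as an added example that is not part of the original post. The subscription IDs, resource groups, cluster names and the context names `company-a` / `company-b` are placeholders, and `Invoke-KubectlIn` is a hypothetical helper. It names each context when the credentials are fetched and pins the context per command, so a command meant for one company's cluster cannot land on the other's because of a stale current context.

```powershell
# Added example. Subscription IDs, resource groups, cluster names and the
# context names company-a / company-b are placeholders.

# Log in once per account; az keeps the subscriptions of both accounts.
az login
az login
az account list --output table

# Fetch credentials for each cluster under an explicit context name, so the
# two entries in kubeconfig are easy to tell apart.
az aks get-credentials --subscription "<SUBSCRIPTION-ID-A>" `
    --resource-group "<RG-A>" --name "<CLUSTER-A>" --context "company-a"
az aks get-credentials --subscription "<SUBSCRIPTION-ID-B>" `
    --resource-group "<RG-B>" --name "<CLUSTER-B>" --context "company-b"

# Show every context and which one is current (marked with *).
kubectl config get-contexts

# Hypothetical helper: run kubectl against a named context without changing
# the current context, and refuse to run if the name is not in kubeconfig.
function Invoke-KubectlIn {
    param(
        [Parameter(Mandatory)][string]$Context,
        [Parameter(Mandatory)][string[]]$KubectlArgs
    )
    $known = kubectl config get-contexts -o name
    if ($known -notcontains $Context) {
        throw "Context '$Context' not found. Known contexts: $($known -join ', ')"
    }
    kubectl --context $Context @KubectlArgs
}

# Same command, two different clusters, no reliance on the current context.
Invoke-KubectlIn -Context "company-a" -KubectlArgs 'get', 'services'
Invoke-KubectlIn -Context "company-b" -KubectlArgs 'get', 'services'

# Equivalent to the answer above: switch the current context for the session.
kubectl config use-context "company-b"
kubectl config current-context
```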

Accessing Azure Storage Blob from an AKS cluster

A little context: I'm having to migrate a project from AWS, where I'm currently using ECS, to Azure, where I'll be using AKS since their ACS (ECS equivalent) is deprecated.
This is a regular Django app, with its configuration variables being fetched from a server-config.json hosted on a private S3 bucket. The EC2 instance has the correct role with S3FullAccess.
I've been looking into reproducing that same behavior but with Azure Blob Storage instead, having achieved no success whatsoever :-(.
I tried using the Service Principal concept and adding it to the AKS Cluster with Storage Blob Data Owner roles, but that doesn't seem to work. Overall it's been quite the frustrating experience - maybe I'm just having a hard time grasping the right way to use the permissions/scopes. The fact that the AKS Cluster creates its own resource group is something unfathomable - but I've attempted attaching the policies to it as well, to no avail. I then moved onto a solution indicated by Microsoft.
I managed to bind my AKS pods with the correct User Managed Identity through their indicated solution aad-pod-identity, but I feel like I'm missing something. I assigned Storage Blob Data Owner/Contributor to the identity, but still, when I enter the pods and try to access a Blob (using the python sdk), I get a resource not found message.
Is what I'm trying to achieve possible at all? Or will I have to change to a solution using Azure Keyvault/something along those lines?
First of all, you can use AKS Engine, which is more or less ACS for Kubernetes now.
As for the access to the blob storage, you don't have to use Managed Service Identity, you can just use account name\key (which is a bit less secure, but a lot less error prone and more examples exist). The fact that you are getting a resource not found error most likely means your auth part is fine, you just don't have access to the resource. According to this, storage blob contributor should be fine if you assigned it at a proper scope. For this to work 100%, just give your identity contributor access at subscription level; this way it's guaranteed to work.
I've found an example of using Python with MSI (here). You should start with that (and grant your identity contributor access) and verify you can list resource groups. When that works, making reading blobs work should be trivial.

azure container with RBAC

I am trying to understand how I can run a Python application inside an Azure container that can spin up various resources like a VM or route table inside a resource group of Azure.
http://azure-sdk-for-python.readthedocs.io/en/latest/
It looks like the examples provided in the Azure Python SDK set authentication stuff like credentials, subscription ID, etc.
Is there a way to avoid setting up this information by using Role Based Access Control? What if I provide the container Contributor access to the resource group? In that case, would I be able to avoid setting up authentication variables and still achieve creating resources, or at least read/access resources in the resource group?
No, how do you think that would work? In order to be able to create\read\modify resources you need permissions (else anyone would be able to do that). There is no way to do that without some sort of Auth.
