Azure Kubernetes Private Key Location - azure

I've used this command to deploy a Kubernetes cluster in Azure:
az acs create -n acs-cluster -g acsrg1 -d applink789 --generate-ssh-keys
Everything is working- I can connect to the cluster with kubectl. Now I want to define an SSH step in a Continuous Delivery pipeline. The documentation indicates that this command created a public/private key pair. Where is the private key stored? I've looked in the .ssh, .kube, and .azure folders in my home directory but I can't tell if any of those values are the private key.

Figured it out- the documentation says the keys will be generated if they are missing. If the id_rsa keypair is present in the .ssh hidden directory, it is used. Connected with Putty using the azureuser default account.

Related

Trying to Update ssh key to existing user in azure linux vm whcih has been created using SSH Key Service via Azure portal

I am trying to use Add-AzVMSshPublicKey cmdlet to update ssh key on existing Azure linux VM , command executed without an issue but key hasnt been updated on server.
Is there any other way available where i can able to achieve OR any Azure cli command to do same ?
The Add-AzVMSshPublicKey cmdlet is used to add the public keys for SSH for a virtual machine, when only creating the VM. If you use the command with Update-AzVM, the command will error. So it does not use to add the keys after VM is created.
The following example updates the SSH key for the user azureuser on the VM named myVM.
az vm user update \
--resource-group myResourceGroup \
--name myVM \
--username azureuser \
--ssh-key-value ~/.ssh/id_rsa.pub
You can use the above CLI commands to append the new public key text to the ~/.ssh/authorized_keys file for the admin user on the VM. This does not replace or remove any existing SSH keys. You can SSH into that VM to remove the old public key if you would like to remove it.
Read Manage administrative users, SSH, and check or repair disks on Linux VMs using the VMAccess Extension with the Azure CLI for more details.
Alternatively, you can reset the SSH key from the Azure portal---> reset password.

Where are auto generated SSH keys stored in Windows using azure cli --generate-ssh-keys

I am trying to create linux VM with azure cli from local machine. I was able to create VM using following command but now when I want to ssh into the VM, I need to have public key on my local machine?
How can I get the required public key to connect to vm using ssh azureuser#publicIpAddress? Where are the ssh keys generated by --generate-ssh-keys and how to get it?
az vm create \
--resource-group myResourceGroup \
--name myVM \
--image UbuntuLTS \
--admin-username azureuser \
--generate-ssh-keys
I used PowerShell 7.0 with elevated privileges to run the above command
Solved
Update 1:
SSH keys are generated in c:\users\.ssh\ when you use --generate-ssh-keys switch
If there are already file with name id_rsa & id_rsa.pub then it might be conflicting and you can use another switch --ssh-key-values /path/to/public/key to specify different file name
After that if you get Permissions for 'private-key' are too open error then follow steps mentioned here
From MSDN for --generate-ssh-keys:
Generate SSH public and private key files if missing. The keys will be stored in the ~/.ssh directory.
Which will by default create a private id_rsa and public id_rsa.pub SSH key pair in the ~/.ssh directory if they don't exist. If you already have existing SSH keys in that location, it will just use those and not overwrite them.
On Windows this is the C:\Users\username\.ssh directory.
Additionally, you could also pass in a specific SSH public key path with --ssh-key-values:
az vm create \
--resource-group myResourceGroup \
--name myVM \
--image UbuntuLTS \
--admin-username azureuser \
--ssh-key-values /path/to/public/key
This is particularly useful if you have created SSH keys in another location with ssh-keygen.
As #Ash pointed out in the comments, you could have a look at Generate keys automatically during deployment for more information.
You can find it under
C:\Users\<<your-user-name>>\.ssh
When you create a VM for the first time you get the below message as well
SSH key files 'C:\Users\<<your-user-name>>\.ssh\id_rsa' and
'C:\Users\<<your-user-name>>\.ssh\id_rsa.pub' have been generated under ~/.ssh
to allow SSH access to the VM. If using machines without permanent
storage, back up your keys to a safe location.
For subsequent VM creations, the same key pair is used and you don't see the message again.
(I verfied using Windows OS, creating a linux VM with RedHat:RHEL:7-RAW:7.4.2018010506 image via Azure CLI)

How to configure users/keys to allow Ansible to run against multiple hosts?

I'm currently using a sandbox environment to help gain an understanding of Linux and Ansible.
I have a rhel 7.6 VM where Ansible is installed/ran from that i connect to via moba. I then have 2 test VMs that i'd like to run Ansible against.
I cannot SSH from the Ansible VM to either of the test VM's (Permission denied public key) but i can connect directly to the test VM's.
How do i set up the keys/hosts? does the private key need to be uploaded to the Ansible VM?
Try to deploy ~/.ssh/id_rsa.pub key from Ansible control machine to one of your VM's in a file ~/.ssh/authorized_keys. Copy the contents of ~/.ssh/id_rsa.pub from the Ansible control machine in ~/.ssh/authorized_keys on the target host. You may use the ssh-copy-id command to perform this for you so long as you have access to the target host via some method.
another method different from best practice id_rsa.pub deployment is configuring inventory vars for your hosts/groups by setting ansible_user, ansible_ssh_pass (with vault usage), ansible_become_user, ansible_become_pass (with vault usage)

What is the best way to provide a private SSH key in Azure DevOps Pipeline?

I am building an Azure DevOps pipleline using Terraform. The pipeline creates a Linux server and then logs into the Linux server to update packages and install Apache.
I am currently storing the private key in my BitBucket repo (I know, this is not best practice), which are then pulled down onto the build agent server and then I login to the new server with the following command:
ssh -f -q -o BatchMode=yes -o StrictHostKeyChecking=no -i ../private_key.pem ubuntu#$ip sudo apt update -y
What is the best way to store and then retrieve the private key within Azure DevOps?
Two options I can think of:
1) Create an ssh service connection in azure DevOps. Reference the service connection in your pipeline. https://medium.com/#sibeeshvenu/ssh-deployment-task-in-azure-pipelines-b0e2923bd7b4
2) Store the SSH key as an Azure Key Vault secret and then download the secret using the Azure CLI during the build.
az keyvault secret download --name mysshkey --vault-name mykeyvault --file ~/.ssh/id_rsa
Authenticate the Azure CLI using a service principal, and supply the credentials to the pipeline using a variable group.
I found that Azure DevOps provides you a feature to upload secret files are part of the build. You can see more information here:
https://learn.microsoft.com/en-us/azure/devops/pipelines/library/secure-files?view=azure-devops

"Incorrect padding" when trying to create managed Kubernetes cluster on Azure with AKS

I am working through the instructions outlined here to try and set up a Couchbase cluster on Azure Container Service (AKS). That tutorial is using terminal/Mac, and I'm using Powershell/Windows.
I'm getting an error before I even get to the Couchbase part. I successfully created a resource group (which I called "cb_ask_spike", and yes it does appear on the Portal) from the command line, but then I try to create an AKS cluster:
az aks create --resource-group cb_aks_spike --name cbakscluster
I also tried:
az aks create --resource-group cb_aks_spike --name cbakscluster --generate-ssh-keys
In both cases, I get an error:
az aks create: error: Incorrect padding
I don't know what this error message means, and I can't seem to find any reference to it in the documentation or anywhere. What am I doing wrong?
I'm using azure-cli v2.0.31.
I am fairly confident that I solved why I'm getting this error, and I've updated issue 6142 on azure-cli. At this time, I believe this is a bug, and it's not fixed, but there is a workaround.
First it's important to note that --generate-ssh generates a new ssh key in ~/.ssh
I had a hunch that since ~ for me is "C:\Users\Matthew Groves" that the space in the path was causing the problem. Sure enough, I created a new account called "mgroves". ~ is now "C:\Users\mgroves" and voila, I don't get the "incorrect padding" error message anymore.
So, the workaround is either to use a new account (huge pain) or rename the folder (this is what I have done, and it's also a huge pain and I'm still finding little problems here and there all throughout my system because of it.
In addition to the now approved answer there is a solution that doesn't require you to change any directory or account name and is also easy to implement as well.
As correctly stated in the other answers the Azure CLI cannot handle the actual location where the generated SSH keys will be stored if there is a space in the path. I.e. C:\Users\Admin Account\.ssh\.
When using the az aks create command you can either use --generate-ssh-keys to let the Azure CLI handle it, OR you can specify an already existing SSH key with --ssh-key-value.
I used Git Bash to generate a new SSH key pair in the C:\Users\Admin Account\.ssh\ directory:
ssh-keygen -f ~/.ssh/aks-ssh
Now create the Azure AKS cluster while pointing to this new SSH key with:
az aks create \
--resource-group YourResourceGroup \
--name YourClusterName \
--node-count 3 \
--kubernetes-version 1.16.8 \
--ssh-key-value ~\.ssh\aks-ssh.pub
And you are good to go!
Just verified today using az cli in Powershell for version 2.0.31. You might need to first run the az group and then create az aks command. Screenshot for your reference.

Resources