I have Jenkins running on Ubuntu.
I want to create jobs that will kick-off Azure xplat-cli commands.
How do I authenticate Jenkins?
We achieved the same using this article: https://azure.microsoft.com/en-us/documentation/articles/resource-group-authenticate-service-principal/#authenticate-service-principal-with-password---azure-cli
Briefly, you have to create a new application record within Azure Active Directory that will have its own login and password. Then you should grant the required permissions to that account. After that you can perform a fully non-interactive login command that works with the ARM model.
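What that non-interactive login does under the hood is an OAuth2 client-credentials exchange against Azure AD, followed by ARM REST calls carrying the resulting bearer token. The example below is added here by the editor and is not code from the answer or from Microsoft; it assumes the Jenkins credentials binding exports the three variables named in load_sp_from_env (the names are this example's choice), and the HTTP transport is injectable so the exchange can be exercised offline:

```python
"""Non-interactive ARM login for a CI job, expressed as the OAuth2
client-credentials exchange that the CLI's service-principal login performs."""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

LOGIN_BASE = "https://login.microsoftonline.com"
ARM_SCOPE = "https://management.azure.com/.default"


def _http_post(url, form):
    """Default transport: POST a form body and return the decoded JSON reply.
    AAD answers 4xx with a JSON body too, so decode it instead of raising."""
    body = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)


def _http_get(url, headers):
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def load_sp_from_env(environ=os.environ):
    """Read the service principal from variables a Jenkins credentials
    binding exports (variable names assumed by this example)."""
    names = ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")
    missing = [n for n in names if not environ.get(n)]
    if missing:
        raise RuntimeError("missing credential variables: " + ", ".join(missing))
    return tuple(environ[n] for n in names)


def client_credentials_token(tenant_id, client_id, client_secret, post=_http_post):
    """Exchange the application's id and password for an ARM access token.
    `post` is injectable so the exchange can be tested without Azure AD."""
    url = f"{LOGIN_BASE}/{tenant_id}/oauth2/v2.0/token"
    reply = post(url, {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # only in the POST body, never in the URL or argv
        "scope": ARM_SCOPE,
    })
    if "access_token" not in reply:
        raise RuntimeError(f"AAD rejected the login: {reply.get('error')}: "
                           f"{reply.get('error_description')}")
    return reply["access_token"]


def bearer_header(token):
    return {"Authorization": f"Bearer {token}"}


def resource_group_names(token, subscription_id, get=_http_get):
    """One ARM call the token unlocks: list the subscription's resource groups.
    Requires at least the Reader role granted to the service principal."""
    url = (f"https://management.azure.com/subscriptions/{subscription_id}"
           f"/resourcegroups?api-version=2021-04-01")
    reply = get(url, bearer_header(token))
    return [rg["name"] for rg in reply.get("value", [])]


if __name__ == "__main__":
    tenant, client, secret = load_sp_from_env()
    tok = client_credentials_token(tenant, client, secret)
    # AZURE_SUBSCRIPTION_ID is likewise assumed to come from the job environment
    print(resource_group_names(tok, os.environ["AZURE_SUBSCRIPTION_ID"]))
```

Keep the secret out of the job's command line and console output: a credentials binding plus the environment keeps it off `ps` and out of the build log, which is where a `-p $PASSWORD` argument tends to leak.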
I have generated a zip file of a Node.JS-based web app in Gitlab, and I am trying to deploy it as an Azure "web app" using az webapp deploy. This works fine on my local machine where I am logged in, but I can't for the life of me figure out how I can log in to Azure from the Gitlab runner, so that I can run that same command. I've tried:
Using the Publish Profile (already need to be logged in for that!)
Creating a managed identity with roles on the app (but I don't have access to AD)
Creating the managed system identity in the app's "Identity" pane (can't find any associated password?!)
Generating a JWT token to store in Gitlab as described in this question (I don't have access to the App Registrations functionality)
I don't want to use Azure to rebuild the application using the webhook system, I already have a known-working ZIP package that I want to deploy. My only hangup is logging in.
How can I log in to Azure -- i.e. what incantations do I have to provide to az login -- from a Gitlab CI runner, in order to deploy my website from a zipped Gitlab artifact to the App Service?
(note: I am a teacher and trying to figure this out for my students; it is possible that I am working with a somehow-limited Azure but my local IT doesn't support us for this and of course neither will Microsoft.)
If you cannot access the app registrations as discussed in a similar question and have no federation configured, your only options are to use a username and password (e.g. a user's username and password to authenticate to AAD), use a device code flow, or self-host your GitLab runner on Azure with a managed identity.
Using username and password
Using a username and password is straightforward:
az login --tenant $YOUR_TENANT_ID -u $YOUR_USERNAME -p $YOUR_PASSWORD
However, this may not be possible if you normally do not log in to Azure using a username and password (for example, you use OAuth or another federated login for the Azure portal and users have no passwords set). In that case, you will need to use the device code flow.
Using device code
To use the device code flow, you will need to monitor the job output, copy the URL shown, and log in from your browser every time your job runs. In your job, add the following:
az login --tenant $YOUR_TENANT_ID --use-device-code
In the job output you will see a message similar to the following:
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code YOUR-CODE-WILL-APPEAR-HERE to authenticate
Copy the code from the message, open your browser to the device login page and enter the code to allow your job to proceed.
Note: It is possible for organizations to disable this login method, in which case you will see an error when trying to log in this way.
Self-hosting GitLab runner on Azure with a managed identity
Lastly, if you're not able to use any of the above methods, you can deploy the GitLab runner to Azure itself as an application that uses a managed identity (for example on AKS, ACI, or on a VM with a managed identity).
For example, you can configure a shell runner on an Azure VM. Azure VMs with a managed identity will not require az login to perform az cli commands.
Creating the managed system identity in the app's "Identity" pane (can't find any associated password?!)
The reason you can't find any associated password is because managed identities can only be leveraged from Azure services -- for example, Azure VMs using a managed identity are able to use az cli without logging in.
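Two of the options above need no stored secret at all, and it helps to see the messages that flow in each. The block below is an added example by the editor, not code from the answer, GitLab or Microsoft. device_code_token walks the device-code flow (RFC 8628 against the v2.0 endpoints) and handles the replies a job must expect while the human is still in the browser: authorization_pending, slow_down, expired_token and an outright decline. managed_identity_token shows why a managed identity has no password: the token is handed out by the instance metadata endpoint, reachable only from inside the VM or container that owns the identity. Assumptions: the tenant allows device-code sign-in, the client id below is the Azure CLI's public application id (substitute your own if your organization blocks it), and the HTTP transport and sleep are injectable so the flow can be exercised offline:

```python
"""Two secret-free ways for a CI job to obtain an ARM token: the device-code
flow (a human approves once per run) and a VM's managed identity (IMDS)."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

LOGIN_BASE = "https://login.microsoftonline.com"
ARM_SCOPE = "https://management.azure.com/.default"
AZ_CLI_CLIENT_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"  # Azure CLI's public client id (assumed usable here)
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"


def _http(url, form=None, headers=None):
    """Default transport: POST `form` if given, else GET; return decoded JSON.
    AAD error replies are 4xx with a JSON body, so decode those too."""
    hdrs = dict(headers or {})
    data = None
    if form is not None:
        data = urllib.parse.urlencode(form).encode()
        hdrs["Content-Type"] = "application/x-www-form-urlencoded"
    req = urllib.request.Request(url, data=data, headers=hdrs)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)


def device_code_token(tenant_id, http=_http, sleep=time.sleep,
                      client_id=AZ_CLI_CLIENT_ID, notify=print):
    """Run the device-code flow; `notify` gets the message the human must act on
    (in CI that is the job log). Returns the access token or raises."""
    start = http(f"{LOGIN_BASE}/{tenant_id}/oauth2/v2.0/devicecode",
                 form={"client_id": client_id, "scope": ARM_SCOPE})
    if "device_code" not in start:
        # e.g. the organization has disabled device-code sign-in
        raise RuntimeError(f"device code request rejected: {start.get('error')}")
    notify(start["message"])  # "To sign in, use a web browser to open ... enter the code ..."
    interval = int(start.get("interval", 5))
    elapsed = 0
    while elapsed < int(start["expires_in"]):
        sleep(interval)
        elapsed += interval
        reply = http(f"{LOGIN_BASE}/{tenant_id}/oauth2/v2.0/token", form={
            "grant_type": "urn:ietf:params:oauth:grant-type:device_code",
            "client_id": client_id,
            "device_code": start["device_code"],
        })
        if "access_token" in reply:
            return reply["access_token"]
        err = reply.get("error")
        if err == "authorization_pending":
            continue            # the user has not finished in the browser yet
        if err == "slow_down":
            interval += 5       # RFC 8628: back off before polling again
            continue
        # expired_token, authorization_declined, bad_verification_code: give up
        raise RuntimeError(f"device code login failed: {err}: {reply.get('error_description')}")
    raise RuntimeError("device code expired before the user signed in")


def managed_identity_token(http=_http, resource="https://management.azure.com/"):
    """Ask the instance metadata service for a token for the VM's managed
    identity. There is no password to find: the platform vouches for the VM."""
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(
        {"api-version": "2018-02-01", "resource": resource})
    # The Metadata header is mandatory; it also defeats redirect-based SSRF tricks
    reply = http(url, headers={"Metadata": "true"})
    if "access_token" not in reply:
        raise RuntimeError(f"IMDS did not issue a token: {reply}")
    return reply["access_token"]


if __name__ == "__main__":
    # On an Azure VM with a managed identity this needs no interaction at all
    print(managed_identity_token()[:16] + "...")
```

The practical difference for a GitLab runner: the device-code path blocks the job until someone reads the log and approves, so it only suits manually triggered pipelines, whereas the IMDS path needs the runner to be hosted on the Azure resource that carries the identity, since the 169.254.169.254 endpoint is not reachable from anywhere else.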
I have an app running on a local machine that I want to be able to run a PowerShell script to turn on my Azure VMs. I have a runbook in my subscription to turn them on and have the functionality to run the runbook from the PowerShell script. My only problem right now is authenticating to my Azure subscription. I have an Automation account and the connection and certificate that come with it, but I'm a bit confused as to whether or not I can use this to perform this functionality.
You could use service principal auth or certificate auth (well, Azure AD user auth as well, but somehow Microsoft thinks it's not safe enough).
Basically go through this link: https://blogs.msdn.microsoft.com/benjaminperkins/2017/01/20/execute-an-azure-powershell-arm-script-without-prompting-for-credentials
PS: one fine option for a locally running script is Enable-AzureRmContextAutosave, which allows you to auth once and after that just reuse that auth in your local PowerShell.
I'm trying to log in to a different tenant from the portal Cloud Shell (bash) with "az login --tenant mytenant.onmicrosoft.com", and it gives this error: azure cloud shell automatically authenticates the user it was initially launched under. As a result az login is disabled. How can I solve this problem? Any ideas?
azure cloud shell automatically authenticates the user it was initially launched under. As a result az login is disabled.
It is by-design behavior.
You could switch the Azure AD directory in the upper right corner of the Azure portal, then open Cloud Shell; in this way, Azure Cloud Shell will authenticate with that tenant.
Also, you can install the Azure CLI on your PC; for more information about installing CLI 2.0, please refer to this article.
Is there a way to authenticate to Azure without any login on an Azure VM? Something like the Amazon instance profile, so I can run Azure commands without authenticating.
I don't think it is possible to communicate with Azure cloud without authentication like AWS using the instance profile. In Azure you have to use a service principal with the respective role (Reader, Contributor or Owner) assigned. Once the service principal is created you can use it for authentication with the Azure SDK or REST API. You can automate once you have the service principal details.
You can use Azure CLI.
The authentication can be done using the Publish Settings file.
This is useful if you wish to use Azure CLI commands in a script etc.
You can download the file by using
azure account download
Make sure you keep this file safe as it provides direct access to your azure account.
Then authentication is a simple process of importing the file using
azure account import /path/to/.publishsettings_file
Now deployment commands can be run on the command line without logging in.
Scroll to the section on the publish settings file in the link for more info on how to use the publish settings file.
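Before importing a .publishsettings file on a build box it is worth seeing what it actually contains: the XML carries, per subscription, a base64-encoded PKCS#12 management certificate that is a complete credential for the classic (Service Management) API, which is why the file must be kept private. The block below is an added example by the editor, not part of the answer or of the Azure CLI; it parses both schema versions the file has used (the certificate either on the PublishProfile or on each Subscription), checks that the blob looks like DER, and refuses a file that is group- or world-readable or a symlink. The sample file is constructed for the example and its subscription id and certificate bytes are placeholders:

```python
"""Inspect a .publishsettings file before `azure account import`: list what it
grants access to and check that the file itself is stored privately."""
import base64
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample: schema 2.0 layout with a placeholder id and a tiny
# placeholder blob whose first byte (0x30) matches a real DER-encoded PFX.
SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<PublishData>
  <PublishProfile SchemaVersion="2.0" PublishMethod="AzureServiceManagementAPI">
    <Subscription ServiceManagementUrl="https://management.core.windows.net"
                  Id="11111111-2222-3333-4444-555555555555"
                  Name="Pay-As-You-Go"
                  ManagementCertificate="MIIBAAAA" />
  </PublishProfile>
</PublishData>
"""


def parse_publishsettings(text):
    """Return one dict per subscription: id, name, url and the raw certificate
    bytes. Schema 1.0 keeps the certificate on PublishProfile, 2.0 on each
    Subscription; both are handled."""
    root = ET.fromstring(text)
    subs = []
    for profile in root.iter("PublishProfile"):
        profile_cert = profile.get("ManagementCertificate")
        for sub in profile.iter("Subscription"):
            cert_b64 = sub.get("ManagementCertificate") or profile_cert
            if not cert_b64:
                raise ValueError(f"subscription {sub.get('Id')} has no management certificate")
            subs.append({
                "id": sub.get("Id"),
                "name": sub.get("Name"),
                "url": sub.get("ServiceManagementUrl") or profile.get("Url"),
                "cert_bytes": base64.b64decode(cert_b64),
            })
    return subs


def is_pkcs12(blob):
    """A PFX/PKCS#12 file is a DER SEQUENCE, so the first byte is 0x30."""
    return len(blob) > 2 and blob[0] == 0x30


def file_permission_problems(path):
    """Reasons the file is not private: symlink, or any group/other access bits."""
    problems = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        problems.append("is a symlink")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {stat.S_IMODE(st.st_mode):04o} is accessible to group/others; use 0600")
    return problems


def audit(path):
    """Summarize the file: subscription ids it unlocks, whether each certificate
    blob looks like DER, and any storage problems."""
    with open(path, encoding="utf-8-sig") as fh:  # tolerate the BOM these files often carry
        subs = parse_publishsettings(fh.read())
    return {
        "subscriptions": [s["id"] for s in subs],
        "certificates_look_valid": all(is_pkcs12(s["cert_bytes"]) for s in subs),
        "problems": file_permission_problems(path),
    }


if __name__ == "__main__":
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "demo.publishsettings")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE)
    os.chmod(path, 0o644)   # the typical, and wrong, default after a browser download
    print(audit(path))
```

Once `azure account import` has consumed the file, delete it: the CLI keeps its own copy of the certificate under the user's profile, and a second plaintext copy in a downloads folder or a CI workspace is only more surface to lose.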
I am trying to spin up a Kubernetes cluster using my Microsoft Azure account. I'm following this guide:
https://github.com/kubernetes/kubernetes/blob/release-1.0/docs/getting-started-guides/coreos/azure/README.md#lets-go
At some point, the guide instructs to execute this command:
./azure-login.js -u <your_username>
I am pretty new to Azure, and I don't know what this username is. I have an e-mail that I use to login to the Azure Portal, where I can start virtual machines.
The issue was that apparently one needs to have an organization account in order to use the Azure CLI tool. I had set up my account as an individual, with an e-mail address, so the tool wasn't working.
The solution was to convert my account to an organizational one by using the Active Directory service, as explained here:
https://azure.microsoft.com/en-us/documentation/articles/resource-group-create-work-id-from-personal/
A simple peek at azure-login.js (located in the same folder as the link you posted) shows:
require('child_process').fork('node_modules/azure-cli/bin/azure', ['login'].concat(process.argv));
So... it's calling the azure cli: azure login username
And username would be your email address for your Azure subscription (the same email address you'd login with in the portal). You'd then be prompted for your password.