In my specific case I have an Azure subscription with many resources and some are managed by Pulumi or Terraform. They were therefore tagged with "ManagedBy:Pulumi".
How do I use the CLI to get only the resources that do not have the tag "ManagedBy"?
To get all resources in an Azure subscription that do not have a specific tag, you can use the following Azure CLI command:
az resource list --query "[?tags.['<tagName>'] == null]"
In my case:
az resource list --query "[?tags.['ManagedBy'] == null]"
Additionally you can filter the information you want as follows:
az resource list --query "[?tags.['ManagedBy'] == null].{type:type, name:name, id:id}"
Reference:
https://learn.microsoft.com/en-us/cli/azure/query-azure-cli?tabs=concepts%2Cbash
Related
In my release pipeline, I'm running an Azure Cli task with a PowerShell script. In the script, I want to grant the current pipeline SP a list secret permission for one azure Key vault.
For doing this, I will need the ObjectId for the current pipeline SP. Turns out this is the hardest thing ever. The pipeline settings only allow return PrincipaleId, then I tried az ad sp show --id $env:servicePrincipalId --query objectId -o tsv. However, this always returns empty string, I guess since the pipeline is authed by a token, Azure does not allow it to get info about itself.
Wondering how can I get this magic ObjectId for the current pipeline other than just pass the value in from pipeline variable
It was an issue with "objectId" parameter value. I have tried to replicate the same in Azure Portal. Instead of using objectId use id parameter, it will work.
az ad sp show *********** --query id -o tsv
Replicated the same in portal.
Created a new Service principal
here are the service principal details:
Step2:
run the command with objectId parameter, output is empty. When we update with "id" it working as expected.
I am trying to use az devops security group membership list --id descriptor.
When I am using this cli I am getting the below error for one of my descriptor:
ERROR: TF400049: The request was aborted because it contained too many requested items 800, maximum allowed is 500.
I checked for continuation token as well but it seems like this cli doesnot support the continuation token.
Azure devops cli : az devops security group membership list
According to the document az devops security group membership list:
Optional Parameters:
--detect
--org --organization
--relationship
--subscription
--debug
--help -h
--only-show-errors
--output -o
--query
--verbose
There is no such parameter to allow us to list all the users. You could add the user voice on the Github https://github.com/Azure/azure-cli.
Or you could try to use the REST API with continuation token to get all the users:
Memberships - List
You should be able to use a JMESQuery with --query to selectively get the results.
I'm following the official docs to create Azure Kubernetes clusters. The docs state that I need to create a service principal first, manually, and provide the client_id and client_secret.
Doing it manually is not an option.
Here is the code for my service principal. It's decorated with links to the most recent Terraform docs for reference.
data "azurerm_subscription" "current" {}
data "azuread_client_config" "current" {}
resource "random_id" "current" {
byte_length = 8
prefix = "ExternalDnsTf"
}
# Create Azure AD App.
# https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application
resource "azuread_application" "current" {
display_name = random_id.current.hex
owners = [data.azuread_client_config.current.object_id]
}
# Create Service Principal associated with the Azure AD App
# https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal
resource "azuread_service_principal" "current" {
application_id = azuread_application.current.application_id
app_role_assignment_required = false
owners = [data.azuread_client_config.current.object_id]
}
# Create Service Principal password
# https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_password
resource "azuread_application_password" "current" {
application_object_id = azuread_application.current.object_id
}
# Create role assignment for service principal
# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment
resource "azurerm_role_assignment" "current" {
scope = data.azurerm_subscription.current.id
role_definition_name = "Contributor"
# When assigning to a SP, use the object_id, not the appId
# see: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-cli
principal_id = azuread_service_principal.current.object_id
}
I keep getting the following error in my pipeline: (note, I am the owner of my subscription)
ApplicationsClient.BaseClient.Post(): unexpected status 403 with OData
│ error: Authorization_RequestDenied: Insufficient privileges to complete the
│ operation.
What I'm trying to do is to eliminate the manual steps to setup supporting services. Take ExternalDNS for example. The Azure docs state that I need to use az ad sp create-for-rbac -n ExternalDnsServicePrincipal; az role assignment create --role "Reader" --assignee <appId GUID> --scope <resource group resource id>; az role assignment create --role "Contributor" --assignee <appId GUID> --scope <dns zone resource id>
Ultimately, I'm trying to create the terraform version of the azure cli commands.
Support for create-for-rbac was a feature request on github. That used to work great, but so much has changed, it's not applicable to current API versions. Also, with AAD Graph being deprecated in favor Microsoft Graph API, I wonder if I'm getting snagged on that.
The ExternalDNS docs also suggested Managed Service Identities (MSI). Service principals, MSI, MSGraph API integration, honestly, I don't care which one is used. Whatever is current best-practices is fine so long as I do not have to log into the portal to manually create or give permissions, or manually run az cli commands.
EDIT: Permissions clarification
I'm using Terraform, of course, to provision resources. If I do all of this without terraform (manually or with a bash script), I use azure cli I start setting permissions by doing the following:
az login
az account set -s <my-subscription-id>
I am the owner of my subscription. I can run all commands, create SPs, MSIs, assign roles, etc, with no problem.
In the pipelines, I am using the charleszipp az pipelines terraform plugin. In the logs, I see:
az login --service-principal -t <my-tenant-id> -u *** -p ***
az account set -s <my-subscription-id>
I'm not sure if that makes a difference. I interpret that as ultimately, commands are executed after signing in and setting the account subscription, like I do manually.
Technically, I'm not using a service connection in several of these tasks. However, where one is required, I have created a Service connection and defined its Scope to the subscription level. It's of type Azure Resource Manager.
However, if I click "manage service principal, it takes me to the portal where there are no permissions defined.
While I am the owner of my subscription, I am not the root management group. I'm owned / provisioned by someone else. Ultimately, they have control of Active Directory. I cannot add or edit permissions. If I try to add any under permissions API and select Microsoft Graph, it says that authorization is required. Grant Admin Consent for <parent organization is greyed out.
But why would that be important if I'm the owner of my subscription? If I can do whatever I want via the az cli command line, what's preventing me from doing the same in the pipeline?
I am using user-managed identity for that, it seemed most straightforward and worked fine for me.
resource "azurerm_user_managed_identity", "mi" {
resource_group_name = "rg"
name = "mi"
location = "eastus"
}
resource "azurerm_role_assignment" "ra" {
scope = azurerm_subnet.sn.id // subnet I created earlier
role_definition_name = "Network Contributor" // required with kubenet
principal_id = azurerm_user_managed_identity.mi.principal_id
}
resource "azurerm_kubernetes_cluster" "aks" {
name = "aks"
identity {
type = "UserAssigned"
user_assigned_identity_id = azurerm_user_managed_identity.mi.id
}
<...remaining attributes...>
depends_on = [azurerm_role_assignment.ra] // just to be safe
}
Had a quick google, and there appears to be nothing out there.
Can an Azure Pipeline update Azure App Configuration? Or would it make sense to be builds and deployment/run-time config away from each other
The Azure App Configuration Push task works pretty well now :
https://learn.microsoft.com/en-us/azure/azure-app-configuration/push-kv-devops-pipeline
Probably the simplest solution to get this working is by using Azure CLI which you can integrate into your pipelines using the Azure CLI task.
To update, use the az appconfig kv set command.
Set a key using an App Configuration name and label
az appconfig kv set -n {name} --key {key1} --label {label} --value {value1} --content-type {text} --tags {tag1,tag2}
Can an Azure Pipeline update Azure App Configuration?
Apart from the az appconfig kv set in rickvdbosch's answer, you can also consider using Azure Resource Manager which can also be used to manage app settings. See similar hint here.
You can use Override template parameters option in Azure Resource Group Deployment task to update the app configurations in build/release pipeline.
I'm trying to create a Service Principal account using the instructions here
https://learn.microsoft.com/en-us/azure/media-services/latest/stream-files-tutorial-with-api#examine-the-code-that-uploads-encodes-and-streams
However when I run the command
az ams account sp create --account-name *media_service_account_name* --resource-group *resource_group_name*
Where media_service_account_name is the name shown for the media service I have created and resource_group_name the name of the resource group shown on the same page.
The problem is I get the message ResourceGroupNotFound:
Resource group 'resource_group_name' could not be found.
I just can't see what I am doing wrong. Any help appreciated.
If you have multiple subscriptions, set your subscription first and then try:
To list all subscriptions - az account list --output table
To set your subscription - az account set --subscription <subscription-id>
I had the same issue and verified the subscription with az account show, but what I was missing is that I was working in powershell and needed to set the correct subscription in powershell.
Verify context: Get-Azcontext
Set context: Set-Azcontext <subscription_id>
You may have multiple subscriptions. Set the subscription to default which you want to use in CLI.
Reference: https://learn.microsoft.com/en-us/cli/azure/manage-azure-subscriptions-azure-cli?view=azure-cli-latest
Kindly follow these steps to get over an above error:
az login
It will ask you to provide credentials
az account list --o table // Will list all subscription
Set your subscription on which you want to execute query
3. az account set --subscription "VS Subscription"
Hope it will help
I was running a task: AzureCLI#2 in azure pipeline for creating an azure vwan.
I put az account set --subscription xxxxxxx-xxxx-xxx-xxxx-xxxxxxxxx but it still didn't work and was throwing:
ERROR: (ResourceGroupNotFound) Resource group 'test-rg' could not be found.
Then I added --subscription "xxxxxxx-xxxx-xxx-xxxx-xxxxxxxxx" at the end of he az network vwan create even though it wasn't shown in the documentation.
Here's how I did:
az network vwan create --name testwan01 --resource-group test-rg --subscription "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" --type Standard
Hope it helps if you are running it from some orchestration tools like Jenkins or Azure pipelines.
Keep in mind that Resource Groups in Azure are things that you create, so the article was only providing an example of a Resource Group name.
The command to create the service principal expects you to use the resource group that you used to create your media service account.
az ams account sp create --account-name amsaccount --resource-group **amsResourceGroup**
Make sure that you are using the right resource group name that you used when you created your Media Services account first, and use a unique named one in the same region as your account. I usually call az group create before creating a new account to put it into it's own Resource Group along with the storage account I create for it.
Example
Create a new resource group named "MyResourceGroup" in the West US region.
az group create -l westus -n
Hope that helps!