How can I create a Azure AD client secret with the cli the following command seems to delete the already existing "client secret".
az ad sp credential reset --name {name} --end-date 2025-03-04 --credential-description {credential-name}
I was able to use AZ rest in the bash shell
az rest --method POST --headers "Content-Type=application/json" --uri 'https://graph.microsoft.com/v1.0/myorganization/applications/{id}/addPassword' --body '{"passwordCredential":{"displayName":"test","endDateTime":"2032-05-11T07:29:41.763Z","startDateTime":"2021-11-11T08:29:41.763Z"}}'
Related
I'm trying to add a rule to enable requests from a devops pipeline to an azure function app.
I run the following az cli command (either from the pipeline or from a VS Code terminal window)
az functionapp config access-restriction add -g rg-name-here -n func-name-here --rule-name devopsRB --action Allow --ip-address "51.142.236.175/27" --priority 146
This gives back the following error:
51.142.236.175/27 has host bits set
If I add the same rule via the Azure portal it works ok.
Anyone see what I'm doing wrong?
The error 51.142.236.175/27 has host bits set also occurred to me. But I ran Azure CLI task with command
az functionapp config access-restriction add -g GROUP -n NAME --rule-name RULEname --action Allow --ip-address 51.142.0.0/27 --priority 300
successfully. Consider using 51.142.0.0/27.
To make parameters using key vaults available for my azure webapp I've executed the following
identity=`az webapp identity assign \
--name $(appName) \
--resource-group $(appResourceGroupName) \
--query principalId -o tsv`
az keyvault set-policy \
--name $(keyVaultName) \
--secret-permissions get \
--object-id $identity
Now I want to create an azure postgres server taking admin-password from a key vault:
az postgres server create \
--location $(location) \
--resource-group $(ResourceGroupName) \
--name $(PostgresServerName) \
--admin-user $(AdminUserName) \
--admin-password '$(AdminPassWord)' \
--sku-name $(pgSkuName)
If the value of my AdminPassWord is here something like
#Microsoft.KeyVault(SecretUri=https://<myKv>.vault.azure.net/secrets/AdminPassWord/)
I need the single quotes (like above) to get the postgres server created. But does this mean that the password will be the whole string '#Microsoft.KeyVault(SecretUri=https://<myKv>.vault.azure.net/secrets/AdminPassWord/)' instead of the secret stored in <myKv> ?
When running my pipeline without the quotes (i.e. just --admin-password $(AdminPassWord) \) I got the error message syntax error near unexpected token ('. I thought that it could be consequence of the fact that I have't set the policy --secret-permissions get for the resource postgres server. But how can I set it before creating the postgres server ?
The expresssion #Microsoft.KeyVault(SecretUri=https://<myKv>.vault.azure.net/secrets/AdminPassWord/) is used to access the keyvault secret value in azure web app, when you configure it with the first two commands, the managed identity of the web app will be able to access the keyvault secret.
But if you want to create an azure postgres server with the password, you need to obtain the secret value firstly and use it rather than use the expression.
For Azure CLI, you could use az keyvault secret show, then pass the secret to the parameter --admin-password in az postgres server create.
az keyvault secret show [--id]
[--name]
[--query-examples]
[--subscription]
[--vault-name]
[--version]
I'm trying to create an ARM template so I can create all of my resources that already exist in one azure subscription to another new subscription. For example, if I have something in the testing environment, I would like to create new resources in a different environment for me to be able to deploy code after. However, I am very new to Azure and powershell and ARM templates and therefore, am looking for guidance on where to begin and how to achieve this goal.
I've already read up on powershell.
I know how to move resources from one resource group to another or even different Azure subscriptions.
so generally you would create an ARM Template to do this. When you need to change something you add\remove resources to it, then you would deploy it to different environments. This would be similar to how you promote your application across environment. First you deploy it to dev, test it. Then you deploy it to test and do more rigorous testing, perhaps performance testing. Then you deploy it to production.
If you are looking for examples, here's the official examples repo. The official docs might help as well.
Azure Resource Manager templates are the preferred way of automating the deployment of resources to ARM. Learn how to deploy resources with Resource Manager templates and Azure PowerShell , you can refer to this official document.
To deploy to a subscription, use New-AzDeployment:
New-AzDeployment -Location <location> -TemplateFile <path-to-template>
If you want to deploy Azure Resource Manager Templates with azure devops, you can refer to these ( blog, blog). One of the concepts about devops is automation, if you don’t want to manually recreate everytime your environment through the portal , this is a good try.
you can take a look at Azure Citadel self-paced ARM template lab
If you really want to start with ARM Templates you need to parameterise all values in the template azuredeploy.json and build out your parameters file azuredeploy.parameters.json with the parameters that you need to change between environments such as name, location, sku/size etc.
Although if you're just starting out I recommend going straight to Azure CLI. It's simple, easily repeatable and you can deploy whole solutions in a few commands. This creates a Resource Group, SQL Logical Server with DB and App Service Plan with Web App.
Dev
az group create --name "rg-d-01" --location "australiaeast"
az appservice plan create --name "asp-d-01" --resource-group "rg-d-01" --location "australiaeast" --sku "S1"
az webapp create --name "awa-d-01" --plan "asp-d-01" --resource-group "rg-d-01"
az sql server create --name "sql-d-01" --resource-group "rg-d-01" --location "australiaeast"
az sql db create --server "sql-d-01" --resource-group "rg-d-01" --name "sqldb-d-01" --service-objective S0
Test
az group create --name "rg-t-01" --location "australiaeast"
az appservice plan create --name "asp-t-01" --resource-group "rg-t-01" --location "australiaeast" --sku "S1"
az webapp create --name "awa-t-01" --plan "awhp-t-01" --resource-group "rg-t-01"
az sql server create --name "sql-t-01" --resource-group "rg-t-01" --location "australiaeast"
az sql db create --server "sql-t-01" --resource-group "rg-t-01" --name "sqldb-t-01" --service-objective S0
Prod
az group create --name "rg-p-01" --location "australiaeast"
az appservice plan create --name "asp-p-01" --resource-group "rg-p-01" --location "australiaeast" --sku "S1"
az webapp create --name "awa-p-01" --plan "awhp-p-01" --resource-group "rg-p-01"
az sql server create --name "sql-p-01" --resource-group "rg-p-01" --location "australiaeast"
az sql db create --server "sql-p-01" --resource-group "rg-p-01" --name "sqldb-p-01" --service-objective S0
I have a Scala rest service on Finatra and would like to authenticate users accessing my rest service using Azure Active Directory.
Currently, I can do a curl to get the access token:
curl -s -X POST https://login.microsoftonline.com/tenant id/oauth2/token -d grant_type=password -d username=$username -d password=$pass -d resource=$resID -d client_id=$id -d client_secret=$key
But it requires the user to pass his password as a parameter which is a security concern.
Is there a way to authenticate the user using Azure AD with taking in the password (I am pretty sure this is not possible) or asking him to sign in?
It is not recommended to use your user and password to login Azure account. You had better create service principal to sign in your Azure account. Please refer to this link: Use portal to create an Azure Active Directory application and service principal that can access resources.
Also, you could use Azure CLI 2.0 to create this.
az ad sp create-for-rbac --name {appId} --password "{strong password}"
Example:
az ad sp create-for-rbac --name shuiexample --password "Password012!!"
You could get result like below:
{
"appId": "bca24913-026d-4020-b9f1-add600bf9045",
"displayName": "shuiexample1234",
"name": "http://shuiexample1234",
"password": "*******",
"tenant": "*******"
}
Sign in using the service principal.
APPID="bca24913-026d-4020-b9f1-add600bf9045"
PASSWORD="******"
TENANTID="*******"
curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'client_id=$APPID&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&client_secret=$PASSWORD&grant_type=client_credentials' 'https://login.microsoftonline.com/$TENANTID/oauth2/token'
I am trying to get started using IBM Bluemix and want to use the Cloud Foundry CLI to login and manage my applications. But I cannot figure out how to login using the cf command. I think what I am missing is the API endpoint I need to provide for the cf login command:
cf login -a [API_URL] -u [USERNAME] -p [PASSWORD]
I suspect I use my IBM ID username and password, but I'm not sure about the API_URL. Seems like this should be an easy question to search, but I have not been able to find an answer.
You set the api endpoint like this:
cf api https://api.ng.bluemix.net
and then you login with cf login.
Alternatively you can use the European endpoint:
cf api https://api.eu-gb.bluemix.net
EDIT:
Alternatively, as you were implying, you can pass the API endpoint to cf login directly via the -a option:
cf login -a https://api.ng.bluemix.net -u <ibm.com id>
Found the answer to my question. The API endpoint for IBM bluemix is https://api.ng.bluemix.net. That was the key piece of information I was missing to login to IBM Bluemix using the Cloud Foundry CLI:
cf login -a https://api.ng.bluemix.net -u <IBM ID Name> -p <IBM ID Password>
I'm impressed with how easy the rest of the cf command is to manage apps.