Currently the Deployment Group 'Register' script needs to be run interactively by providing information like tags, Token, account credentials etc.
It becomes a tedious task to run this interactive script on hundreds of machines to register them into Azure Pipeline Deployment Group.
Is there a way, where we can run in non-interactive mode by passing the required information as a parameter to script?
For e.g. .\scriptToAddToDeploymentGroup.ps1 <--tags appServer, domainController, etc> <--token 43875783457834545>
Can we automate this task from command line by passing parameter
values?
For this issue , the answer is yes.
You could add tags and token as parameters to the Registration script. For details ,please refer to this document.
If you chose --auth pat:
--token <token> - specifies your personal access token
--deploymentGroupTags <tags> - used with --addDeploymentGroupTags to specify the comma separated list of tags for the deployment group agent - for example "web, db"
For example:
\config.cmd --deploymentgroup --deploymentgroupname "xxx" --agent $env:COMPUTERNAME --runasservice --work '_work' --url 'https://dev.azure.com/xx/' --projectname 'xxx'
Related
In my release pipeline, I'm running an Azure Cli task with a PowerShell script. In the script, I want to grant the current pipeline SP a list secret permission for one azure Key vault.
For doing this, I will need the ObjectId for the current pipeline SP. Turns out this is the hardest thing ever. The pipeline settings only allow return PrincipaleId, then I tried az ad sp show --id $env:servicePrincipalId --query objectId -o tsv. However, this always returns empty string, I guess since the pipeline is authed by a token, Azure does not allow it to get info about itself.
Wondering how can I get this magic ObjectId for the current pipeline other than just pass the value in from pipeline variable
It was an issue with "objectId" parameter value. I have tried to replicate the same in Azure Portal. Instead of using objectId use id parameter, it will work.
az ad sp show *********** --query id -o tsv
Replicated the same in portal.
Created a new Service principal
here are the service principal details:
Step2:
run the command with objectId parameter, output is empty. When we update with "id" it working as expected.
I'm trying to login to Azure Subscription using Service Principal from Azure DevOps build Pipeline PowerShell task.
The reason I need to log in is, I need to execute a few Log analytics queries from the same PowerShell task, hence it requires authentication to the subscription.
Service Principal ID and Key are in Key Vault as secrets. I need to read them as plain text to pass and authenticate with Azure Subscription.
The problem is, I'm not able to read them as plain text or plain string as it comes as an encrypted string value in the Azure DevOps PowerShell task. I can't seem to find ways in order to read them as plain text directly.
I can't use the below command
(Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName).SecretValueText
because we need to be authenticated already to Azure Subscription to execute the other modules' commands.
Tried the below (i.e) Value for $Encrypted (Service Principal ID) is in KeyVault as plain text When I used the below it said, Input was not in a correct format
$AppId = (ConvertTo-SecureString $Encrypted) $BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($AppId) $AppId = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
Looking for any other ways to accomplish this task.
Found out an answer for this. I was using PowerShell task type as AzurePowerShell#2
But changed that to task: AzurePowerShell#4 which made things very easier as I already have Service Connection, i can authenticate to subscription using that and also can read and pass the Key Vault secrets successfully.
you need to mention azurePowerShellVersion: LatestVersion in build task, it worked simply.
Also this eliminated the requirement of using Service principal and now i can authenticate to subscription using Azure DevOps Service connection.
I am creating a cloudformation stack using a SAM template and the CLI. I have successfully done this using an account that gets all the required permissions from policies directly attached to it. It's poor security practice to give this account all these permissions so I've created a role with the same policies attached and want to use that for deployment instead. However, even though I pass my role through the --role-arn parameter the command is still looking to the account for the permissions.
Here are the commands I've tried using:
aws cloudformation deploy --template-file TemplatePackaged.yaml --stack-name TestStack --capabilities CAPABILITY_IAM --region us-east-1 --role-arn arn:aws:iam::666488004797:role/LambdaApplicationCreateRole
or
sam deploy --template-file TemplatePackaged.yaml --stack-name TestStack --capabilities CAPABILITY_IAM --region us-east-1 --role-arn arn:aws:iam::666488004797:role/LambdaApplicationCreateRole
Unless the user logged into the cli has the required permissions I get the error with either command:
An error occurred (AccessDenied) when calling the DescribeStacks
operation: User: arn:aws:iam::666488004797:user/DummyUser1 is not
authorized to perform: cloudformation:DescribeStacks on resource:
arn:aws:cloudformation:us-east-1:666488004797:stack/Melissa/*
How do I get the deploy command to use the role passed in the --role-arn parameter to get the permissions it needs?
After a lot of reading and trial and error I found that Manoj's answer is correct, but the tricky part is the argument that one needs to pass as xyz in his answer. Here is what I had to in order to pass a role:
I had to configure the role that I wanted to pass on the AWS CLI's config file as a profile. The parameter --profile that Manoj mentioned only works with profiles configured in this file (to the best of my knowledge). The way to configure a role as a profile is using the command:
aws configure --profile arbitraryName
What follows after profile is just a label or variable that you will use to refer to your role when you want to pass it, you can give it any name but ideally you would name it the same as the role it will hold. Running this command will prompt you for a couple of fields. As far as I know roles don't have access_key or secret_access_key so just hit enter to skip these as well as the region and output, you don't need those for your role. Next you will set fields that roles actually need by using these commands:
aws configure set profile.arbitraryName.role_arn roleArn
aws configure set profile.arbitraryName.source_profile cliProfile
The roleArn is the arn of the role you are configuring into the CLI,the cliProfile is a user already configured in the CLI that has rights to assume the role. Once this is done, whenever you want to pass the configured role in a command you just need to add --profile arbitraryName as the last parameter of your command and the command will use permissions from the role that was passed.
*Interesting to know, passing a role this way does an implicit aws sts assume-role. If you know where your .aws folder is you can go in and see a folder named cli, which contains a json file with the temporary credentials that are created when a role is assumed.
I had to do a lot of reading to figure this out, I hope this answer will save someone else some time.
there could be multiple approaches.
Assume the role and use profile for deploying aws cloudformation
aws cloudformation deploy --template-file TemplatePackaged.yaml --stack-name TestStack --profile xyz
Launch an EC2 instance with an instance profile which is having access to cloudformation, you don't have to explicitly specify role arn or profile details
aws cloudformation deploy --template-file TemplatePackaged.yaml --stack-name TestStack
I have an Azure Active Directory app and it has various reply URLs. I've being adding reply URLs manually in the Azure portal AAD-> register-app-> settings-> reply-URLS.
My goal is to be able to run an azure pipeline task that can retrieve the reply URL I need from an azure app service( which I know how to do) and add it to the reply URL list from the register app in AAD with a command. Using either Azure-cli, Azure-powershell or Powershell from azure pipeline task list.
If there's another way of doing it with another task I'm open to suggestions.
This is what i tried:
This is what the log/debug output:
I guess that a better questions is:
How Can I give privileges to an Azure CLI task from Azure DevOps to achieve the task from previous problem?
Your question has changed a bit after your edit, so I've tried to revise and answer both parts.. i.e. adding reply URLs through script and something to possibly help with privileges issues:
Adding Reply URLs to your application through PowerShell script
Make use of application object's ReplyUrls list and Set-AzureADApplication command. Here's a quick sample script:
# ObjectId for application from App Registrations in your AzureAD
$appObjectId = "<Your Application Object Id>"
$app = Get-AzureADApplication -ObjectId $appObjectId
# reply URL to add
$newURL = "https://mynewurl"
# Existing reply URLs list
$replyURLList = $app.ReplyUrls;
$replyURLList.Add($newURL)
Set-AzureADApplication -ObjectId $app.ObjectId -ReplyUrls $replyURLList
Assigning correct privileges for execution of script
To execute your script as part of pipeline, this article provides very detailed step-by-step instructions: Set up continuous deployment in Azure Pipelines
I would point you to option 1 in the article, which talks about creating a separate application/service principal for executing the script. Once you do that, you can assign the required privileges to this service principal that will be used to execute the script and resolve your current issue of insufficient privileges.
Screenshot for important parts from article:
For step h, you can follow the first link to register application from Azure Portal.
Once you have the separate application/service principal created for executing script, please go to it's settings > Required Permissions
"Windows Azure Active Directory" should already be available in list of APIs (if not, you can click Add button to add it)
Pick the appropriate privilege under application permissions.
Make sure you go through Admin consent at the end of this process by clicking on the "Grant permissions" button at the end of this process.
I'm trying to create a Service Principal account using the instructions here
https://learn.microsoft.com/en-us/azure/media-services/latest/stream-files-tutorial-with-api#examine-the-code-that-uploads-encodes-and-streams
However when I run the command
az ams account sp create --account-name *media_service_account_name* --resource-group *resource_group_name*
Where media_service_account_name is the name shown for the media service I have created and resource_group_name the name of the resource group shown on the same page.
The problem is I get the message ResourceGroupNotFound:
Resource group 'resource_group_name' could not be found.
I just can't see what I am doing wrong. Any help appreciated.
If you have multiple subscriptions, set your subscription first and then try:
To list all subscriptions - az account list --output table
To set your subscription - az account set --subscription <subscription-id>
I had the same issue and verified the subscription with az account show, but what I was missing is that I was working in powershell and needed to set the correct subscription in powershell.
Verify context: Get-Azcontext
Set context: Set-Azcontext <subscription_id>
You may have multiple subscriptions. Set the subscription to default which you want to use in CLI.
Reference: https://learn.microsoft.com/en-us/cli/azure/manage-azure-subscriptions-azure-cli?view=azure-cli-latest
Kindly follow these steps to get over an above error:
az login
It will ask you to provide credentials
az account list --o table // Will list all subscription
Set your subscription on which you want to execute query
3. az account set --subscription "VS Subscription"
Hope it will help
I was running a task: AzureCLI#2 in azure pipeline for creating an azure vwan.
I put az account set --subscription xxxxxxx-xxxx-xxx-xxxx-xxxxxxxxx but it still didn't work and was throwing:
ERROR: (ResourceGroupNotFound) Resource group 'test-rg' could not be found.
Then I added --subscription "xxxxxxx-xxxx-xxx-xxxx-xxxxxxxxx" at the end of he az network vwan create even though it wasn't shown in the documentation.
Here's how I did:
az network vwan create --name testwan01 --resource-group test-rg --subscription "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" --type Standard
Hope it helps if you are running it from some orchestration tools like Jenkins or Azure pipelines.
Keep in mind that Resource Groups in Azure are things that you create, so the article was only providing an example of a Resource Group name.
The command to create the service principal expects you to use the resource group that you used to create your media service account.
az ams account sp create --account-name amsaccount --resource-group **amsResourceGroup**
Make sure that you are using the right resource group name that you used when you created your Media Services account first, and use a unique named one in the same region as your account. I usually call az group create before creating a new account to put it into it's own Resource Group along with the storage account I create for it.
Example
Create a new resource group named "MyResourceGroup" in the West US region.
az group create -l westus -n
Hope that helps!