I'm trying to create a Service Principal account using the instructions here
https://learn.microsoft.com/en-us/azure/media-services/latest/stream-files-tutorial-with-api#examine-the-code-that-uploads-encodes-and-streams
However when I run the command
az ams account sp create --account-name *media_service_account_name* --resource-group *resource_group_name*
Where media_service_account_name is the name shown for the media service I have created and resource_group_name the name of the resource group shown on the same page.
The problem is I get the message ResourceGroupNotFound:
Resource group 'resource_group_name' could not be found.
I just can't see what I am doing wrong. Any help appreciated.
If you have multiple subscriptions, set your subscription first and then try:
To list all subscriptions - az account list --output table
To set your subscription - az account set --subscription <subscription-id>
I had the same issue and verified the subscription with az account show, but what I was missing is that I was working in powershell and needed to set the correct subscription in powershell.
Verify context: Get-Azcontext
Set context: Set-Azcontext <subscription_id>
You may have multiple subscriptions. Set the subscription to default which you want to use in CLI.
Reference: https://learn.microsoft.com/en-us/cli/azure/manage-azure-subscriptions-azure-cli?view=azure-cli-latest
Kindly follow these steps to get over an above error:
az login
It will ask you to provide credentials
az account list --o table // Will list all subscription
Set your subscription on which you want to execute query
3. az account set --subscription "VS Subscription"
Hope it will help
I was running a task: AzureCLI#2 in azure pipeline for creating an azure vwan.
I put az account set --subscription xxxxxxx-xxxx-xxx-xxxx-xxxxxxxxx but it still didn't work and was throwing:
ERROR: (ResourceGroupNotFound) Resource group 'test-rg' could not be found.
Then I added --subscription "xxxxxxx-xxxx-xxx-xxxx-xxxxxxxxx" at the end of he az network vwan create even though it wasn't shown in the documentation.
Here's how I did:
az network vwan create --name testwan01 --resource-group test-rg --subscription "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" --type Standard
Hope it helps if you are running it from some orchestration tools like Jenkins or Azure pipelines.
Keep in mind that Resource Groups in Azure are things that you create, so the article was only providing an example of a Resource Group name.
The command to create the service principal expects you to use the resource group that you used to create your media service account.
az ams account sp create --account-name amsaccount --resource-group **amsResourceGroup**
Make sure that you are using the right resource group name that you used when you created your Media Services account first, and use a unique named one in the same region as your account. I usually call az group create before creating a new account to put it into it's own Resource Group along with the storage account I create for it.
Example
Create a new resource group named "MyResourceGroup" in the West US region.
az group create -l westus -n
Hope that helps!
Related
I am trying to use az devops security group membership list --id descriptor.
When I am using this cli I am getting the below error for one of my descriptor:
ERROR: TF400049: The request was aborted because it contained too many requested items 800, maximum allowed is 500.
I checked for continuation token as well but it seems like this cli doesnot support the continuation token.
Azure devops cli : az devops security group membership list
According to the document az devops security group membership list:
Optional Parameters:
--detect
--org --organization
--relationship
--subscription
--debug
--help -h
--only-show-errors
--output -o
--query
--verbose
There is no such parameter to allow us to list all the users. You could add the user voice on the Github https://github.com/Azure/azure-cli.
Or you could try to use the REST API with continuation token to get all the users:
Memberships - List
You should be able to use a JMESQuery with --query to selectively get the results.
I'm following the official docs to create Azure Kubernetes clusters. The docs state that I need to create a service principal first, manually, and provide the client_id and client_secret.
Doing it manually is not an option.
Here is the code for my service principal. It's decorated with links to the most recent Terraform docs for reference.
data "azurerm_subscription" "current" {}
data "azuread_client_config" "current" {}
resource "random_id" "current" {
byte_length = 8
prefix = "ExternalDnsTf"
}
# Create Azure AD App.
# https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application
resource "azuread_application" "current" {
display_name = random_id.current.hex
owners = [data.azuread_client_config.current.object_id]
}
# Create Service Principal associated with the Azure AD App
# https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal
resource "azuread_service_principal" "current" {
application_id = azuread_application.current.application_id
app_role_assignment_required = false
owners = [data.azuread_client_config.current.object_id]
}
# Create Service Principal password
# https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_password
resource "azuread_application_password" "current" {
application_object_id = azuread_application.current.object_id
}
# Create role assignment for service principal
# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment
resource "azurerm_role_assignment" "current" {
scope = data.azurerm_subscription.current.id
role_definition_name = "Contributor"
# When assigning to a SP, use the object_id, not the appId
# see: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-cli
principal_id = azuread_service_principal.current.object_id
}
I keep getting the following error in my pipeline: (note, I am the owner of my subscription)
ApplicationsClient.BaseClient.Post(): unexpected status 403 with OData
│ error: Authorization_RequestDenied: Insufficient privileges to complete the
│ operation.
What I'm trying to do is to eliminate the manual steps to setup supporting services. Take ExternalDNS for example. The Azure docs state that I need to use az ad sp create-for-rbac -n ExternalDnsServicePrincipal; az role assignment create --role "Reader" --assignee <appId GUID> --scope <resource group resource id>; az role assignment create --role "Contributor" --assignee <appId GUID> --scope <dns zone resource id>
Ultimately, I'm trying to create the terraform version of the azure cli commands.
Support for create-for-rbac was a feature request on github. That used to work great, but so much has changed, it's not applicable to current API versions. Also, with AAD Graph being deprecated in favor Microsoft Graph API, I wonder if I'm getting snagged on that.
The ExternalDNS docs also suggested Managed Service Identities (MSI). Service principals, MSI, MSGraph API integration, honestly, I don't care which one is used. Whatever is current best-practices is fine so long as I do not have to log into the portal to manually create or give permissions, or manually run az cli commands.
EDIT: Permissions clarification
I'm using Terraform, of course, to provision resources. If I do all of this without terraform (manually or with a bash script), I use azure cli I start setting permissions by doing the following:
az login
az account set -s <my-subscription-id>
I am the owner of my subscription. I can run all commands, create SPs, MSIs, assign roles, etc, with no problem.
In the pipelines, I am using the charleszipp az pipelines terraform plugin. In the logs, I see:
az login --service-principal -t <my-tenant-id> -u *** -p ***
az account set -s <my-subscription-id>
I'm not sure if that makes a difference. I interpret that as ultimately, commands are executed after signing in and setting the account subscription, like I do manually.
Technically, I'm not using a service connection in several of these tasks. However, where one is required, I have created a Service connection and defined its Scope to the subscription level. It's of type Azure Resource Manager.
However, if I click "manage service principal, it takes me to the portal where there are no permissions defined.
While I am the owner of my subscription, I am not the root management group. I'm owned / provisioned by someone else. Ultimately, they have control of Active Directory. I cannot add or edit permissions. If I try to add any under permissions API and select Microsoft Graph, it says that authorization is required. Grant Admin Consent for <parent organization is greyed out.
But why would that be important if I'm the owner of my subscription? If I can do whatever I want via the az cli command line, what's preventing me from doing the same in the pipeline?
I am using user-managed identity for that, it seemed most straightforward and worked fine for me.
resource "azurerm_user_managed_identity", "mi" {
resource_group_name = "rg"
name = "mi"
location = "eastus"
}
resource "azurerm_role_assignment" "ra" {
scope = azurerm_subnet.sn.id // subnet I created earlier
role_definition_name = "Network Contributor" // required with kubenet
principal_id = azurerm_user_managed_identity.mi.principal_id
}
resource "azurerm_kubernetes_cluster" "aks" {
name = "aks"
identity {
type = "UserAssigned"
user_assigned_identity_id = azurerm_user_managed_identity.mi.id
}
<...remaining attributes...>
depends_on = [azurerm_role_assignment.ra] // just to be safe
}
In my project, I want to create a few AzureRM service connections with different levels of access. I want to allow only certain pipelines to use the service connections. And I am aiming to use API or az devops extension to do this. Portal already allows to choose which pipelines are allowed to use the service connection through service connection security settings.
So far I was able to find the relevant permission in the ServiceEndpoints namespace
Name Permission Description Permission Bit
Use Use Service Connection 1
However, I do not know how to grant the permission to the pipeline. I think i should use 'az devops security permission update' from the extension however can not figure what the subject should be in case of a pipeline. Looking at the output of 'az pipelines build definition show' i do not see any unique identifier for a pipeline and documentation for security permission update says subject should be a user of group.
If i want to use the API, i will need to know how to create the descriptor to pass to Set Access Control Lists.
Any hint is appreciated.
Grant permission to pipeline to use a service connection
According to the document az devops security permission, we could use az devops security permission update to update the azure devops security permission:
az devops security permission update --id
--subject
--token
[--allow-bit]
[--deny-bit]
[--detect {false, true}]
[--merge {false, true}]
[--org]
however can not figure what the subject should be in case of a
pipeline.
As the statement for the Parameters, we could to know:
--subject
User Email ID or Group descriptor.
So, if we update the permission to given user, we just need provide the User Email in above command. If we want to update the permission to given group, we need to provide the Group descriptor.
To get the Group descriptor, we could use the az devops security group list.
You could check this thread for some details.
I've been adding permissions to a custom Azure DevOps Services group through the Azure CLI (az devops version 0.11.0) and I've usually been able to do the following:
az devops security permission namespace list, find namespaceId of specific namespace (like EventSubscription)
Get the Project Admin's descriptor
az devops security permission list --id $namespaceId --subject $projectAdmin.descriptor...
Find an allow bit in the ACES dictionary, find the respective token
az devops security permission update... with the new token
But when I run security permission list for the EventSubscription namespace, it returns with empty JSON for the project admins group so I can't find the token. I've tried "$SUBSCRIPTION" as it looked like what a TFS 2010 user used, but that doesn't work.
Questions:
How can I list tokens on the project admins group for the EventSubscription namespace? I tried to see if tfssecurity would pull anything up, but didn't work. Also tried using Fiddler to see if it would find a token but also nothing. Can't use Fiddler with the UI.
Or what token do I use for Azure DevOps to update the EventSubscription permission for a group?
I tested with EventSubscription namespace id and project admins group descriptor as subject parameters and got the same result as you.
$env:AZURE_DEVOPS_EXT_PAT = 'ckdhd6wuma5uw2h35dv37pgdum5eyjviqneineixxxxx'
$output = az devops security permission namespace list | ConvertTo-Json -Depth 100
#get descriptor
$output2 = az devops security group list --scope project | ConvertTo-Json -Depth 100
#eventSubscription namespaceId: 58b176e7-3411-457a-89d0-c6xxx/ Project namespaceId:52d39943-cb85-4d7f-8fa8-c6xxx
$output3 = az devops security permission list --namespace-id 58b176e7-3411-457a-89d0-c6xxxx --subject vssgp.Uy0xLTktMTU1MTM3NDI0NS00MjQ3MDQ2OTMyLTI2ODA1Nzg2MjktMjkxMzgyMjE4MC0yNDQ0MjYxxxxx | ConvertTo-Json -Depth 100
Write-Host $output3
But when I tested with Project namespace id and project admins group descriptor, I can get the token normally.
So I think this could be a problem with the association between the EventSubscription namespace and the project admins group descriptor. Can you share the corresponding operation in the UI? This will help me investigate further.
I have around 100 Azure Web Apps and Azure Functions which I created using Azure PowerShell and CLI, now I need to assign Owner Access to these Web Apps to users (Separate users for each Web Apps)
I am unable to find any sample for this, most sample are pointing to Assigning Resource Group Level Access, but not to the Specific Resource.
The task is achievable in the Azure Portal, just need the PowerShell or CLI command to assign users owner or contributor rights to these specific resources.
If possible please provide a sample command
For Power Shell, you could use New-AzureRmRoleAssignment to do this.
For example.
New-AzureRmRoleAssignment -SignInName "test#hotmail.com" -RoleDefinitionName Owner -Scope "/subscriptions/*************/resourceGroups/shuiapp/providers/Microsoft.Web/sites/shuicli"
or
New-AzureRmRoleAssignment -ObjectId "859f0f40-057b-4afc-9d05-fe8b3933ae87" -RoleDefinitionName Owner -Scope "/subscriptions/*****************/resourceGroups/shuiapp/providers/Microsoft.Web/sites/shuicli"
Note: You could get your user object ID with cmdlet get-azureaduser.
Azure CLI
You could use az role assignment create to do this.
For example.
az role assignment create --assignee <user object id> --role Owner --scope "/subscriptions/3b4d41fa-e91d-4bc7-bc11-13d221b3b77d/resourceGroups/shuiapp/providers/Microsoft.Web/sites/shuicli"
Note: If your user is Azure AD user, you could use az ad user list to get user's object id. If your user is a service principal, you could use az ad sp list to get object id.