I am using following command :
Select-AzureRMSubscription -SubscriptionId $subscriptionID
Set-AzureRmSqlDatabaseAuditingPolicy -ResourceGroupName $resourceGroupName -ServerName $servername -DatabaseName $dbServer.DatabaseName -StorageAccountName $storageAccount
Storage Account and DB server belong to different subscriptions , how can I execute a command that will allow to access resources from multiple subscription
how can I execute a command that will allow to access resources from
multiple subscription
We can share your resource groups to different subscriptions, to achieve this, we should invite user B(subscription 2) to AAD (subscription 1), and grant resource group permission to user B, then we can use PowerShell to get the resource groups.
Here a similar case about you, please refer to it.
You can use following command to select subscription :-
az account set --subscription "Subscription Name or Subscription Id"
Related
I have created an ARM template that I would like to deploy via Powershell to Azure directory where I am guest - meaning, I have contributor access to one particular resource group. How do I do that?
Normally, when using my own subscription, I just go Login-AzureRMSubscription and Select-AzureRMSubscription -SubscriptionId myidblabla and then New-AzureRMResourceGroupDeployment -name blabla -TemplateFile mypath -ResourceGroupName somenmae
But how do I target the directories where I am invited? Using Get-AzureRMSubscriptions, I can see also where I am guest but I cannot switch to them.
Any help with this would be greatly appreciated!
Thanks!
Edit: I have tried to Select-AzureRmSubscription -TenantId but the reply I get is details about my own subscription including my tenant Id and I still cannot see the resource group that I have access to. Note - If I login to the portal, I can easily switch to the directory and see my resource group in the resource group sections and deploy resources to it.
According to your description, we can use this command to login Azure and change directory.
Select-AzureRmSubscription -SubscripitionID <ID of sub> -TenantId <ID of Azure Tenant>
We can actually just specify the tennant ID to select the directory, without a subscription ID.
Select-AzureRmSubscription -TenantId <ID of Azure Tenant>
Normally, I integrate the deployment source to webapp, and then run the 'Sync' button found in the webapp dashboard as and when required to sync the Azure webapp with my onedrive folder.
But, if I want to give a non-Azure user, I mean , who need not be logged in to Azure portal itself, rather could invoke with a demo credential or sort, what should I do? Or, If I want to run it myself from shell, how to approach?
Would it be possible to run the sync from power-shell with service principal or similar ways ( runbooks, http trigger with azure functions for sync ) without actually giving the user a login credential itself?
Update:
1. I read this blog on Kudu but not sure whether it is what I am actually looking for. Please suggest. https://dzimchuk.net/post/azure-web-apps-continuous-deployment
Update 31/Aug:
My workflow got 3 slots dev/stage/mirror. I aim to integrate dev with source repo. So, Sync is enabled at lowest environment.
SiteName : YourWebApp(dev)
State : Running
DefaultHostName : YourWebApp-dev.azurewebsites.net
Id : /subscriptions/1234567890-{my}-{subscription}_{id}/resourceGroups/Default-Web/providers/Microsoft.Web/sites/YourWebApp/slots/dev
Name : YourWebApp/dev
Location : East US
Type : Microsoft.Web/sites/slots
If you install the latest Azure PowerShell, you can run this command to trigger a sync:
Invoke-AzureRmResourceAction -ResourceGroupName {YourResourceGroup} -ResourceType Microsoft.Web/sites -ResourceName YourWebApp -Action sync -ApiVersion 2015-08-01 -Force
Or if you're dealing with a slot, it will look like this:
Invoke-AzureRmResourceAction -ResourceGroupName {YourResourceGroup} -ResourceType Microsoft.Web/sites/slots -ResourceName YourWebApp/YourSlot -Action sync -ApiVersion 2015-08-01 -Force
As far as letting some other user authenticate, you have a couple options:
You can make them a Contributor on that Web App (using RBAC - Role Based Access Control)
You can set up a Service Principal
I am trying to set Azure Rm Subscription (Get-AzureRMSubscription) CurrentStorageAccount to a particular arm storage account (Get-AzureRmStorageAccount) and I am not able to find a cmdlet that does that.
With regular old azure cmdlets I am able to do following to set CurrentStorageAccount as
$subscription = Get-AzureSubscription
Set-AzureSubscription -SubscriptionName $subscription.SubscriptionName -CurrentStorageAccountName "somestorageaccount"
Get-AzureSubscription | select *
This set's it. But I cannot do this inside arm cmdlets.
Another thing that is confusing is that I am using the same subscription eg. Visual Studio Enterprise. And using both arm and regular cmdlets get-azuresubscription I get the same subscription but why is one showing -CurrentStorageAccount and another subscription not showing -CurrentStorageAccount.
To set the default RM subscription for the current session in PowerShell use
Get-AzureRmSubscription –SubscriptionName "MyFavSubscription" | Select-AzureRmSubscription
and to set the default RM storage context for the current session
Set-AzureRmCurrentStorageAccount –ResourceGroupName "MyFavResourceGroup" `
–StorageAccountName "MyFavStorageAccountName"
First, you must set your default subscription.
$SubscriptionName = "MyDefaultSubscription"
Select-AzureSubscription -SubscriptionName $SubscriptionName –Default
In other cases, you can set your default subscription location.
# For example, South Central US
$Location = "South Central US"
Then get your storage account name/s
$StorageAccountName = (Get-AzureStorageAccount)[0].label
Notice the number zero? It indicates the numbering of your storage. The numbering starts with 0. If you use the command Get-AzureStorageAccount, it will list all of your (classic) storage accounts. For that you can choose your desired storage.
Then lastly, set your default storage account.
Set-AzureSubscription -SubscriptionName $SubscriptionName -CurrentStorageAccountName $StorageAccountName
That commandlet is called Set-AzureRMCurrentStorageAccount.
Exactly as you said, set-azureRmCurrentStorageAccount -context $Ctx will set your default Storage account to context. I also can't find any articles to get out explanation on this. I think you can try to use Azure CLI to set your default Azure storage account in environment variables.
I tried to use Login-AzureRmAccount and Add-AzureRmAccount to login to my Azure Accounts. I have two of them, it was easy to add both of them via Add-AzureAccount and manage the active and default one using Select-Azuresubscription.
With the RM cmdlets every time I do Add-AzureRmAccount it overrides the previous authenticated one. This makes it hard for me to switch between a private and a company azure account.
Are there any solutions for that ?
I am using the PowerShell Gallery to update the Azure and AzureRM Modules and using the latest ones.
The official way is to do something like this
$profile1 = Login-AzureRmAccount
$profile2 = Login-AzureRmAccount
Select-AzureRmProfile -Profile $profile2
You can then save the profiles to disk using
Save-AzureRmProfile -Profile $profile1 -Path e:\ps\profile1.json
You can then load with
Select-AzureRmProfile -Path e:\ps\profile1.json
My personal approach though was to create a module that gave a cmdlet with profile1,profile2 etc as parameters. It would then download and decrypt credentials and feed them into Add-AzureRMAccount (this way I can use the same credential file from assorted locations)
Use Login-AzureRMAccout to login two accounts respectively. Then use Get-AzureRmSubscription to check the subscription info and note down the two TenantIds.
To switch between a private and a company azure account, you can specify the TenantId parameter using
$loadersubscription = Get-AzureRmSubscription -SubscriptionName $YourSubscriptionName -TenantId $YourAssociatedSubscriptionTenantId
I am using Powershell Azure cmdlets to do some operation on each subscription I have.
However, all my subscriptions have the same name. So if I do an operation like:
$subs | ForEach-Object {
Select-AzureSubscription -Current -SubscriptionName $_.SubscriptionName
$services = Get-AzureService
Write-Output "$($services .Length) services under $($_.SubscriptionId) subscription"
}
it always works for the same subscription because the subscriptions only differ in subscription ID.
And the Select-AzureSubscription does not have a -SubscriptionId parameter.
Any ideas how can I find a workaround?
Not sure if this was added later, but as of Nov 2015 you can use -SubscriptionId
Write-Host "Selecting Azure subscription using id"
Select-AzureSubscription -SubscriptionId $subscriptionId
If you are an account administrator for your account, you can change the name of your subscription. This way when you or anyone else who has access to the subscription downloads publishsettings, the name will be set the way you want.
http://rickrainey.com/windows-azure-how-tos/how-to-change-the-name-of-your-windows-azure-subscription/
Edit the publishsettings file, giving each subscription a different name. Then re-import. At that point, you'll be able to easily access each one uniquely by name.