New-AzureResourceGroup unauthorized in VSO build agent - azure-devops

I have a build agent set up on a VM in Azure, that is linked to our Visual Studio Online.
I then have an Azure Powershell build step that runs a script that tries to execute New-AzureResourceGroup.
This results in the following:
New-AzureResourceGroup : Unauthorized
##[error]At C:\BuildAgents\agent\_work\[...]\Deploy-AzureResourceGroup.ps1:47 char:1
##[error]+ New-AzureResourceGroup -Name $ResourceGroupName -Location $ResourceGroupLocation ...
##[error]+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
##[error]+ CategoryInfo : CloseError: (:) [New-AzureResourceGroup], CloudException
##[error]+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Resources.NewAzureResourceGroupCommand
I can run these scripts locally with no problem.
I have tried importing a publish settings file in the script, but it seems New-AzureResourceGroup does not allow authentication this way.
I run the build agent as a service under a local user account (not network service).
Does anyone know how to allow the build agent to execute New-AzureResourceGroup?
I hope to be able to do a full continuous deployment including setting up and managing everything needed in Azure, including the resource groups.
UPDATE
According to the article below:
"If you connect using this method [publish settings file], you can only use the Azure Service Management (or the ASM mode) commands."
https://azure.microsoft.com/en-us/documentation/articles/xplat-cli-connect/
I'm assuming this applies to Azure powershell as well.
So, is there really no way of managing resources in azure without using account based authentication?
UPDATE
Thanks to #bmoore-msft for providing the missing piece. I'll just add another screen shot of the link I needed to find to set up the build to run under an actual account.

In Azure Resource Manager you do have to use Azure Active Directory authentication, no certs. So that applies to cli, PowerShell, REST APIs, etc.
In VSO there is a build task for Azure PowerShell. When you use that task you specify a "connection" or subscription to execute the task as... so you save the creds in VSO. You could use a regular PowerShell task, but then you would have to secure the creds yourself.
Finally, when you set up the account connection in VSO, it must be an orgID, MSAs are not supported (PowerShell limitation). Service Principal support is coming.

I also had a lot of trouble using the Azure Resource Manager with VSO.
I finally found a working solution to my problem by creating a Service Principal account with enough rights on the Azure subscription to deploy from Visual Studio Online.
I used this blog post from David Ebbo to create the Service Principal Account: http://blog.davidebbo.com/2014/12/azure-service-principal.html
In VSO I removed the "Azure PowerShell" step and replaced it with a "PowerShell" step. In the PowerShell script I start by logging in with the Service Principal account and then deploy my applications using Azure Resource Manager.
More details of my findings can be found on the MSDN forum: https://social.msdn.microsoft.com/Forums/azure/en-US/d5a940e0-ed83-46ff-9efc-045fb9522c5b/ad-auth-from-azure-powershell-in-vso-fails-with-accessingwsmetadataexchangefailed?forum=azurescripting
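The service-principal approach from the answer above, as an added example that is not the answerer's script. It is written for a plain "PowerShell" build step in the AzureRM module era (Azure PowerShell 1.0 and later renamed the ARM cmdlets, so New-AzureResourceGroup from the question becomes New-AzureRmResourceGroup). The script assumes the application id, key and tenant are passed as arguments from VSO secret build variables rather than hard-coded, and the variable names are placeholders:

```powershell
# Added example, not from the original answer. Logs in as an Azure AD service
# principal (no interactive account, no certificate-based ASM auth) and creates
# the resource group with the ARM-mode cmdlet.
# Invoke from the build step as:
#   -ApplicationId $(AzureSpAppId) -Secret $(AzureSpSecret) -TenantId $(AzureTenantId) ...
# where the $(...) names are secret build variables (assumed names).
param(
    [Parameter(Mandatory = $true)] [string] $ApplicationId,
    [Parameter(Mandatory = $true)] [string] $Secret,
    [Parameter(Mandatory = $true)] [string] $TenantId,
    [Parameter(Mandatory = $true)] [string] $ResourceGroupName,
    [Parameter(Mandatory = $true)] [string] $ResourceGroupLocation,
    [string] $SubscriptionId
)

$ErrorActionPreference = 'Stop'

# Never echo $Secret; VSO masks secret variables in the log, the script must not undo that.
$securePwd = ConvertTo-SecureString -String $Secret -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ($ApplicationId, $securePwd)

# ARM requires Azure AD authentication; a service principal does it non-interactively.
Add-AzureRmAccount -ServicePrincipal -TenantId $TenantId -Credential $cred | Out-Null
if ($SubscriptionId) {
    Select-AzureRmSubscription -SubscriptionId $SubscriptionId | Out-Null
}

# Idempotent: re-running the build must not fail because the group already exists.
$rg = Get-AzureRmResourceGroup -Name $ResourceGroupName -ErrorAction SilentlyContinue
if (-not $rg) {
    $rg = New-AzureRmResourceGroup -Name $ResourceGroupName -Location $ResourceGroupLocation
    Write-Host "Created resource group $($rg.ResourceGroupName) in $($rg.Location)"
} else {
    Write-Host "Resource group $($rg.ResourceGroupName) already exists in $($rg.Location)"
}
```

Grant the service principal only the role it needs on the subscription (Contributor scoped to the subscription is enough to create resource groups); an Owner assignment would let a compromised build agent change role assignments as well.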

Related

WARNING: Unable to acquire token for tenant 'organizations' with error authentication failed: Retry failed after 4 tries.'

I am using PowerShell to connect to Azure interactively, where I will give my username and password and the script will fetch the secrets from the Key Vault. I am not supposed to use the app id here. I was using the Azure module and PowerShell 5.1, where the Connect-AzAccount command used to work, open a browser and let me enter my details.
For the last 3 days I have been seeing the error below. It does not show any browser window.
WARNING: Unable to acquire token for tenant 'organizations' with error 'InteractiveBrowserCredential authentication
failed: Retry failed after 4 tries.'
I have tried deleting the Azure context files and trying again, but I am facing the same issue.
You may try the suggestion in the comment.
If not, it may occur for different reasons; sometimes it is due to a network issue or delay.
Some workarounds that you may try:
Please clear the cache and try running the following commands in order:
Install-Module Az, Import-Module Az, Connect-AzAccount, using Windows PowerShell ISE.
As you said it worked previously, it may have been upgraded to a newer version, say 2.2.8. Try downgrading the Az.Accounts package to a version such as 1.6, or try the other way around by upgrading.
PowerShell developer reference for Azure Functions | Microsoft Docs
Try to install the Az module in your PowerShell and set your execution policy to RemoteSigned.
Give your tenant ID directly: Connect-AzAccount -TenantId cf2a0-*******
Try "Connect-AzAccount -UseDeviceCode" or "Connect-AzureAd"
Check whether API permissions to read or read/write Azure Active Directory have been granted to the application, e.g. Directory.ReadWrite.All. Make sure Managed Service Identity (MSI) has been turned on and that Key Vault access policies are granted to the MSI. And check whether the user is assigned a role.
Try to run your PowerShell as admin, update the module with Update-Module -Name Az, then log in again.
You may use "Connect-AzAccount -Identity -ErrorAction Stop" to catch the error.
If the issue is not resolved you may raise a support request.
References:
Troubleshoot Azure Automation runbook issues| Microsoft Docs
Using Azure Key Vault with PowerShell
Other SO reference
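Two of the workarounds above (pinning the tenant instead of the 'organizations' endpoint, and falling back to device-code sign-in when the browser flow fails) combined into one script, as an added example that is not part of the answer. It assumes the Az module is installed (Get-AzKeyVaultSecret -AsPlainText needs Az.KeyVault 3.x or later) and that the tenant, vault and secret names are supplied by the caller; the function name is the example's own:

```powershell
# Added example, not from the original answer. Interactive user sign-in to a
# named tenant, with device-code fallback, then a Key Vault secret read.
param(
    [Parameter(Mandatory = $true)] [string] $TenantId,
    [Parameter(Mandatory = $true)] [string] $VaultName,
    [Parameter(Mandatory = $true)] [string] $SecretName
)
$ErrorActionPreference = 'Stop'

function Connect-AzInteractive {
    param([Parameter(Mandatory = $true)] [string] $TenantId)
    # Pin the directory: the warning in the question comes from token acquisition
    # against the multi-tenant 'organizations' endpoint, so name the tenant explicitly.
    try {
        $null = Connect-AzAccount -TenantId $TenantId -ErrorAction Stop
    } catch {
        # Browser sign-in is what fails in the question; device code works without one.
        Write-Warning "Browser sign-in failed ($($_.Exception.Message)); falling back to device code."
        $null = Connect-AzAccount -TenantId $TenantId -UseDeviceCode -ErrorAction Stop
    }
    $ctx = Get-AzContext
    if ($ctx.Tenant.Id -ne $TenantId) {
        throw "Signed in to tenant $($ctx.Tenant.Id), expected $TenantId"
    }
    return $ctx
}

$context = Connect-AzInteractive -TenantId $TenantId
Write-Host "Signed in as $($context.Account.Id) to tenant $($context.Tenant.Id)"

# Read the secret with the user's own access policy; only report its length, never the value.
$secretValue = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -AsPlainText
if ([string]::IsNullOrEmpty($secretValue)) {
    throw "Secret '$SecretName' was not found in vault '$VaultName' or is empty."
}
Write-Host "Retrieved secret '$SecretName' ($($secretValue.Length) characters)"
```

Device-code sign-in still authenticates the human user, so it fits the "no app id" constraint in the question; it only changes how the browser session is started.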

Visual Studio Online Build and Release Azure Powershell

We were originally using Start-AzureWebsite and Stop-AzureWebsite in a powershell script to start and stop web apps in Azure before publishing. In the VSO build it was using Azure Powershell, the connection type was Azure Classic. Microsoft recommended switching to Start-AzureRmWebApp and Stop-AzureRmWebApp which uses the Azure Resource Manager. We modified the Azure Powershell step in the build to have a connection type of Azure Resource Manager, and selected the correct subscription. When it calls our external script using the script path, it appears as though the authentication is not being passed on to the script, we get the error "Run Login-AzureRmAccount to login." when it tries to execute the command to start/stop the websites. How do we get the authentication to persist down to the script being called?
Not sure why the connection gets lost; it should work if you dot-source the script to invoke it. However:
I would suggest creating a service principal within the AAD that is linked to your subscription and granting it access to your web app. Then you should use the existing Azure App Service Manage Task to start / stop your app:
By the way, starting / stopping / deploying a web app should be part of a Release Definition / Step - not build.
-
Turns out instead of using Connect-AzureRMAccount I needed to be using Add-AzureRmAccount. Once I changed that I can now connect and start/stop App Services! Thank you for the help. – Link

How might I assign a service principal to an AAD group in my hosted VSTS release pipeline using PowerShell?

I have a VSTS release pipeline which provisions a new function app with a Managed Service Identity. My solution includes a shared key vault instance for my app secrets. Key vault allows a maximum of 16 access control entries so I've taken the approach of creating an Azure AD group for applications which I will add application service principals to. All straight forward and workable in PowerShell locally, but I'm not able to figure out a way to do this using hosted build servers in the VSTS release pipeline and a Run Powershell In Azure release task.
The Azure CLI is at version 1.X on the Hosted build server and 2.x on the Hosted 2017 build server
* 1.x doesn't appear to offer AD group manipulation or graph API access
* 2.x does offer az ad group member add but the hosted 2017 build has a problem with New-AzureStorageTable which is used elsewhere in my pipeline, so I can't use it
Similarly, the Azure RM powershell module on the Hosted build server is very old and doesn't appear to support group membership manipulation. The version on the Hosted 2017 server (which I can't use) has commands like Get-AzureRmADGroup but nothing to add a user to that group.
The cmdlet Add-AzureADGroupMember, available in the AAD powershell would be a nice solution, but it's not available on either the Hosted or Hosted 2017 build servers.
I've considered both automation runbooks and direct HTTPS posts to the graph API using the OAuth token available in the release pipeline, but want to stay with PowerShell to keep the number of technologies in my release pipeline as small as possible. I'd also prefer to avoid storing credentials in a secured manner for use in a PowerShell command like Login-AzureRmAccount and rely on the identity of the Service Endpoint I defined for my release pipeline.
Suggestions appreciated.
Since the Hosted agent can’t meet your requirements, you can configure a private build agent (it’s free) on your machine: Deploy an agent on Windows.
Regarding Add-AzureADGroupMember cmdlet, you can install it by calling Install-Module -Name AzureAD through Azure PowerShell task, which works fine on Hosted agent.
Script:
Install-PackageProvider -Name NuGet -Force -Scope CurrentUser
Install-Module -Name AzureAD -Force -Verbose -Scope CurrentUser
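Putting the installed AzureAD module to use inside the Azure PowerShell release task, as an added example that is not part of the answer. It adds the function app's Managed Service Identity to the Azure AD group without a second Login-AzureRmAccount: it reuses the Azure AD Graph token that the task's service endpoint context already holds (an assumption: the endpoint's service principal must have been granted Graph permission to manage group membership, otherwise Connect-AzureAD succeeds but Add-AzureADGroupMember is refused). Resource group, app and group names are placeholders:

```powershell
# Added example, not from the original answer. Run in an "Azure PowerShell"
# release task with an Azure Resource Manager endpoint; the AzureRM login has
# already happened when this script starts.
param(
    [Parameter(Mandatory = $true)] [string] $ResourceGroupName,
    [Parameter(Mandatory = $true)] [string] $FunctionAppName,
    [Parameter(Mandatory = $true)] [string] $GroupDisplayName
)
$ErrorActionPreference = 'Stop'
Import-Module AzureAD

# The function app's MSI is a service principal; its object id is the identity's PrincipalId.
$app = Get-AzureRmWebApp -ResourceGroupName $ResourceGroupName -Name $FunctionAppName
$principalId = $app.Identity.PrincipalId
if (-not $principalId) { throw "$FunctionAppName has no Managed Service Identity enabled." }

# Touching a Graph-backed AzureRM cmdlet makes the endpoint acquire a Graph token
# into the context's token cache; we then hand that token to the AzureAD module.
$null = Get-AzureRmADServicePrincipal -ObjectId $principalId -ErrorAction SilentlyContinue
$ctx = Get-AzureRmContext
$graphToken = $ctx.TokenCache.ReadItems() |
    Where-Object { $_.TenantId -eq $ctx.Tenant.Id -and $_.Resource -eq 'https://graph.windows.net/' } |
    Sort-Object ExpiresOn -Descending | Select-Object -First 1
if (-not $graphToken) {
    throw "No Azure AD Graph token in the current context; grant the service endpoint's principal Graph permissions."
}
Connect-AzureAD -TenantId $ctx.Tenant.Id -AadAccessToken $graphToken.AccessToken -AccountId $ctx.Account.Id | Out-Null

$group = Get-AzureADGroup -Filter "DisplayName eq '$GroupDisplayName'"
if (-not $group) { throw "Azure AD group '$GroupDisplayName' not found." }

# Idempotent: adding an existing member errors, so check membership first.
$member = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
    Where-Object { $_.ObjectId -eq $principalId }
if ($member) {
    Write-Host "$FunctionAppName ($principalId) is already a member of $GroupDisplayName"
} else {
    Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $principalId
    Write-Host "Added $FunctionAppName ($principalId) to $GroupDisplayName"
}
```

Because the group, not each function app, is what the Key Vault access policy names, this keeps the pipeline under the 16-entry limit mentioned in the question while still granting each app only the group's permissions.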

TFS - No default subscription has been designated. Use Select-AzureSubscription -Default <subscriptionName> to set the default subscription

I am trying to run a task on TFS which requires AD set up. I managed to set up all connections, but for some reason Subscription on TFS is not selected.
I am not sure which account I have to log in to, to set the default subscription. The -Default parameter is deprecated btw.
Task add-on I am trying to use is downloadable here:
https://marketplace.visualstudio.com/items?itemName=rbengtsson.appservices-start-stop&showReviewDialog=true
TFS build error:
I tried to set up via power-shell:
I have tested the Azure AppServices Stop task on my side, and found this task works perfectly with the Azure Classic Connection Type, but when using the Azure Resource Manager Connection Type I got the same error message as you.
According to the source code of the Azure AppServices Stop task on GitHub, this task actually uses the Azure PowerShell below to stop the service:
$website = Get-AzureWebsite -Name $WebAppName
Stop-AzureWebsite -Name $WebAppName
It seems Stop-AzureWebsite only works with Azure Classic, as we can't find it in Using Azure PowerShell with Azure Resource Manager.
In conclusion, if you want to use Azure AppServices Stop task, you need to choose Azure Classic Connection Type:
Using the latest version of AzureRM Powershell you now can use Azure Resource Manager connection type and use commands like:
Start-AzureRmWebApp
Stop-AzureRmWebApp
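The ARM-side replacement for the classic start/stop task, written as an added example that is not the task's code and not from either answer; it also covers the "Run Login-AzureRmAccount to login" thread above. It runs in an "Azure PowerShell" task with the Azure Resource Manager connection type, where the task has already logged in, and checks that the login is really present before doing anything. Start/Stop-AzureRmWebApp return before the site has finished changing state, so the script polls Get-AzureRmWebApp until the state matches. Resource group and app names are placeholders and the function name is the example's own:

```powershell
# Added example, not from the original answers. Requires the AzureRM.Websites
# module (Start/Stop/Get-AzureRmWebApp) and an existing AzureRM login.
param(
    [Parameter(Mandatory = $true)] [string] $ResourceGroupName,
    [Parameter(Mandatory = $true)] [string] $WebAppName,
    [Parameter(Mandatory = $true)] [ValidateSet('Running', 'Stopped')] [string] $DesiredState,
    [int] $TimeoutSeconds = 120
)
$ErrorActionPreference = 'Stop'

# Fail with a clear message instead of the bare "Run Login-AzureRmAccount to login"
# when the script is invoked outside the task (or from a non-dot-sourced child scope).
$ctx = Get-AzureRmContext -ErrorAction SilentlyContinue
if (-not $ctx -or -not $ctx.Account) {
    throw "No Azure RM context. Run this from an Azure PowerShell task with an Azure Resource Manager connection, or dot-source it there."
}

function Set-WebAppState {
    param(
        [string] $ResourceGroupName,
        [string] $Name,
        [string] $DesiredState,
        [int] $TimeoutSeconds
    )
    $app = Get-AzureRmWebApp -ResourceGroupName $ResourceGroupName -Name $Name
    if ($app.State -eq $DesiredState) {
        Write-Host "$Name is already $DesiredState"
        return $app
    }
    if ($DesiredState -eq 'Stopped') {
        $null = Stop-AzureRmWebApp -ResourceGroupName $ResourceGroupName -Name $Name
    } else {
        $null = Start-AzureRmWebApp -ResourceGroupName $ResourceGroupName -Name $Name
    }
    # Poll until the app reports the requested state or the deadline passes.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 5
        $app = Get-AzureRmWebApp -ResourceGroupName $ResourceGroupName -Name $Name
    } while ($app.State -ne $DesiredState -and (Get-Date) -lt $deadline)
    if ($app.State -ne $DesiredState) {
        throw "$Name is still $($app.State) after $TimeoutSeconds seconds"
    }
    Write-Host "$Name is now $($app.State)"
    return $app
}

$null = Set-WebAppState -ResourceGroupName $ResourceGroupName -Name $WebAppName `
    -DesiredState $DesiredState -TimeoutSeconds $TimeoutSeconds
```

Call it with -DesiredState Stopped before the deploy step and -DesiredState Running after it; the poll is what makes the stop reliable as a pre-deploy gate, since a deploy that starts while the site is still shutting down is the usual source of flaky releases.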

New-AzureReservedIP : No default subscription has been designated

I never used Azure PowerShell before, but now I'm running a command to have Azure reserve a static IP address:
New-AzureReservedIP –ReservedIPName "137.117.11.18" –Label "people-dns-ip" –Location "US West"
And then I'm getting this error: New-AzureReservedIP : No default subscription has been designated.
So, I was trying to figure out what is the or just set to default... using the command Select-AzureSubscription I can see that the subscription name BizSpark doesn't exist.
Not sure how to print the value of Get-AzureSubscription on the screen, but in my Azure portal it says: SUBSCRIPTION NAME BizSpark
Any idea how to resolve this? or maybe this option is limited for BizSpark users??
To use Azure PowerShell, at the very first you should use
Add-AzureAccount
It will give you a popup where you can log in with your Azure credentials. This way you will connect to your Azure subscription in Azure PowerShell.
Need to add your azure account to be able to manage assets:
If for some reason method 1 doesn't work, try method 2.
Method 1:
At powershell, run:
Add-AzureAccount
Method 2:
At powershell, run:
Get-AzurePublishSettingsFile
Sign in to the Windows Azure Management Portal, and then follow the instructions to download your Windows Azure publishing settings.
Again at powershell, run:
Import-AzurePublishSettingsFile <mysettings>.publishsettings
Replace with the file name of the publishsettings file that you downloaded in the previous step and correct the path if necessary.
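The two methods above get the account loaded; what the question still needs is to see which subscriptions that account actually has and to make one of them current before New-AzureReservedIP runs. The following is an added example, not from either answer, using the classic (ASM) cmdlets the thread is about. It assumes Add-AzureAccount or Import-AzurePublishSettingsFile has already been run in the session; the subscription name, IP name and label are whatever the caller passes in:

```powershell
# Added example, not from the original answers. Lists the loaded subscriptions,
# selects one by its exact name, validates the location and reserves the IP.
param(
    [Parameter(Mandatory = $true)] [string] $SubscriptionName,
    [Parameter(Mandatory = $true)] [string] $ReservedIPName,
    [Parameter(Mandatory = $true)] [string] $Label,
    [string] $Location = 'West US'
)
$ErrorActionPreference = 'Stop'

# Get-AzureSubscription only knows subscriptions that were loaded by Add-AzureAccount
# or a publish settings file; printing them answers "does BizSpark exist here?".
$subs = @(Get-AzureSubscription)
if ($subs.Count -eq 0) {
    throw "No subscriptions loaded. Run Add-AzureAccount (or Import-AzurePublishSettingsFile) first."
}
Write-Host "Subscriptions available in this session:"
$subs | Select-Object SubscriptionName, SubscriptionId, IsDefault, IsCurrent |
    Format-Table -AutoSize | Out-String | Write-Host

# The name must match the portal exactly (case-insensitive, but no extra words).
$sub = $subs | Where-Object { $_.SubscriptionName -eq $SubscriptionName }
if (-not $sub) {
    throw "Subscription '$SubscriptionName' is not in the list above; copy the name from the portal."
}

# Making it current is enough to clear "No default subscription has been designated".
Select-AzureSubscription -SubscriptionName $SubscriptionName -Current

# Classic location names are the ones Get-AzureLocation returns, e.g. "West US" (not "US West").
$known = Get-AzureLocation | Where-Object { $_.Name -eq $Location }
if (-not $known) {
    throw "Location '$Location' is not valid; pick one from Get-AzureLocation."
}

New-AzureReservedIP -ReservedIPName $ReservedIPName -Label $Label -Location $Location
```

If the portal shows a subscription that the list does not, the session was loaded with a different account (or a publish settings file for a different subscription); re-run Add-AzureAccount with the account that owns it.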