I'm trying to update ACL through Azure PowerShell but I'm getting this weird error.
The script is pretty simple but don't understand what is wrong.
First I'm getting the Storage Container by name to be sure the
container already exists.
Then just trying to set ACL permission on
it but got an error saying the container doesn't exist.
Am I missing something?
Edit: Just to avoid confusion, I have full control on this storage account resource. I created it and I'm able to configure this setting through Azure portal but no with power shell.
Browse to Storage Account in the Azure Portal
Access Control (IAM)
Grant Access to this resource section (Add Role Assignments)
Role: Storage Blob Data Contributor
Assign Access to: Use the default values (I.e. User , Group , or Service Principal)
Select: User Name
Save
I tried to reproduce the same in my environment to apply ACL permissions:
Here is the script to apply the ACL permission to your container.
You can get the Azure Storage Account Key
Azure Portal > Storage accounts > YourStorageAccount >Access keys
#Install Storage Module
Install-Module Az.Storage
#Connect to Azure AD
Connect-AzureAD
#Set Context to Storage Account
$StorageContext = New-AzureStorageContext -StorageAccountName 'venkatsa' -StorageAccountKey 'StorageAccount-key'
$Container = Get-AzureStorageContainer -Name 'thejademo' -Context $StorageContext
#Get Container ACL Permissions
Get-AzStorageContainerAcl -Container "thejademo" -Context $StorageContext
#Set ACL permission to Container.
Set-AzStorageContainerAcl -Container "thejademo" -Permission Off -PassThru -Context $StorageContext
Applied ACL permission to my container
Related
I've googled this for hours and found little code snippets in bash and powershell but the ones that don't error completely end up giving me a 403. Here's my script this far.
$resourceGroupName = "MyResourceGroup"
$storageAccountName = "MyStorageAcc"
$containerName = "mynewcontainer"
$storageAccKey = (Get-AzStorageAccountKey -ResourceGroupName $resourceGroupName -AccountName $storageAccountName)[0].value
$storagecontext = New-AzStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $storageAccKey
New-AzureStorageContainer -Name $containerName -Permission Container -Context $storagecontext
I originally didn't get the storage account key, but after that gave me a 403 I started looking into potential reasons for the error and many suggested getting the storage account key. However this still doesn't work. What am I missing?
Update
I found this: https://github.com/Azure/azure-cli/issues/9396, which suggests it's an issue with the ip address you're connecting from. However, I've added my ip address and still get the same issue.
Update 2
I couldn't find a sufficient way to do this through a script so decided to do it as part of the initial creation using the ARM template.
Make sure your user account login the Azure powershell(if using cloud shell, the account is which you login the portal) has the correct RBAC role e.g. Storage Account Contributor at your storage account/group/subscription, if not, follow this to add it.
Besides, you mixed the old AzureRM command New-AzureStorageContainer with the new Az command Get-AzStorageAccountKey, New-AzStorageContext, it may cause you to use a wrong context, change the last line as below.
New-AzStorageContainer -Name $containerName -Permission Container -Context $storagecontext
I have a Gen2 Azure storage account and try to create a stored access policy on a container using Powershell. I am signed into the account and the relevant subscription is selected. I save the context in a variable for further use by the following statements.
Connect-AzAccount
Set-AzContext -Subscription "<subscriptionid>"
$context = New-AzStorageContext -StorageAccountName "MyStorageAccount" -UseConnectedAccount
Creating a stored access policy failed so I added one manually through the portal and tried to get a list of the policies:
Get-AzStorageContainerStoredAccessPolicy -Container "MyContainer" -Context $context
This resulted in an error Get-AzStorageContainerStoredAccessPolicy: The specified resource does not exist., the same error that the "New-AzStorageContainerStoredAccessPolicy" command yielded. Adding the name of the existing policy with the -Policy parameter did not change the outcome, neither did changing the access level on the container.
I think I can also rule out typos as Get-AzStorageContainer "MyContainer" -Context $context gives me the details of the container as expected.
I am unclear as to what resource it is that does not exists, as the container clearly exists and it also contains at least one stored access policy. Can the container stored access policy command not be used on a Gen2 storage account or am I missing something else?
This is because Get/New-AzStorageContainerStoredAccessPolicy isn't supported by Oauth. You can find all operations supported by Oauth https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftstorage.
As a workaround, you can use connection string to do this:
Connect-AzAccount
Set-AzContext -Subscription "<subscriptionid>"
$context = New-AzStorageContext -ConnectionString "<Connection string>"
Get-AzStorageContainerStoredAccessPolicy -Container "<Container Name>" -Context $context
Same issue in Github: https://github.com/Azure/azure-powershell/issues/10391.
I want to create a container (or container group) in Azure Container Instances, pulling the image(s) from Azure Container Registry - but with using a SystemAssigned identity. With that I want to avoid using ACR login credentials, a service principal or a UserAssigned identity.
When I run this script (Azure CLI in PowerShell) ...
$LOC = "westeurope"
$RG = "myresourcegroup"
$ACRNAME = "myacr"
az configure --defaults location=$LOC group=$RG
$acr = az acr show -n $ACRNAME -o json | ConvertFrom-Json -Depth 10
az container create --name app1 --image $($acr.loginServer+"/app1") `
--assign-identity --role acrpull --scope $acr.id `
--debug
... ACI does not seem to recognize that it should be already authorized for ACR and shows this prompt:
Image registry username:
Azure CLI version: 2.14.0
Does this make sense? Is the ACI managed identity supported for ACR?
In your code, when you create an Azure container with a managed identity that is being created at the ACI creating time to authenticate to ACR. I am afraid that you can not do that because there are limitations
You can't use a managed identity to pull an image from Azure Container
Registry when creating a container group. The identity is only
available within a running container.
From Jan 2022 on managed identity is supported on Azure Container Instance to access Azure Container Registry: https://learn.microsoft.com/en-us/azure/container-instances/using-azure-container-registry-mi
#minus_one -solution do not work in my case. Runbook to make container registry. It does need more priviledges than stated in here...
https://github.com/Azure/azure-powershell/issues/3215
This solution will not use managed identity, and it is important to note that we will need owner role at least on the resource group level.
The main idea is to use service principals to get the access using the acrpull role. See the following PowerShell script:
$resourceGroup = (az group show --name $resourceGroupName | ConvertFrom-Json )
$containerRegistry = (az acr show --name $containerRegistryName | ConvertFrom-Json)
$servicePrincipal = (az ad sp create-for-rbac `
--name "${containerRegistryName}.azurecr.io" `
--scopes $containerRegistry.id `
--role acrpull `
| ConvertFrom-Json )
az container create `
--name $containerInstanceName `
--resource-group $resourceGroupName `
--image $containerImage `
--command-line "tail -f /dev/null" `
--registry-login-server "${containerRegistryName}.azurecr.io" `
--registry-username $servicePrincipal.appId `
--registry-password $servicePrincipal.password
Please note that we have created a service principal, so we also need to remove that:
az ad sp delete --id $servicePrincipal.appId
There is a documentation on how to do that:
Deploy to Azure Container Instances from Azure Container Registry
Update:
I think the --registry-login-server ${containerRegistryName}.azurecr.io" option was missing.
I am using Get-AzRoleAssignment to get RBAC details for Data Lake Storage Gen1 resource.
Command :
Get-AzRoleAssignment -ResourceGroupName "test" -ResourceName "testResource" -ResourceType "Microsoft.DataLakeAnalytics/accounts"
Above command gives us list of resources who have access to resource mentioned. Since first use of this command we have removed access for many resources but command still return names for those. I logged out and logged in multiple times to check if its caching issue but no use.
I am trying to assign permissions to the "build administrators" group using the cli.
The specific permission i want to update is the "Delete Team Project" permission.
The documentation is a little difficult to put together since the information is scattered, specially the parts about security tokens and permissions bits.
I am using the az devops security command. The part i am struggling with is getting the correct token and the setting the correct permission bits
I know the namespace I want to use. it is the environment namespace. Found this out by first checking all the namespaces and finding the guid for the environment namespace.
#get list of all namespaces
az devops security permission namespace list -o table
$envnamespace = <guid from above command for the environment namespace>
# first i set my org and token
$orgUrl = "https://dev.azure.com/<MYORG>"
$personalToken = "<MY_PERSONAL_TOKE>"
$projectName = "<my_project>"
# login using PAT
$personalToken | az devops login --organization $orgUrl
# set default organisation
az devops configure --defaults organization=$orgUrl
# get the group descriptor ID for the group "build administrators"
$id = az devops security group list --project $projectName --output json --query "graphGroups[?displayName == '$groupID'].descriptor | [0]" -o tsv --verbose
# now i want to add permissions for the group "build administrators"
# but i am not sure what the token should be and what permission bits to use
I run the following command to see list the permissions on the group. it returns some tokens but they don't make sense to me. How am i meant to know which token is for what permissions. for example how do i know which token is for "Delete Team Project" permission
az devops security permission list --namespace-id $envnamespace --subject $id
The aim next is to run the following command to update permissions
az devops security permission update --namespace-id $envnamespace --subject $id --token $token2 --allow-bit 4 deny-bit 1 --verbose
The --allow-bit and deny-bit i'm not sure exactly what it should be to set the permission to deny
any advice on the correct way to do this would be appreciated.
how do I know which token is for "Delete Team Project" permission
Run az devops security permission namespace list, the namespaceID of "Delete Team Project" is under the "Project" namespace.
You can get the bit and the namespaceID of the specific Delete Team Project namespace (for reference see screenshot shown below).
How am I meant to know which token is for what permissions
For the tokens, you can refer to Security tokens for permissions management for details, there are listed Token examples for different namespaces.
Another example for your reference (reference jessehouwing's blog) :
az login
az extension add --name "azure-devops"
# Find the group identifier of the group you want to set permissions for
$org = "gdbc2019-westeurope"
# There is a weird edge case here when an Azure DevOps Organization has a Team Project with the same name as the org.
# In that case you must also add a query to filter on the right domain property `?#.domain == '?'`
$subject = az devops security group list `
--org "https://dev.azure.com/$org/" `
--scope organization `
--subject-types vssgp `
--query "graphGroups[?#.principalName == '[$org]\Project Collection Administrators'].descriptor | [0]"
$namespaceId = az devops security permission namespace list `
--org "https://dev.azure.com/$org/" `
--query "[?#.name == 'Git Repositories'].namespaceId | [0]"
$bit = az devops security permission namespace show `
--namespace-id $namespaceId `
--org "https://dev.azure.com/$org/" `
--query "[0].actions[?#.name == 'PullRequestBypassPolicy'].bit | [0]"
az devops security permission update `
--id $namespaceId `
--subject $subject `
--token "repoV2/" `
--allow-bit $bit `
--merge true `
--org https://dev.azure.com/$org/