brandon/oam
1
0
Fork 0
mirror of https://gitea.com/mcereda/oam.git synced 2026-02-09 05:44:23 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
7c72e4e5fb5bacefb9678e414b5b6a805a8c26ae
oam/knowledge base/azure/cli.md

18 KiB
Raw Blame History

Azure CLI

Queries (az … --query …) use the JMESPath query language for JSON.

Table of contents

  1. TL;DR
  2. Installation
  3. Extensions
  4. Pipelines
  5. AKS
  6. APIs
  7. Further readings
  8. Sources

TL;DR

# Install the CLI.
asdf plugin add 'azure-cli' && asdf install 'azure-cli' '2.43.0'
brew install 'azure-cli'
docker run -v "${HOME}/.azure:/root/.azure" 'mcr.microsoft.com/azure-cli:2.40.0'
pip install 'azure-cli'
pipx install 'azure-cli'

# Disable certificates check upon connection.
# Use it for proxies with doubtful certificates.
export AZURE_CLI_DISABLE_CONNECTION_VERIFICATION=1

# Login to Azure.
az login
az login -u 'username' -p 'password'
az login --identity --username 'client_id__or__object_id__or__resource_id'
az login --service-principal \
  -u 'app_id' -p 'password_or_certificate' --tenant 'tenant_id'

# Check the CLI status.
az self-test

# Gather information on the current user.
az ad signed-in-user show
az ad signed-in-user list-owned-objects

# Gather information on another user.
az ad user show --id 'user@email.org'

# Check a User's permissions.
az ad user get-member-groups --id 'user@email.org'

# Get the ID of a Service Principal from its Display Name.
az ad sp list --query 'id' -o 'tsv' --display-name 'service_principal_name'

# Get the Display Name of a Service Principal from its ID.
az ad sp show --query 'displayName' -o 'tsv' \
  --id '12345678-abcd-0987-fedc-567890abcdef'

# Show information about an Application.
# The ID must be an application id, object id or identifier uri.
az ad app show --id '12345678-abcd-0987-fedc-567890abcdef'

# Get the Display Name of an Application from its ID.
az ad app show --query 'displayName' -o 'tsv' \
  --id '12345678-abcd-0987-fedc-567890abcdef'

# Get the Principal (Object) ID of a Managed Identity from its Name.
az identity show --query 'principalId' -o 'tsv' \
  --resource-group 'resource_group_name' --name 'managed_identity_name'

# Get the name of a Managed Identity from its Principal (Object) ID.
az identity list -o 'tsv' \
  --query "[?(@.principalId=='managed_identity_principal_id')].name"

# Get a Resource Group's ID.
az group show 'resource_group_name'

# List Subscriptions available to the current User.
az account list --refresh --output 'table'

# Get the current User's default Subscription's ID.
az account show --query 'id' --output 'tsv'

# Get the ID of a Subscription from its Name.
az account show --query 'name' -o 'tsv' -s 'subscription_id'

# Get the Name of a Subscription from its ID.
az account show --query 'id' -o 'tsv' -n 'subscription_name'

# Get the current User's default Subscription.
az account set --subscription 'subscription_uuid__or__name'

# Set the current User's default Resource Group.
az configure --defaults 'group=resource_group_name'

# List available Locations.
az account list-locations -o 'table'

# Create an Access Token for the current User.
az account get-access-token
az account get-access-token --query 'accessToken' -o 'tsv'

# List role assignments.
az role assignment list
az role assignment list --all
az role assignment list --resource-group 'resource_group'
az role assignment list … --scope 'scope_id' --role 'role_id_or_name'

# List role assignments with scope for a User or Managed Identity.
# By default, it will only show role assignments for the current subscription.
az role assignment list --subscription 'subscription_id' \
  --all --include-inherited --assignee 'user_or_managed_identity_object_id' \
  --query '[].{role: roleDefinitionName, scope: scope}' -o 'tsv'

# Give Principals permissions on Key Vaults.
az keyvault set-policy -n 'key_vault_name' --object-id 'principal_object_id' \
  --secret-permissions 'get' 'list' 'set' --certificate-permissions 'all'
az keyvault set-policy -n 'key_vault_name' --spn 'service_principal_name' …
az keyvault set-policy -n 'key_vault_name' --upn 'user_principal_name'# List the names of all keys in Key Vaults.
az keyvault key list --query '[].name' -o 'tsv' --vault-name 'key_vault_name'

# Create or update passwords in Key Vaults.
az keyvault secret set \
  --vault-name 'key_vault_name' --name 'secret_name' --value 'plain_text'
az keyvault secret set … --expires '2024-04-10T12:19:54Z'

# Get passwords from Key Vaults.
az keyvault secret show --query 'value' \
  --name 'secret_name' --vault-name 'key_vault_name'

# Get Key ID and Access Policy of Disk Encryption Sets.
az disk-encryption-set show --ids 'id' \
  --query "{
    \"keyId\": activeKey.keyUrl,
    \"accessPolicyId\": join('/', [activeKey.sourceVault.id, 'objectId', identity.principalId])
  }"

# List all the available SKUs for VMs.
az vm list-skus
az vm list-skus -l 'location'

# List all the SKUs supporting an ephemeral OS disk.
az vm list-skus -l 'location' -o tsv \
  --query "[?capabilities[?name=='EphemeralOSDiskSupported' && value=='True']]"

# List the Virtual Machine images available in Azure Marketplace.
# Or check https://az-vm-image.info .
# Suggested to use '--all' to avoid useless filtering at MSFT side.
az vm image list --all
az vm image list -l 'westus' --offer 'RHEL' -p 'RedHat' -s '8_5' --all

# Show a Virtual Machine's details.
az vm show -g 'resource_group_name' -n 'vm_name'

# Delete a Virtual Machine.
az vm delete -g 'resource_group_name' -n 'vm_name'

# Assess updates in a Linux Virtual Machine.
az vm assess-patches  -g 'resource_group_name'  -n 'vm_name'

# Install security updates in a Linux Virtual Machine.
# Do not reboot.
# Max 4h of operation.
az vm install-patches -g 'resource_group_name'  -n 'vm_name' \
  --maximum-duration 'PT4H' --reboot-settings 'Never' \
  --classifications-to-include-linux 'Security'

# Get the status of the Agent in a Virtual Machine.
az vm get-instance-view -g 'resource_group_name'  -n 'vm_name' \
  --query 'instanceView.vmAgent.statuses[]' -o 'table'

# Wait until a Virtual Machine satisfies a condition.
az vm wait -g 'resource_group_name'  -n 'vm_name' --created
az vm wait … --updated --interval '5' --timeout '300'
az vm wait … --custom "instanceView.statuses[?code=='PowerState/running']"
az vm wait … --custom "instanceView.vmAgent.statuses[?code!='ProvisioningState/Updating']"

# Wait for a Virtual Machine Agent to be Ready.
az vm wait -g 'resource_group_name'  -n 'vm_name' \
  --custom "instanceView.vmAgent.statuses[?code=='ProvisioningState/succeeded']"

# List all the available SKUs for PostgreSQL flexible DB servers.
az postgres flexible-server list-skus --location 'westeurope' -o 'table'

# List LogAnalytics' Workspaces.
az monitor log-analytics workspace list --query '[].name' \
  --resource-group 'resource_group_name'

# List available Resource Providers.
az provider list
az provider list --expand

# Enable a Resource Provider.
az provider register -n 'Microsoft.Confluent' --accept-terms
az provider register -n 'Microsoft.Automation' -m 'management_group_id'

# List the available properties of the 'ContainerService' Resource Provider.
az provider show -o 'tsv' --namespace 'Microsoft.ContainerService' \
  --expand 'resourceTypes/aliases' --query 'resourceTypes[].aliases[].name'

# Disable a Resource Provider.
az provider unregister -n 'Microsoft.Confluent'

# List available CLI extensions.
az extension list-available --output 'table'

# Add extensions to the CLI.
az extension add --name 'extension_name'
az extension add --source 'url__or__local_path'

# Update extensions.
az extension update --name 'extension_name'
az extension add --source 'updated__url__or__local_path'

# Remove installed extensions.
az extension remove --name 'extension_name'

# Validate a bicep template to create a Deployment Group.
# Leverages the `bicep` utility.
az deployment group validate \
  -n 'deployment_group_name' -g 'resource_group_name' \
  -f 'template.bicep' -p 'parameter1=value' parameter2="value"

# Check what a bicep template would do.
az deployment group what-if …

# Create a Deployment Group from a template.
az deployment group create …

# Cancel the current operation on a Deployment Group.
az deployment group cancel \
  -n 'deployment_group_name' -g 'resource_group_name'

# Delete a Deployment Group.
az deployment group delete \
  -n 'deployment_group_name' -g 'resource_group_name'

# Delete Log Analytics Workspaces.
az monitor log-analytics workspace delete -y -f 'y' \
  -g 'resource_group_name' -n 'law_name'

# Delete Disk Encryption Sets.
az disk-encryption-set delete -g 'resource_group_name' -n 'des_name'

# Login to an ACR.
az acr login --name 'acr_name'

# Diagnose container registry connectivity issues.
# Requires Docker being running.
# Will run a hello-world image locally.
az acr check-health -n 'acr_name' -s 'subscription_uuid_or_name'

# List helm charts in an ACR.
az acr helm list -n 'acr_name' -s 'subscription_uuid_or_name'

# Get the 5 latest versions of a helm chart in an ACR.
az acr helm list -n 'acr_name' -s 'subscription_uuid_or_name' -o 'json' \
| jq \
  --arg CHART_REGEXP 'chart_name_or_regex' \
  'to_entries
    | map(select(.key|test($CHART_REGEXP)))[].value[]
    | { version: .version, created: .created }' - \
| yq -sy 'sort_by(.created) | reverse | .[0:5]' -

# Push a helm chart to an ACR.
az acr helm push -n 'acr_name' 'chart.tgz' --force

# List the available Features in a Subscription.
az feature list

# Show the details of a Feature.
az feature show -n 'AKS-ExtensionManager' --namespace 'Microsoft.ContainerService'

# List Policies.
az policy definition list
az policy definition list -o 'tsv' --query "[?(@.name=='policy_name')]"
az policy definition list -o 'tsv' --query "[?(@.displayName=='policy_display_name')].name"

# Show a Policy's definition.
az policy definition show -n 'policy_name'

# List Policies metadata.
az policy metadata list

# List Policy Initiatives.
az policy set-definition list
az policy set-definition list -o 'tsv' --query "[?(@.name=='initiative_name')]"
az policy set-definition list --management-group 'management_group_id' \
  -o 'tsv' --query "[?(@.displayName=='initiative_display_name')].name"

# Show an Initiative's definition.
az policy set-definition show -n 'initiative_name'

# Show the servers in the default HTTP backend of an Application Gateway.
az network application-gateway show-backend-health -o 'table' \
  -g 'resource_group_name' -n 'agw_name' \
  --query 'backendAddressPools[].backendHttpSettingsCollection[].servers[]'

# Check if the current User is member of a given Group.
az rest -u 'https://graph.microsoft.com/v1.0/me/checkMemberObjects' \
  -m post -b '{"ids":["group_id"]}'

# Check if a Service Principal is member of a given Group.
az rest -u 'https://graph.microsoft.com/v1.0/servicePrincipals/service_principal_id/checkMemberObjects' \
  -m post -b '{"ids":["group_id"]}'

# Query the Graph APIs for a specific Member in a Group.
az rest -m 'get' \
  -u 'https://graph.microsoft.com/beta/groups/group_id/members?$search="displayName:group_display_name"&$select=displayName' \
  --headers 'consistencylevel=eventual'

# Remove a Member from an AAD Group.
# If '/$ref' is missing from the request, the user will be **deleted from AAD**
# if the appropriate permissions are used, otherwise a '403 Forbidden' error is
# returned.
az rest -m 'delete' \
  -u 'https://graph.microsoft.com/beta/groups/group_id/members/member_id/$ref'

# List a User's PATs.
# 'displayFilterOptions' are 'active' (default), 'all', 'expired' or 'revoked'.
# 'displayFilterOptions' can be negated ('!revoked').
# If more then 20, or up to 100 using the '$top' url parameter, results are
# paged and a 'continuationToken' will be returned.
az rest -m 'get' \
  --headers Authorization='Bearer ey…pw' \
  -u 'https://vssps.dev.azure.com/organization_name/_apis/tokens/pats?api-version=7.1-preview.1'
az rest … -u 'https://vssps.dev.azure.com/organization_name/_apis/tokens/pats?api-version=7.1-preview.1&displayFilterOption=revoked&isSortAscending=false'
az rest … -u 'https://vssps.dev.azure.com/organization_name/_apis/tokens/pats' \
  --url-parameters 'api-version=7.1-preview.1' 'displayFilterOption=expired' continuationToken='Hr…in='

# Create PATs.
az rest -m 'post' \
  -u 'https://vssps.dev.azure.com/organization_name/_apis/tokens/pats' \
  --url-parameters 'api-version=7.1-preview.1' \
  --headers Authorization='Bearer ey…pw' Content-Type='application/json' \
  -b '{
    "displayName": "new-pat",
    "scope": "pat-scope",
    "validTo": "2021-12-31T23:46:23.319Z",
    "allOrgs": false
  }'

# Extend PATs.
# Works with expired PATs too, but not revoked ones.
az rest -m 'put' \
  -u 'https://vssps.dev.azure.com/organization_name/_apis/tokens/pats' \
  --url-parameters 'api-version=7.1-preview.1' \
  --headers Authorization='Bearer ey…pw' Content-Type='application/json' \
  -b '{
	  "authorizationId": "01234567-abcd-0987-fedc-0123456789ab",
	  "validTo": "2021-12-31T23:46:23.319Z"
  }'
az rest … -b @'file.json'

# Revoke PATs.
az rest -m 'delete' \
  -u 'https://vssps.dev.azure.com/organization_name/_apis/tokens/pats' \
  --url-parameters \
    'api-version=7.1-preview.1' \
    'authorizationId=01234567-abcd-0987-fedc-0123456789ab' \
  --headers Authorization='Bearer ey…pw'

# Automatically renew the first 100 non revoked Devops PATs.
# The others are in the next pages and not being able to deactivate pagination
# just su*ks bad.
# Assumes the command uses the GNU version of each tool (see `date`).
ORGANIZATION_NAME='organization_name' \
TOKEN="$(az account get-access-token --query 'accessToken' -o 'tsv')" \
VALID_TO="$(date -d '+13 days' '+%FT%T.00Z')" \
&& az rest -m 'get' \
     -u "https://vssps.dev.azure.com/${ORGANIZATION_NAME}/_apis/tokens/pats" \
     --url-parameters \
       'api-version=7.1-preview.1' \
       'displayFilterOption=!revoked' \
       '$top=100' \
     --headers "Authorization=Bearer ${TOKEN}" \
     --query 'patTokens[].authorizationId' \
     -o 'tsv' \
| parallel -qr -j '100%' \
    az rest -m 'put' \
      -u "https://vssps.dev.azure.com/${ORGANIZATION_NAME}/_apis/tokens/pats" \
      --url-parameters \
        'api-version=7.1-preview.1' \
      --headers \
        "Authorization=Bearer ${TOKEN}" \
        'Content-Type=application/json' \
      -b "{ \"authorizationId\": \"{}\", \"validTo\": \"${VALID_TO}\" }"

Installation

pip install 'azure-cli'
brew install 'azure-cli'
asdf plugin add 'azure-cli' && asdf install 'azure-cli' '2.43.0'
docker run -it -v "${HOME}/.ssh:/root/.ssh" 'mcr.microsoft.com/azure-cli'

Extensions

The Azure CLI can load extensions, practically Python wheels that aren't shipped as part of the CLI itself but run as CLI commands.
You could create your own CLI interface.

# List available CLI extensions.
az extension list-available --output 'table'

# Add extensions to the CLI.
az extension add --name 'extension_name'
az extension add --source 'url__or__local_path'

# Update extensions.
az extension update --name 'extension_name'
az extension add --source 'updated__url__or__local_path'

# Remove installed extensions.
az extension remove --name 'extension_name'

When you run a command for an extension which is not currently installed, CLI recognizes it and tries to automatically install the extension. This feature is called dynamic install, and is enabled by default since version 2.12.0.

# Configure if and how to use the 'dynamic install' feature.
az config set 'extension.use_dynamic_install=yes_prompt'
az config set 'extension.use_dynamic_install=yes_without_prompt'
az config set 'extension.use_dynamic_install=no'
az config set 'extension.run_after_dynamic_install=no'

Pipelines

See DevOps.

AKS

See AKS.

APIs

One can directly call the APIs with the rest command:

az rest \
  -m 'post' \
  -u 'https://graph.microsoft.com/v1.0/me/checkMemberObjects' \
  --headers Authorization='Bearer ey…pw' \
  -b '{"ids": ["group_id"]}'

az rest \
  -m 'delete' \
  -u 'https://graph.microsoft.com/beta/groups/group_id/members/member_id/$ref'

az rest \
  -m 'put' \
  -u 'https://vssps.dev.azure.com/organization_name/_apis/tokens/pats?api-version=7.1-preview.1' \
  --headers \
    'Authorization=Bearer ey…pw' \
    'Content-Type=application/json' \
  -b '{
	  "authorizationId": "01234567-abcd-0987-fedc-0123456789ab",
	  "validTo": "2021-12-31T23:46:23.319Z"
  }'

az rest \
  -m 'get' \
  -u 'https://vssps.dev.azure.com/organization_name/_apis/tokens/pats' \
  --url-parameters \
    'api-version=7.1-preview.1' \
    'displayFilterOption=expired' \
    'continuationToken=Hr…in='

Further readings

Sources

All the references in the further readings section, plus the following: