Differences between revisions 1 and 26 (spanning 25 versions)
Revision 1 as of 2018-06-19 03:20:14
Size: 210
Editor: PieterSmit
Revision 26 as of 2024-03-04 04:46:47
Size: 3567
Editor: PieterSmit
 * Links: [[SaltCloudAzure]], [[k8s/Azure]], [[Azure/Ml]]
== Notes on Azure ==
 * Azure blocks all ICMP, so you can't traceroute or tcptrace.
   * With all ICMP blocked there is no Path MTU discovery, and Azure VMs default to an MTU of 1,400.

== Azure IAM and roles ==
 * [[https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles]]

== AZ cli tool ==

 * AZ cli {{{
$ docker run -it microsoft/azure-cli
az login
   }}}
 * In the AZ cli, create a principal account to be used by automation [[https://docs.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli?view=azure-cli-latest]]

=== AZ cli SP (Service Principal) ===
 * An SP is a user ID used by an app, with limited access.
 * List roles for ID "06a.....68" on subscription "Non-prod": {{{
az role assignment list --all --assignee "06a.....68" --subscription "Non-prod"
}}}
 * Logged in to AZ with your own account, you can create an SP and give it access to an RG, e.g. {{{
az role assignment list --assignee "06a.....68" --resource-group rg-k8s --subscription "Non-prod"
}}}
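
An added example, not from the original page: a shell filter that takes the output of the `az role assignment list` command above and flags privileged roles granted above resource-group scope, which is the check that an SP really has limited access. The list of privileged roles, the TSV column selection and the sample rows are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Audits a service principal's
# role assignments for privileged roles granted above resource-group scope.
#
# Input on stdin: TSV rows "principal<TAB>role<TAB>scope", e.g. from
#   az role assignment list --all --assignee "06a.....68" --subscription "Non-prod" \
#     --query "[].[principalName, roleDefinitionName, scope]" -o tsv

# Prefix each assignment with BROAD or ok.
audit_assignments() {
  awk -F '\t' '
    BEGIN {
      # Assumption: roles treated as privileged for this check
      priv["Owner"]; priv["Contributor"]; priv["User Access Administrator"]
    }
    {
      # Resource-group and resource scopes contain /resourceGroups/<name>
      narrow = (tolower($3) ~ /\/resourcegroups\//)
      verdict = (($2 in priv) && !narrow) ? "BROAD" : "ok"
      printf "%s\t%s\t%s\t%s\n", verdict, $1, $2, $3
    }'
}

# Number of BROAD assignments (0 means nothing privileged above RG level).
count_broad() {
  audit_assignments | awk -F '\t' '$1 == "BROAD" { n++ } END { print n + 0 }'
}

# Constructed sample rows; the subscription ID is a placeholder.
SUB='/subscriptions/00000000-0000-0000-0000-000000000000'
SAMPLE=$(printf '%s\t%s\t%s\n' \
  'SALT-ADMIN' 'Contributor' "$SUB" \
  'SALT-ADMIN' 'Reader'      "$SUB" \
  'SALT-ADMIN' 'Contributor' "$SUB/resourceGroups/rg-k8s")

printf '%s\n' "$SAMPLE" | audit_assignments
```

Only the first sample row is flagged: Contributor on the whole subscription. Reader at subscription level and Contributor limited to rg-k8s pass.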

== AZ find all public IPs / VMs ==
 * {{{
# List subscription names, then set the one to inspect
az account list | grep name
export azsub="<subscription>"
# All public IP resources in the subscription
az network public-ip list --subscription "$azsub"
# Compute quota usage for one region
az vm list-usage --location australiaeast -o table

# Full details (including power state) for every VM in the subscription
az vm show --show-details --ids $(az vm list --subscription "$azsub" --query "[].id" -o tsv) | jq .
# Same query, reduced to an indexed per-VM summary
az vm show --show-details --ids $(az vm list --subscription "$azsub" --query "[].id" -o tsv) | jq "
      [ .[] |
        { rg: .resourceGroup, hw: .hardwareProfile.vmSize,
          name: .name, loc: .location,
          powerState: .powerState
        }
      ] | to_entries[] | [ .key, .value]"
#
}}}

=== AZ find an image ===
 * 2018 - https://docs.microsoft.com/en-us/cli/azure/vm/image?view=azure-cli-latest
 * az configure --defaults location=
 * az vm image list-publishers --location

== Azure docker, login to private ACR image/container registry ==
 * https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication
   1. az acr login --name <acrName>
   1. docker login myregistry.azurecr.io (use the admin account, if enabled, and one of its 2 passwords)
   1. docker login myregistry.azurecr.io (use [[https://docs.microsoft.com/en-us/azure/container-registry/container-registry-auth-service-principal|service principal]] )

== Powershell ==
 * Run azure
   * https://shell.azure.com/
     {{{
$ azure login
info: Executing command login
- Authenticating...info: To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code HAY8K6VD6 to authenticate.
info: Added subscription Free Trial
+
info: login command OK
pieter@Azure:~$
     }}}
   * Get details {{{
$ az account show
     }}}


   * Create a service account {{{
$ az ad sp create-for-rbac --name "SALT-ADMIN"
{
  "appId": "a0a000-0000-00000-0000-20",
  "displayName": "SALT-ADMIN",
  "name": "http://SALT-ADMIN",
  "password": "20000000-0000-0000-0000-000000000005",
  "tenant": "20000000-0000-0000-0000-000000000003"
}
}}}
    {{{
# az ad sp show --id http://SALT-ADMIN
}}}
    {{{
# az ad sp credential reset --name http://SALT-ADMIN
}}}
  * Create a resource group {{{
az group create -n testRG -l "Australia East"
    }}}

saltazurekeyringsecret

Azure Cloud (Microsoft)

Powershell

  • Powershell on Linux using docker
    •  $ docker pull mcr.microsoft.com/powershell 

    •  $ docker run -it microsoft/powershell 


Azure (last edited 2024-03-04 04:46:47 by PieterSmit)