Azure CLI Notes

Khaled Hikmat

Software Engineer

This is just a note about Azure CLI login options.

Option 1:

Login interactively via a browser

az login

Option 2:

The better way to log in, though, is to use an Azure Service Principal. So I registered an application in Azure Active Directory, i.e. AzureCliScriptApp, and assigned it a service principal. I will use this service principal to log in.

Create a service principal:

Make sure you are in the same tenant that you want to authenticate against. If not, use 'az account set --subscription "your-subs"' to set the account.

To display the Azure Active Directory apps:

az ad app list --display-name AzureCliScriptApp

The above yields the app id, a big string that looks like this: e68ab97f-cff2-4b50-83d5-eec9fe266ccc

az ad sp create-for-rbac --name e68ab97f-cff2-4b50-83d5-eec9fe266ccc --password s0me_passw0rd
{
"appId": "some-app-id-you-will-use-to-sign-in",
"displayName": "e68ab97f-cff2-4b50-83d5-eec9fe266ccc",
"name": "http://e68ab97f-cff2-4b50-83d5-eec9fe266ccc",
"password": "s0me_passw0rd",
"tenant": "your-tenant-id"
}

To log in with the service principal:

az login --service-principal -u some-app-id-you-will-use-to-sign-in -p s0me_passw0rd --tenant your-tenant-id

Useful Commands:

List all subscriptions

az account list --output table

Set the default account

az account set --subscription "Mosaic"

List the Clouds

az cloud list --output table
az cloud show --name AzureCloud --output json

Kubernetes

If you are using the Azure CLI to provision a Kubernetes cluster and you logged in with the service principal, use this command:

az aks create --resource-group $rgName --name $k8sClusterName --service-principal $spAppId --client-secret $spPassword --node-count $k8sNodesCount --generate-ssh-keys

Where:

$rgName is the PowerShell variable that holds the resource group name
$k8sClusterName is the PowerShell variable that holds the k8s cluster name
$spAppId is the PowerShell variable that holds the service principal app id
$spPassword is the PowerShell variable that holds the service principal password
$k8sNodesCount is the PowerShell variable that holds the k8s cluster desired node count

Refer to this doc for more information

Point to Site Connectivity in Azure

Khaled Hikmat

Software Engineer

This PowerShell script creates self-signed root and client certificates, exports them, and imports what is needed:

# Assume you are on Windows 10
$myPassword = "some_password"
$certsPath = "C:\YourDir\Certificates"
$certNamePrefix = "YourNameP2S"
$date = Get-Date "2040-01-01"
# Create a self-signed ROOT cert (CertSign key usage, so it can sign the client cert below)
$rootCert = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=$($certNamePrefix)Cert" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign -NotAfter $date
# Export the cert to base64 so it can be uploaded to the Point-to-Site VPN connection: refer to https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
# Upload the .cer ending with '_Encoded'
Export-Certificate -Cert $rootCert -FilePath "$certsPath\$($certNamePrefix)Cert.cer"
Start-Process -FilePath 'certutil.exe' -ArgumentList "-encode $certsPath\$($certNamePrefix)Cert.cer $certsPath\$($certNamePrefix)Cert_Encoded.cer" -WindowStyle Hidden
# NOTE: Download the VPN Client from Azure AFTER you upload the encoded certificate, i.e. the .cer file
# Generate a client certificate signed by the self-signed root certificate
# NOTE: The self-signed root cert and the client cert must have the same subject!!!
# The TextExtension sets the Enhanced Key Usage (2.5.29.37) to Client Authentication (1.3.6.1.5.5.7.3.2)
$clientCert = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=$($certNamePrefix)Cert" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -Signer $rootCert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2") -NotAfter $date
# Export the client certificate (with its chain and private key) as PFX
Export-PfxCertificate -Cert $clientCert -ChainOption BuildChain -FilePath "$certsPath\$($certNamePrefix)Cert.pfx" -Password $(ConvertTo-SecureString -String $myPassword -AsPlainText -Force)
# Import the PFX client cert into the user store
Import-PfxCertificate -CertStoreLocation Cert:\CurrentUser\my\ -FilePath "$certsPath\$($certNamePrefix)Cert.pfx" -Exportable -Password $(ConvertTo-SecureString -String $myPassword -AsPlainText -Force)
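Before uploading the root and handing out the PFX, it is worth checking that the generated client certificate actually carries the Client Authentication EKU, chains to the root you are about to upload, and that the '_Encoded' .cer really is the base64 form of that root. The following is an added example, not part of the original post; it assumes the $rootCert, $clientCert and $certsPath variables from the script above are still in scope, and the function names are my own.

```powershell
# Added example: sanity-check the P2S certificates produced by the script above.
function Test-P2SClientCert {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$ClientCert,
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$RootCert
    )
    $problems = @()

    # 1. Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2) must be present in the EKU extension (2.5.29.37)
    $eku = $ClientCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasClientAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })
    if (-not $hasClientAuth) { $problems += 'missing Client Authentication EKU' }

    # 2. The client cert must chain to exactly the root we intend to upload to the gateway
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'                  # a self-signed root publishes no CRL
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'  # root is not in Trusted Roots
    $chain.ChainPolicy.ExtraStore.Add($RootCert) | Out-Null
    $built = $chain.Build($ClientCert)
    $topThumb = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
    if (-not $built -or $topThumb -ne $RootCert.Thumbprint) {
        $problems += "does not chain to root $($RootCert.Thumbprint)"
    }

    # 3. Without a private key the exported PFX is useless to the VPN client
    if (-not $ClientCert.HasPrivateKey) { $problems += 'no private key' }

    # 4. Validity window
    $now = Get-Date
    if ($ClientCert.NotBefore -gt $now -or $ClientCert.NotAfter -lt $now) { $problems += 'outside validity window' }

    [pscustomobject]@{ Thumbprint = $ClientCert.Thumbprint; Valid = ($problems.Count -eq 0); Problems = $problems }
}

# The file certutil -encode produced must be the base64 DER of the root, wrapped in BEGIN/END lines.
function Test-EncodedRootCer {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$RootCert
    )
    $body = (Get-Content $Path | Where-Object { $_ -notmatch '^-----' }) -join ''
    return ($body -eq [Convert]::ToBase64String($RootCert.RawData))
}

Test-P2SClientCert -ClientCert $clientCert -RootCert $rootCert
Test-EncodedRootCer -Path "$certsPath\$($certNamePrefix)Cert_Encoded.cer" -RootCert $rootCert
```

If Test-P2SClientCert reports Valid = False, fix the generation step rather than the upload; the gateway will reject a client cert that does not chain to the uploaded root.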

I hope it helps someone.