I have an Azure Pipeline on a self-hosted agent, and I use this task:
- task: AzureCLI@2
  displayName: Azure CLI task with Python SDK
  inputs:
    azureSubscription: 'SUBSCRIPTION-SERVICE-CONNECTION'
    scriptType: bash
    scriptLocation: inlineScript
    inlineScript: |
      python ./magic-script.py
This lets me use the credentials to authenticate the Azure Python SDK:
client = get_client_from_cli_profile(GraphRbacManagementClient)
When I move this process to an MS-hosted agent, I get this error:
File "/opt/hostedtoolcache/Python/3.7.12/x64/lib/python3.7/site-packages/azure/common/client_factory.py", line 85, in get_client_from_cli_profile
with_tenant=True,
File "/opt/hostedtoolcache/Python/3.7.12/x64/lib/python3.7/site-packages/azure/common/credentials.py", line 98, in get_azure_cli_credentials
cred, subscription_id, tenant_id = profile.get_login_credentials(resource=resource)
File "/opt/hostedtoolcache/Python/3.7.12/x64/lib/python3.7/site-packages/azure/cli/core/_profile.py", line 335, in get_login_credentials
credential = self._create_credential(account, client_id=client_id)
File "/opt/hostedtoolcache/Python/3.7.12/x64/lib/python3.7/site-packages/azure/cli/core/_profile.py", line 592, in _create_credential
return identity.get_service_principal_credential(username_or_sp_id)
File "/opt/hostedtoolcache/Python/3.7.12/x64/lib/python3.7/site-packages/azure/cli/core/auth/identity.py", line 185, in get_service_principal_credential
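entry …

I have configured Azure Application Gateway and API Management in this setup: https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-integrate-internal-vnet-appgateway - the Application Gateway is the public endpoint, and only defined routes are passed through to API Management.
I want to use the ip-filter policy to restrict calls to certain IP addresses. However, when a call comes in through the Application Gateway, the original client IP address is lost or obscured as IP 0.0.0.0.
Is there a way to preserve the original client IP address and pass it from the Application Gateway to API Management?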
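
I have defined variable groups for the various environments, each with a variable board.subscription that specifies the Azure service connection to use in the WebApp deployment.
The deployment jobs reference these variable groups: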
name: $(Date:yyyyMMdd)-$(Rev:r)
trigger:
- master
- dev
- feature/*
- bug/*
stages:
- stage: build
  ...
- stage: deploy_test
  displayName: deploy to TEST
  dependsOn: build
  variables:
  - group: 'Test-Deployment'
  jobs:
  - template: azure-pipelines/deploy.yml
    parameters:
      environment: TEST
- stage: deploy_prod
  displayName: deploy to PROD
  dependsOn: deploy_test
  variables:
  - group: 'Production-Deployment'
  jobs:
  - template: azure-pipelines/deploy.yml
    parameters:
      environment: PROD
The variable is then used in the deploy.yml file:
parameters:
  environment: ''
  agentImage: 'ubuntu-latest'
jobs:
- deployment: ${{ parameters.environment }}
  displayName: deploy …

To create diagnostic settings on an Azure Firewall, I want to pass in the logs and metrics settings.
I define these in 2 variables and then pass them to the Azure CLI:
$logsSetting = "[{'category': 'AzureFirewallApplicationRule','enabled': true,'retentionPolicy': {'days': 0,'enabled': false}},{'category': 'AzureFirewallNetworkRule','enabled': true,'retentionPolicy': {'days': 0,'enabled': false}}]"
$metricsSetting = "[{'category': 'AllMetrics','enabled': true,'retentionPolicy': {'days': 0,'enabled': false},'timeGrain': null}]"
az monitor diagnostic-settings create --name $FW_NAME `
--resource $FW_NAME -g $VNET_GROUP --resource-type Microsoft.Network/azureFirewalls `
--resource-group $VNET_GROUP `
--workspace $FW_NAME `
--logs $logsSetting `
--metrics $metricsSetting
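Executing this, I get Expecting property name enclosed in double quotes: line 1 column 3 (char 2).
I tried, without success, changing ' to "

I have an API App that I have secured with Azure Active Directory authentication. I want to call an operation of this API App using Azure Scheduler. I entered the tenant ID, client ID and secret in the scheduler action.
When I schedule or complete the job, I get: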
Http Action - Response from host 'xxxx.azurewebsites.net': 'Unauthorized'
The diagnostic application log gives me:
JWT validation failed: IDX10214: Audience validation failed. Audiences:
'https://management.core.windows.net/'. Did not match:
validationParameters.ValidAudience: 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' or
validationParameters.ValidAudiences: 'https://xxxx.azurewebsites.net'.

When deploying the resources for my Function App with an ARM template like this:
{
  "type": "Microsoft.Web/sites",
  "kind": "functionapp",
  "name": "[parameters('appNameFunctions')]",
  "apiVersion": "2015-08-01",
  "location": "West Europe",
  "tags": {},
  "properties": {
    "name": "[parameters('appNameFunctions')]",
    "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('aspNameFunctions'))]"
  },
  "resources": [
    {
      "name": "appsettings",
      "type": "config",
      "apiVersion": "2015-08-01",
      "dependsOn": [
        "[concat('Microsoft.Web/sites/', parameters('appNameFunctions'))]"
      ],
      "tags": {
        "displayName": "fnAppSettings"
      },
      "properties": {
        "AzureWebJobsStorage":"[concat('DefaultEndpointsProtocol=https;AccountName=',parameters('storageAccountNameFunctions'),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountNameFunctions')), '2015-05-01-preview').key1)]",
        "AzureWebJobsDashboard":"[concat('DefaultEndpointsProtocol=https;AccountName=',parameters('storageAccountNameFunctions'),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountNameFunctions')), '2015-05-01-preview').key1)]",
        "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING":"[concat('DefaultEndpointsProtocol=https;AccountName=',parameters('storageAccountNameFunctions'),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountNameFunctions')), '2015-05-01-preview').key1)]",
        "WEBSITE_CONTENTSHARE":"[parameters('appNameFunctions')]",
        "FUNCTIONS_EXTENSION_VERSION":"~0.8",
        "AZUREJOBS_EXTENSION_VERSION":"beta",
        "WEBSITE_NODE_DEFAULT_VERSION":"6.5.0"
      }
    }
  ],
  "dependsOn": [
    "[resourceId('Microsoft.Web/serverfarms', parameters('aspNameFunctions'))]",
    "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountNameFunctions'))]"
  ]
}
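Is it sufficient to set FUNCTIONS_EXTENSION_VERSION to the desired version so that App Service automatically adjusts/loads the correct runtime, or does something else need to be adjusted or done?

I am deploying an ARM template with VSTS that contains a lock (in my case, a lock on the storage account of a function app)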
{
  "parameters": {
    "name": {
      "type": "string"
    },
    "storageName": {
      "type": "string"
    },
    "location": {
      "type": "string"
    }
  },
  "resources": [
    {
      "apiVersion": "2015-05-01-preview",
      "type": "Microsoft.Storage/storageAccounts",
      "name": "[parameters('storageName')]",
      "location": "[parameters('location')]",
      "properties": {
        "accountType": "Standard_LRS"
      },
      "resources": [
        {
          "type": "Microsoft.Storage/storageAccounts/providers/locks",
          "name": "[concat(parameters('storageName'), '/Microsoft.Authorization/', parameters('storageName'))]",
          "apiVersion": "2015-01-01",
          "dependsOn": [
            "[concat('Microsoft.Storage/storageAccounts/', parameters('storageName'))]"
          ],
          "properties": {
            "level": "CannotDelete",
            "notes": "One or more function apps were linked to this storage account. You can see all the function apps linked …

I want to deploy a virtual network setup with these vnets/subnets
Each subnet is contained in the "resources": [...] array of the corresponding virtual network, and each subnet has the vnet as a dependency, like this:
{
  "apiVersion": "2020-04-01",
  "type": "subnets",
  "location": "[parameters('location')]",
  "name": "ingress",
  "dependsOn": [
    "[parameters('vnetNameCluster')]"
  ],
  "properties": {
    "addressPrefix": "[parameters('subnetPrefixIngress')]"
  }
}
However, when deploying the virtual networks, conflicts frequently occur:
{
  "error": {
    "code": "AnotherOperationInProgress",
    "message": "Another operation on this or dependent resource is in progress. To retrieve status of the operation use uri: https://management.azure.com/subscriptions/xxxxxx/providers/Microsoft.Network/locations/westus/operations/yyyyyyyyyyyyyyy?api-version=2020-04-01.",
    "details": []
  }
}
What dependency can I add to avoid this conflict?
azure-virtual-network azure-resource-manager azure-rm-template
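
I am changing an ARM template (including linked templates) that has been in use for several months. After a successful build, I get an error at deployment: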
New-AzureRmResourceGroupDeployment : A parameter cannot be found that matches parameter name '_artifactsLocationSasToken'

I want to use MSI to access KeyVault from an application (specifically for me: the Azure Functions runtime) inside a container hosted in an Azure Service Fabric VMSS.
What do I need to do to achieve this?
azure-service-fabric azure-keyvault azure-vm-scale-set azure-managed-identity