Hot questions for Using Azure in azure cli

Question:

I am trying to automate process of creating a Java appservice using ARM template and then utilize FTP publishing method to upload Java WAR file for Tomcat.

Following does not work in Azure CLI -

$ azure resource show <resource-group> <appservice-name>/publishingcredentials Microsoft.Web/sites/config 2015-08-01

error:   The resource type could not be found in the namespace 'Microsoft.Web' for api version '2015-08-01'

But this works in Azure PowerShell -

$resource = Invoke-AzureRmResourceAction -ResourceGroupName <resource-group> -ResourceType Microsoft.Web/sites/config -ResourceName <appservice-name>/publishingcredentials -Action list -ApiVersion 2015-08-01 -Force
$resource.Properties

I have been referring to namespaces from Resource Explorer https://resources.azure.com but not able to find the right syntax to get FTP username and password that I can use later in the script to upload WAR file.


Answer:

I found an alternative.

If resource group was created manually and FTP Publishing Credentials for any website under the resource group was setup manually. Then this will setup an alternate FTP credential for the resource group - not specific to any website (or may be it is global for the whole account).

Each website once created sets up a different domain on FTP server and the alternate credential works for any website - ftp:///username@waws-prod-sn1-033.ftp.azurewebsites.windows.net.

Now from Jenkin, if we create a new siteName based on git branch name under same resource group, we can use the above pre-configured FTP credential for the new siteName as well to upload the application archive.

I wish there was a way to retrieve at least the alternate credentials using Azure CLI. Resource explorer shows it under - https://management.azure.com/providers/Microsoft.Web/publishingUsers/web?api-version=2015-08-01.

Or even if "siteConfig" properties under ARM template can be setup to configure publishingUsername and publishingPassword. I tried this option but these properties get ignored.

Question:

Can we set Azure AD permission so it can be accessed by any user? For instance I have one clientID within my UserA. Then UserB who is outside my organization will be able to authenticate using clientID of UserA. I think this is possible by setting my app as multi-tenant but not sure what exact permission I need to grant? The permission issue occurs when I'm initializing the Azure: Azure azure = Azure.authenticate(creds).withDefaultSubscription();


Answer:

I think the issue is the user needs to consent the appid, is there a way to automate that?

No, you can't automate that. You need to send an interactive authorization request for this user and resource.

The problem you are running in to is that the tenant you are using to access your app has not added your application to the list of applications that are supported. It's telling you to use the interactive flow as an administrator.

Consent is a two step process:

1) First, the administrator of the tenant must approve the app. This can be done either a) in the Azure portal of the tenant wishing to use the app b) by launching the app and using admin credentials against the app when you sign in.

2) Second, any additional user (non-admin) will be promoted to consent for their individual information when using the app for the first time after the admin has consented that the app can be used.

For more details about how to sign in user with multiple tenant you could refer to this article.

Question:

I need to check whether the provided blob is assigned to the organisation represented by tenant ID. Provided information is: - storage URI - SAS token

My solution is to list all the subscription within the organisation, get the subscription of provided blob and find the match.

The problem is, in Azure SDK i can not find any method to get information about subscription.

The only way I can list the properties about my storage account is to use azure CLI by running command

az storage account show

Is there any way to get subscription information having such parameters? If not, could you suggest me some solution to check blob belongingness?


Answer:

In your case, you need to have the permissions for all the subscriptions in the tenant(e.g. you are the owners of the subscriptions).

My workaround is to call the REST API Subscriptions - List in java(seems there is no sdk to list subscriptions), to call the rest api in java, you could refer to this link.

Then List resource groups in every subscription, after that you can List all storage accounts in a resource group. Then check the storage account if exists in them.

Could you recommend me some other solution to confirm blob belongingness? Maybe I need more input data? If so, what kind of data?

First, your purpose is a reverse search, so we could not know the subscription, resource group. So we could not know the details about the storage account, like the resource id of the storage account, becasue the resource id includes the subscription id and resource group name. So even if you have other input data, which is not related to the storage account directly, we just could use the workaround above.

Question:

i need to created Azure function BlobTrigger using Java to monitor my storage container for new and updated blobs.

tried with below code

import java.util.*;
import com.microsoft.azure.serverless.functions.annotation.*;
import com.microsoft.azure.serverless.functions.*;
import java.nio.file.*;
import java.io.*;
import java.net.URL;
import java.net.URLConnection;
import java.time.LocalDateTime;
import java.time.format.DateTimeFormatter;
import com.microsoft.azure.storage.*;
import com.microsoft.azure.storage.blob.*;

@FunctionName("testblobtrigger")
 public String testblobtrigger(@BlobTrigger(name = "test", path = "testcontainer/{name}") String content) {
     try {
         return String.format("Blob content : %s!", content);

     } catch (Exception e) {
         // Output the stack trace.
         e.printStackTrace();
         return "Access Error!";
     }
 }

when executed it is showing error

Storage binding (blob/queue/table) must have non-empty connection. Invalid storage binding found on method:

it is working when added connection string

public String kafkablobtrigger(@BlobTrigger(name = "test", path = "testjavablobstorage/{name}",connection=storageConnectionString) String content) {

why i need to add connection string when using blobtrigger?

in C# it is working without connection string:

public static void ProcessBlobContainer1([BlobTrigger("container1/{blobName}")] CloudBlockBlob blob, string blobName)
{
    ProcessBlob("container1", blobName, blob);
}

i didn't see any Java sample for Azure functions for @BlobTrigger.


Answer:

After all, connection is necessary for the trigger to identify where the container locates.

After test I find @Mikhail is right. For C#, the default value(in local.settings.json or in application settings in portal) will be used if connection is ignored. But unfortunately there's no same settings for java.

You can add @StorageAccount("YourStorageConnection") below your @FuncionName as it's another valid way to choose. And value of YourStorageConnection in local.settings.json or in portal's application settings is up to you.

You can follow this tutorial, use mvn azure-functions:add to find four(Http/Blob/Queue/TimerTrigger) templates for java.