Skip to content

AZ CLI

Account

Login

az account login --output table

Login to AAD

az login --scope https://graph.microsoft.com//.default --use-device-code --output table

Set subscription

az account set --subscription 8b20XXXX-XXXX-XXXX-XXXX-e255

Or using alias:

set_sub_SUB_NAME

I plan to write more on this kind aliases in one my other docs

Resource groups

Prerequisite for the following tasks is subscription set.

List groups

az group list --query '[].name' -o tsv

Save the required group name as env variable

AZ_RG_NAME='tfstates'

Storage accounts

List accounts

az storage account list --query '[].name' -o tsv

Save the required storage account name as env variable

AZ_SA_NAME='gdp19prodtfstates'

Get account key

AZ_SA_KEY=$(az storage account keys list --account-name $AZ_SA_NAME --resource-group $AZ_RG_NAME --query "[0].{value:value}" --output tsv)

List containers

az storage container list --account-name $AZ_SA_NAME --account-key $AZ_SA_KEY --query '[].name' -o tsv

Save the required container name as env variable

AZ_SA_CO_NAME='tfstates'

List blobs

az storage blob list --account-name $AZ_SA_NAME --account-key $AZ_SA_KEY --container-name $AZ_SA_CO_NAME --query "[].{name:name}" --output tsv

Create a snapshot for a blob

az storage blob snapshot --account-name $AZ_SA_NAME --account-key $AZ_SA_KEY --container-name $AZ_SA_CO_NAME --name prod-03-gdp-base.tfstate

Manually add subnets to Storage Accounts FW

az storage account network-rule add -g alz-gdp-dph4dadevenv-gdp-base-customer-rg --account-name datalake2gprodmjkdq2 --subnet /subscriptions/c807d85d-12ae-474e-89ad-32f960be7a9a/resourceGroups/rgp-p-we1-sharedservices-aks2/providers/Microsoft.Network/virtualNetworks/vnet-p-we1-03/subnets/sub-p-we1-aks2-44.142.14.0-23

az storage account network-rule add -g alz-gdp-dph4dadevenv-gdp-base-customer-rg --account-name datalake2gprodmjkdq2 --subnet /subscriptions/c807d85d-12ae-474e-89ad-32f960be7a9a/resourceGroups/rgp-p-we1-sharedservices-aks/providers/Microsoft.Network/virtualNetworks/vnet-p-we1-02/subnets/sub-p-we1-aks-44.133.40.0-22

Get all IPs that accessed to the storage account

 az monitor activity-log list --offset 30d --subscription $AZ_SUB_NAME --resource-id $AZ_SA_IS | egrep 'ipaddr|clientIpAddress' | sort -u
 ```

### Accessing storage accounts from within the pod

For this purpose we will use the image gdp-cli

```bash

apiVersion: apps/v1
kind: Deployment
metadata:
  name: gdp-cli-deployment
  namespace: gdp-svc-jupyterhub-bi
  labels:
    app: gdp-cli
spec:
  replicas: 1
  selector:
    matchLabels:
      app: gdp-cli
  template:
    metadata:
      labels:
        app: gdp-cli
        aadpodidbinding: prodazesbiqubprodh56xw-msi-binding
    spec:
      containers:
        - name: gdp-cli
          command:
            - bash
            - -c
            - "sleep 3600"
          image: AZ_ACR_FQDN/gdp-cli
          resources:
            requests:
              cpu: 10m
              memory: 32Mi
            limits:
              cpu: 100m
              memory: 512Mi 


root@gdp-cli-deployment-544fdd486-mrpgz:/# curl "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/" -H "Metadata: true"

root@gdp-cli-deployment-544fdd486-mrpgz:/# az storage blob list --account-name $SA_NAME --auth-mode "login" -c data-aria --query "[].name"
[
  "df_test.pq",
  "df_test.pq/_SUCCESS",
  "df_test.pq/part-00000-9fc51678-1e59-444b-a4eb-33b9c4e34065-c000.snappy.parquet",
  "flow.log",
  "test",
  "test/test.txt",
  "text.txt"
]

Get Storage Account Auth Key and create a snapshot

export SUB_NAME="my_awesome_sub"
export SA_RG_NAME="my_awesome_rg"
export SA_NAME="my_awesome_sa"
export CONTAINER_NAME="my_awesome_container"
export BLOB_NAME="my_awesome_blob"


az account set -s $SUB_NAME

export SA_KEY1=$(az storage account keys list --resource-group $SA_RG_NAME --account-name $SA_NAME --query "[?contains(keyName, 'key1')].value" -otsv)
az storage blob snapshot --account-name $SA_NAME --container-name $CONTAINER_NAME --name $BLOB_NAME --auth-mode key --account-key $SA_KEY1

AKS

Prerequisite for the following tasks are:

List clusters

az aks list --resource-group $AZ_RG_NAME --query '[].name' -o tsv

Save the cluster name as env variable

AZ_AKS_CL_NAME=awesome_cluster

Get credentials with admin privileges for kubectl

az aks get-credentials --resource-group $AZ_RG_NAME --name $AZ_AKS_CL_NAME --admin

Get credentials for kubectl for all clusters you have

How many times it happened to you that you got to a bunch of new AKS clusters and you have to get their kubeconfigs by running the same command over and over again. Here is a simple loop that will help you to get the credentials for all clusters you have in all your subscriptions.

for s in $(az account list --output tsv | awk '{print $6" "$3;}' | sort -f | awk '{print $1;}'); do
    az account set --subscription $s
    echo $s
    for cluster in $(az aks list -ojson | jq -r '.[]|[.name + "#" + .resourceGroup]|@tsv'); do
        export AZ_AKS_CL_NAME=$(echo $cluster | cut -d '#' -f 1)
        export AZ_RG_NAME=$(echo $cluster | cut -d '#' -f 2)
        az aks get-credentials --resource-group $AZ_RG_NAME --name $AZ_AKS_CL_NAME --overwrite-existing
    done
done

The above loop can be rewritten in a form of nested loops in case there is need for something like that.

Find out if the addon blob csi driver is enabled in cluster

> az aks show  -n  $AZ_AKS_CL_NAME -g $AZ_RG_NAME | jq -r ".storageProfile.blobCsiDriver"
{
  "enabled": false
}

Enable the addon blob csi driver

az aks update --enable-blob-driver -n $AZ_AKS_CL_NAME -g $AZ_RG_NAME
Please make sure there is no open-source Blob CSI driver installed before enabling. (y/N): y
 / Running ..

Disable the addon blob csi driver

 az aks update --disable-blob-driver -n $AZ_AKS_CL_NAME -g $AZ_RG_NAME
Please make sure there are no existing PVs and PVCs that are used by Blob CSI driver before disabling. (y/N): y
{
  "aadProfile": {
    "adminGroupObjectIDs": [
      ...

Pretty printed aks node pools configuration

for l in $(az aks nodepool list --resource-group $AZ_RG_NAME --cluster-name $AZ_AKS_CL_NAME | jq -r '["Name", "AutoScaling", "Count", "MinCount", "MaxCount", "MaxPods"], (.[]|[.name, .enableAutoScaling, .count, .minCount, .maxCount, .maxPods])|@csv'); do printf "|%-20s | %-15s | %+8s | %+8s | %+8s| %+8s|\n" $(echo $l| tr "," " "| tr -d "\""); done

Upgrade control plane only

 az aks upgrade --kubernetes-version  1.25.6  --resource-group $AZ_RG_NAME --name  $AZ_AKS_CL_NAME --control-plane-only

Fix failed upgrade pipeline - nodepool version

 az aks nodepool list  --resource-group $AZ_RG_NAME --cluster-name $AZ_AKS_CL_NAME --query "[].{Name:name}" -otsv
❯ az aks nodepool upgrade --resource-group $AZ_RG_NAME --cluster-name $AZ_AKS_CL_NAME --node-image-only --name $NODEPOOL_NAME

Azure network

List endpoints in subscription

az network private-endpoint list --subscription gdp-20-westeurope-prod | jq -r '.[] | .id[15:51] as $subId | .customDnsConfigs[] | [ $subId, .name, .ipAddresses[0], .fqdn ] | @tsv'

Cleaning private dns zone - a records

subName='PLEASE USE THE CORRECT SUB NAME'
dnsZone=$(az network private-dns zone list --subscription ${subName} --query "[?contains(name, 'AZ_CLOUD_DOMAIN_SUFFIX')].{name:name}" -o tsv)
dnsRG=$(az network private-dns zone list --subscription ${subName} --query "[?contains(name, 'AZ_CLOUD_DOMAIN_SUFFIX')].{resourceGroup:resourceGroup}" -o tsv)

az network private-dns record-set a list \
  --resource-group ${dnsRG} \
  --zone-name ${dnsZone}  \
  --query "[?aRecords[0].ipv4Address == '44.142.46.8'].name" -o tsv | \
  xargs -t -L 1 -P 3 az network private-dns record-set a delete \
  --resource-group ${dnsRG}\
  --zone-name ${dnsZone}  \
  -y \
  --name || true

Cleaning private dns zone - txt records

az network private-dns record-set txt list --resource-group ${dnsRG} \
  --zone-name ${dnsZone} --subscription ${subName} \
  --query "[?contains(txtRecords[0].value[0],'owner=default')].{name:name}" -o tsv | \
  xargs -I {name} -t -P10 az network private-dns record-set txt delete \
  --resource-group ${dnsRG} --zone-name ${dnsZone} \
  --subscription ${subName} --yes --name {name}

Check if subscription has a certain route in any of the routing tables

 az account  set --subscription 2e02f0e9-XXX-XXXX-XXXX-XXXXXXXX
❯ for l in $(az network vnet list --query "[].{name:name, rg:resourceGroup}" -otsv); do
    resourceGroup=$(echo $l | awk -F "\t" '{print $2;}')
    vnetName=$(echo $l | awk -F "\t" '{print $1;}')
    #az network route-table list  --resource-group "${resourceGroup}"
    for rtName in $(az network route-table list  --resource-group "${resourceGroup}"  --query "[].{name:name}"  -otsv); do
        az network route-table route list --route-table-name "${rtName}" --resource-group "${resourceGroup}" | jq '.[].name'
    done
done | grep "to-scc-afw"

List private endpoints for storage accounts in one subscription

for rg in $(az group list --query "[?starts_with(name, 'alz-gdp-')].name" -o TSV); do
  az network private-endpoint list -g $rg | jq '.[]|.customDnsConfigs|map(select(.fqdn | match("blob|file|dfs")))' | jq -rC 'select(. | length > 0)|.[] | [.fqdn, .ipAddresses[0]] | @tsv';
done | column -t

List private endpoints for storage accounts in one subscription - xarg version

az group list --query "[?starts_with(name, 'alz-gdp-')].name" -o TSV | xargs -n1 -P5 az network private-endpoint list --resource-group | jq '.[]|.customDnsConfigs|map(select(.fqdn | match("blob|file|dfs")))' | jq -rC 'select(. | length > 0)|.[] | [.fqdn, .ipAddresses[0]] | @tsv' |  column -t

List private endpoints for storage accounts in one subscription - PowerShell version

((az group list  -o json | ConvertFrom-Json ) |? name -match "^alz-gdp-.*").name | % -Parallel {az network private-endpoint list --resource-group $_ -ojson | ConvertFrom-Json}).customDnsConfigs |? fqdn -Match "blob|file|dfs"

List private endpoints of postgres databases without a CT DNS record

for s in $(az account list --output tsv | awk '{print $6" "$3;}' | egrep -v 'sharedservices|del1eam|devops|deletgdptest|gdp-65-westeurope-prod_dataroom-mvp' | sort -f | awk '{print $1;}'); do
    az account set --subscription $s
    for psn in $(az postgres server list --query '[].[name]' -otsv);do
        for f in $(az network private-endpoint list --query "[?name == '$psn-endpoint'].customDnsConfigs[0].fqdn" -otsv|grep $psn);do
            a_recorder=$(dig  +short $f A | tr "\n" " ")
            echo $a_recorder | grep -q '44\.'
            [[ $? -ne 0 ]] && echo "$f\n\tA:\t$a_recorder"
        done
    done
done

List subnets and route tables for one subscription

OIFS=$IFS
IFS=$'\n'
for l in $(az network vnet list --query "[].{name:name, rg:resourceGroup}" -otsv); do
    resourceGroup=$(echo $l | awk -F "\t" '{print $2;}')
    vnetName=$(echo $l | awk -F "\t" '{print $1;}')
    #echo "$vnetName $resourceGroup"
    for subnetName in $(az network vnet subnet list --resource-group "${resourceGroup}" --vnet-name "${vnetName}" --query "[?contains(name, 'int')].{name:name,ap:addressPrefix}" -otsv); do
        sn=$(echo "$subnetName" | column -t | awk -F"-" '{print $4;}')
        az network route-table show -g "${resourceGroup}" -n "rt-p-we1-${sn}"
    done
done
IFS=$OIFS

List all pubint networks and IP ranges

for s in $(az account list --output tsv | awk '{print $6" "$3;}' | egrep -v 'sharedservices|del1eam|devops|deletgdptest|gdp-65-westeurope-prod_dataroom-mvp' | sort -f | awk '{print $2;}'); do
    az account set --subscription $s
    OIFS=$IFS
    IFS=$'\n'
    for l in $(az network vnet list --query "[].{name:name, rg:resourceGroup}" -otsv); do
        resourceGroup=$(echo $l | awk -F "\t" '{print $2;}')
        vnetName=$(echo $l | awk -F "\t" '{print $1;}')
        #echo "$vnetName $resourceGroup"
        for subnetName in $(az network vnet subnet list --resource-group "${resourceGroup}" --vnet-name "${vnetName}" --query "[?contains(name, 'pubint')].{name:name,ap:addressPrefix}" -otsv); do
            echo "$resourceGroup\t$subnetName" | column -t
        done
    done
    IFS=$OIFS
done

List all vnet subnets and IP ranges

for s in $(az account list --output tsv | awk '{print $6" "$3;}' | egrep -v 'SUBNAME1|SUBNAME2' | sort -f | awk '{print $2;}'); do
    az account set --subscription $s
    OIFS=$IFS
    IFS=$'\n'
    for l in $(az network vnet list --query "[].{name:name, rg:resourceGroup}" -otsv); do
        resourceGroup=$(echo $l | awk -F "\t" '{print $2;}')
        vnetName=$(echo $l | awk -F "\t" '{print $1;}')
        #echo "$vnetName $resourceGroup"
        for subnetName in $(az network vnet subnet list --resource-group "${resourceGroup}" --vnet-name "${vnetName}" --query "[?contains(name, 'int')].{name:name,ap:addressPrefix}" -otsv); do
            echo "$resourceGroup\t$subnetName" | column -t
        done
    done
    IFS=$OIFS
done

AZ VMs

List SKU

az vm image list --all --publisher Canonical --location westeurope | jq '[.[] | select(.sku | match("20_04-lts-gen2"))]'

List all VMs for all subscriptions

for s in `az account subscription list --query "[?contains(displayName, 'gdp') || contains(displayName, 'dsp') || contains(displayName, 'GDP') || contains(displayName, 'DSP')].displayName" -o TSV`; do \
for g in `az group list --query "[*].name" -o TSV  --subscription $s | grep -Ev '^MC_'`; do \
for v in `az vm list --query "[*].name" -o TSV --subscription $s --resource-group $g`; do echo "$s - $g: $v" \
done; \
done; \
done

Azure PostgreSQL

List postgres server configuration

 az postgres server configuration list -g alz-gdp-dpmidcorp-gdp-base-customer-rg --server-name dpmidcorp-int --query "[].{name:name, value:value}" -oTSV | sort | egrep 'work_mem|maintenance_work_mem|effective_cache_size'
autovacuum_work_mem -1
effective_cache_size 4194304
maintenance_work_mem 2097151
work_mem 204800 az postgres server configuration list -g alz-gdp-dpmidcorp-gdp-base-customer-rg --server-name dpmidcorp-prod --query "[].{name:name, value:value}" -oTSV | sort | egrep 'work_mem|maintenance_work_mem|effective_cache_size'
autovacuum_work_mem -1
effective_cache_size 4194304
maintenance_work_mem 2097151
work_mem 204800

ACR

Login to ACR with HELM

 export AZ_ACR_NAME='<ACR_NAME>' export AZ_ACR_FQDN="${AZ_ACR_NAME}.azurecr.io" accessToken=$(az acr login --name $AZ_ACR_NAME  --expose-token | jq -r '.accessToken') echo $accessToken | helm registry login $AZ_ACR_FQDN \
            --username 00000000-0000-0000-0000-000000000000 \
            --password-stdin
Login Succeeded

Importing images to the ACR

 accessToken=$(az acr login --name <ACR_NAME>  --expose-token | jq -r '.accessToken')
WARNING: You can perform manual login using the provided access token below, for example: 'docker login loginServer -u 00000000-0000-0000-0000-000000000000 -p accessToken' docker login loginServer -u 00000000-0000-0000-0000-000000000000 -p $accessToken az acr login --name AZ_ACR_FQDN
❯ az acr import --name <ACR_NAME>  --source index.docker.io/prometheus-operator/prometheus-operator:v0.53.1  --username 0XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXd --password SP_PASSWORD

Azure AD - Service principals and applications

Resetting the credentials for PROXY OIDC

Warn

This functionality is removed from newer versions of AZ CLI

 kgd -n gdp-ingress traefik-forward-auth -oyaml
❯ az ad app credential reset --id $OBJECT_ID -p $PASSWORD --years 2 az ad app show --id 5fXXXXXX-XXXX-XXXX-XXXX-XXXX29291b8e
❯ k delete pod -n gdp-ingress traefik-forward-auth-669f696d69-rgr9c

List the serivce principal with the know displayName

 https_proxy="http://PROXY_FQDN:80" az ad sp list --display-name alz-gdp-dlab-aks

Reset credentials (to do this we need to run it from jenkins pods) - deprecated

The password we can get from IAM-STAGE tfstate file. The filed is ``

az ad app credential reset --id OBJECT_ID --password PASSWORD --years 2

List expired passwords for SPs

date_warn=$(date -u +"%FT%H:%M:%S.%sZ" -d "$(date +"%Y-%m-%d") + 30 day")
now_date=$(date -u +"%FT%H:%M:%S.%sZ")
while read -r name app expiryDate; do
if [[ "${name}" != "*msi*" ]]; then
if [[ ${now_date} > ${expiryDate} ]]; then
    message="*EXPIREDrm .zshrc! AAD APPLICATION ${name} with AppID ${app} have credential that has expired. Expiry Date: ${expiryDate}"
elif [[ ${date_warn} > ${expiryDate} ]]; then
    message="AAD APPLICATION ${name} with appID ${app} have credential that will expire in less than 30 days. Expiry Date: ${expiryDate}"
else
    message=""
fi
[[ ! -z ${message} ]] && echo ${message}
fi
done <<< "$(az ad app list --filter "startswith(displayName, 'alz-gdp')" --query "[?contains(displayName,'dns') || contains(displayName,'aks')][displayName, objectId, passwordCredentials[].endDate[]|[0]]" -o tsv)"

Get role assignments for AAD Group

export AZ_SUB_NAME="<Your subscription name>"
export AAD_GROUP_NAME="<Your AAD group name>"
AZ_GR_ID=$(az ad group show -g $AAD_GROUP_NAME --query="id" -otsv)
az role assignment list --all --assignee $AZ_GR_ID --query "[].{roleName:roleDefinitionName, scope:scope}" --subscription $AZ_SUB_NAME -o table

LogAnalytics

LogAnalytics query to get the biggest users of the LogAnalytics

find where TimeGenerated between(startofday(ago(30d))..startofday(now())) project _ResourceId, _BilledSize, _IsBillable
| where _IsBillable == true 
| summarize BillableDataBytes = sum(_BilledSize) by _ResourceId 
| sort by BillableDataBytes nulls last

General

List enabled features in your subscription

 az feature list --query "[?(properties.state != 'NotRegistered')].{NAME:name,STATE:properties.state}" -otable                                                                                                                                                     dsp5-westeurope-dev 16:07:37
NAME                                                    STATE
------------------------------------------------------  ------------
Microsoft.AzureStackHCI/SoftwareAssuranceEnabled        Registered
Microsoft.Network/AllowUpdateAddressSpaceInPeeredVnets  Unregistered
Microsoft.ContainerService/PodSecurityPolicyPreview     Registered
...
Microsoft.Storage/HnsSnapshot                           Pending