Wednesday, October 21, 2015

Authentication issues with Azure CLI Tools 0.9.10+




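A note on a problem I ran into recently. In ASM mode, uploading a file to blob storage used to need only the account name and account key, but a bug appeared in the Azure CLI tools after 0.9.7:
Tracing the source code showed that you must first run azure account import {subscription file} or azure login so that the tool can obtain certain information; if it cannot read that value, this error appears....

The same problem also shows up in ARM mode, and what is even more annoying is that there it is not a bug but a feature change: for security reasons they force you to run azure login.... 囧 (I only want to upload a file!!)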

> azure group list
info:    Executing command group list
+ Listing resource groups
error:   Certificate based Authentication is not supported in current mode: 'arm'. Please authenticate using an organizational account via 'azure login' command.
info:    Error information has been recorded to ~/.azure/azure.err
error:   group list command failed

Many people have run into similar problems:
In these issues someone mentions that this is a limitation of the new architecture; see: Azure automation authenticating to azure using azure active directory

You should now be all set to manage your Azure services with an Azure Active Directory OrgID user and Azure Automation. Going forward, it should be easier to get up and running creating runbooks to automate your cloud processes. As part of this update, we’ve also updated all of our Azure Automation sample and utility runbooks to use this authentication to make it easy to not just get set up but also leverage existing content in our Runbook Gallery.

Probably you are using certificates for authentication. The ARM API uses tokens for authentication. You need to login using org id. azure login -u abc@yourorg.com It will prompt for password. Once you are logged in you should not see the above message. For verification purposes, you can see the tokens and certificates stored in a file named azureProfile.json in .azure directory located in your home directory "C:\Users.azure\azureProfile.json"

So what is the workaround? You have to run azure login. After you enter the command, the following prompt asks you to sign in:

info:    Executing command login
info:    To sign in, use a web browser to open the page http://aka.ms/devicelogin.
Enter the code B8UCDLERS to authenticate. If you're signing in as an Azure AD application,
use the --username and --password parameters.


This is really a hassle!!!!

---------------------------------
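[Update: 2015.10.23] Microsoft's support really is good, though; they quickly came up with other approaches:

1. Use blobxfer, a tool developed by a third party

2. Export the following before running the Azure blob upload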

export AZURE_STORAGE_ACCOUNT=
export AZURE_STORAGE_ACCESS_KEY=
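
Because the second workaround puts the storage account key in the environment, here is one way to set the two variables without typing the key on the command line. This is an added example, not part of the original post or of the Azure CLI; the credentials file (a KEY=value file you create yourself) and the function names are assumptions.

```shell
# Added example, not from the original post. The credentials file and the
# function names are assumptions made for illustration.

# Export the two storage variables from a KEY=value file, but only if the
# file is accessible to its owner alone, so the account key never sits in
# shell history or in a profile script other users can read.
load_storage_creds() {
    _file=$1
    [ -f "$_file" ] || { echo "no such file: $_file" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as a fallback.
    _mode=$(stat -c '%a' "$_file" 2>/dev/null || stat -f '%Lp' "$_file") || return 1
    case $_mode in
        600|400) ;;
        *) echo "refusing $_file: mode $_mode, want 600 or 400" >&2; return 1 ;;
    esac
    _acct=''
    _skey=''
    while IFS= read -r _line || [ -n "$_line" ]; do
        # Split on the first '=' only: base64 keys end in '=' padding.
        case ${_line%%=*} in
            AZURE_STORAGE_ACCOUNT)    _acct=${_line#*=} ;;
            AZURE_STORAGE_ACCESS_KEY) _skey=${_line#*=} ;;
        esac
    done < "$_file"
    if [ -z "$_acct" ] || [ -z "$_skey" ]; then
        echo "$_file must set both variables" >&2
        return 1
    fi
    export AZURE_STORAGE_ACCOUNT="$_acct" AZURE_STORAGE_ACCESS_KEY="$_skey"
}

# Run the upload in a subshell so the key is gone from the environment
# as soon as the command returns.
# Usage: upload_with_creds <creds-file> <local-file> <container> <blob-name>
upload_with_creds() {
    ( load_storage_creds "$1" && shift &&
      azure storage blob upload --file "$1" --container "$2" --blob "$3" )
}
```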
 





