Azure Cheat Sheet
CLI
az login [--tenant <id>]
az login --identity # Login with VM service principal
az account set --subscription <name|id>
az account list # List of subscriptions the account has access to
az account show | jq .id # To see active subscription
az account show --output table
Note: Always set or verify your subscription as “az login” without tenant chooses one without saying.
az aks get-credentials --resource-group <group name> --name <name>
Resources / Groups
az resource list
az resource list --name <name>
az resource list -g <resource group>
az group list
az resource show --name MySubnet --resource-group MyResourceGroup --resource-type "Microsoft.Compute/virtualMachines"
az resource delete --name MyVm --resource-group MyResourceGroup --resource-type "Microsoft.Compute/virtualMachines"
Activity Log
Dump operations needed for creating custom AD roles
az monitor activity-log list --start-time 2020-09-08 --offset 7d | jq -r '.[] | .operationName["value"] ' | sort -u
VMs
Get managed identity token via API
$response = Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' -Method GET -Headers @{Metadata="true"}
AD
az ad sp list --query "[].appDisplayName"
az ad sp list --show-mine --query "[].{id:appId, tenant:appOwnerTenantId}"
ACR
Make an ACR private
az acr --name <name> --public-network-enabled false
Import docker images into a private ACR (works in Azure Shell)
az acr import -n MyRegistry --source docker.io/library/hello-world:latest -t targetrepository:targettag
AKS
az aks list
az aks list | jq -r '.[].name' # Just names
az aks get-credentials --resource-group <resource group> --name <name> # Get kubectl context
az aks create --name <name> --resource-group <group> --enable-managed-identity [--enable-private-cluster]
Keyvaults
az keyvault secret set --vault-name <vault> --name <secret name> --file <secret file> --encoding ascii --only-show-errors --output none
az keyvault secret show --vault-name <vault> --name <secret name>
az keyvault secret purge --vault-name <vault> --name <secret name>
Policies
- Microsoft built-in policies: https://github.com/Azure/azure-policy
- Community policies: https://github.com/Azure/Community-Policy
- AKS OpenPolicyAgent gatekeeper enforced policies: https://docs.microsoft.com/de-de/azure/governance/policy/concepts/policy-for-kubernetes