Monitor Azure AppService log stream from Terminal (using Docker)
Information for those who have trouble opening the Azure portal.
1. Enable log stream in Azure AppService
Immediately after creating the AppService, it was turned off, so enable it from the left menu → App Service log. Blobs may be fine, and I'm not sure what the "detailed error message" means.
2. Check the log stream
Select Log Stream from the left menu and check that the log can be displayed on the web screen. The following figure shows how the bot is deployed while waiting for a log.
3. Log in at Terminal
From now on, we'll work in the client's terminal (PowerShell). Maybe it's okay with the command prompt, and it's okay with macOS.
Since installing the Azure CLI is a hassle, use the provided Docker image. At the next command, launch the Azure CLI container and enter bash.
docker run -it mcr.microsoft.com/azure-cli
bash-5.0#
4. Log in to Azure and create what is called a "service principal"
You must log in to Azure from the CLI to access the AppService log stream. Create something called a "service principal" so that you can log in without any interaction with the user.
First, log in to Azure interactively.
bash-5.0# az login
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code GD3M62X89 to authenticate.
Is displayed, access the URL, enter the code, and log in with a browser.
After logging in, run the following command:
bash-5.0# az ad sp create-for-rbac --name <your-service-principal-name>
Give my-first-principal.
When executed,
Since the result like
- appId
- password
- tenant
Make a note of.
5. Set the authority of the service principal
The service principal you created has the "Contributor" role, and you just want to see the log, but it's over-privileged and dangerous, so run the following command to change the role: ..
bash-5.0# az role assignment create --assignee <appId> --role "Website Contributor"
bash-5.0# az role assignment delete --assignee <appId> --role "Contributor"
The role Website Contributor just reads the AppService log. It seems that you can also create and manage websites, but I compromise because I couldn't find any other suitable built-in roles. Perhaps you can only allow more desired functionality in ways other than built-in roles.
6. Log in with the Azure CLI using appId, password, tenant
Log in "non-interactively" with the Azure CLI using the information you noted in step 4.
First, log out.
bash-5.0# az logout
Log in with appId, password, tenant.
bash-5.0# az login --service-principal --username <appId> --password "<password>" --tenant <tenant>
Since password contains symbols etc., it is safer to enclose it in "".
7. Monitor the AppService log stream from the Terminal
bash-5.0# az webapp log tail --name <AppService name>--resource-group <Resource Group name>
The following figure shows an AppService log stream being monitored in Windows Terminal. You can now see the console output of AppService as well as the web screen.
8. Make it possible to call monitoring in one shot
It is troublesome to docker run, az login, and az webapp log, so let's execute it with a single command. It's easier to use docker-compose.
Create an appropriate directory (here, the log directory), create log_tail.sh in it, and write the following contents.
log_tail.sh
#!/bin/bash
az login --service-principal \
--username "c22b88da-35d7-4044-xxx-xxxxxxxx" \
--password "xxxxxxxxxxxxxxxxxxxxx" \
--tenant "da519484-d2e7-4d6b-xxxx-xxxxxxxx" \
--output none
az webapp log tail \
--name mybot001 \
--resource-group my_bot_001_rc
Replace the parameter part with your own environment described above.
We also added --output none to az login. I lost it because it was annoying that the login completion result was output.
Next, create docker-compose.yml in the same directory and write the following contents.
docker-compose.yml
version: '2'
services:
log-tail:
image: mcr.microsoft.com/azure-cli
volumes:
- .:/work
working_dir: /work
command: bash log_tail.sh
Define the container from the Azure CLI image and run log_tail.sh at startup.
Do this in Terminal.
#Go to the log directory and then run
cd log
docker-compose run --rm log-tail
#Run from outside the log directory
cd ..
docker-compose -f ./log/docker-compose.yml run --rm log-tail
Now you can monitor the AppService log in one shot. I'm doing bot development in node.js, so I registered in the scripts in package.json for:
{
"name": "my-bot",
"version": "1.0.0",
"scripts": {
"log-tail": "docker-compose -f ./scripts/log/docker-compose.yml run --rm log-tail",
<Omitted below>
It can be called with npm run log-tail or yarn log-tail. It has become very convenient.
** Note: ** I have written confidential information such as password directly in log_tail.sh, so I should go out to environment variables. .. ..
9. Delete the service principal
If you no longer use it or find it to be abused, remove the service principal and disable non-interactive login.
- First, perform the dialogue
az login. - Next, use
az ad sp list --allto display the list of service principals (Customize output results (https://dev.classmethod.jp/articles/form-aws-cli). -output-by-jmespath /) It seems that you can adjust it to make it easier to see, but it was too difficult for me ...,--display-name my-firstis easy to narrow down). - Find the service principal you want and make a note of the appID.
- To change the password etc., execute
az ad sp credential reset --name <appID>. A new password will be issued. - To delete the principal, run
az ad sp delete --id <appID>.
reference
-Enable diagnostic logging --Azure App Service | Microsoft Docs -[Using Azure Service Principals with Azure CLI | Microsoft Docs](https://docs.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli?view= azure-cli-latest # create-a-service-principal) --Azure built-in roles --Azure RBAC | Microsoft Docs -[Sign in using Azure CLI | Microsoft Docs](https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli?view=azure-cli-latest#sign- in-with-credentials-on-the-command-line) -Streaming logs from Azure App Service | Microsoft Docs