Information for those who have trouble opening the Azure portal.
Logging is turned off immediately after the App Service is created, so enable it from the left menu → App Service log. Blob may be fine as well, and I'm not sure what the "detailed error message" means.
Select Log Stream from the left menu and check that the log can be displayed on the web screen. The following figure shows how the bot is deployed while waiting for a log.
From here on, we work in a terminal on the client machine (PowerShell). The command prompt is probably fine too, and so is macOS.
Since installing the Azure CLI is a hassle, use the provided Docker image. The following command launches the Azure CLI container and drops you into bash.
docker run -it mcr.microsoft.com/azure-cli
bash-5.0#
You must log in to Azure from the CLI to access the AppService log stream. Create something called a "service principal" so that you can log in without any interaction with the user.
First, log in to Azure interactively.
bash-5.0# az login
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code GD3M62X89 to authenticate.
When this is displayed, open the URL, enter the code, and log in with a browser.
After logging in, run the following command:
bash-5.0# az ad sp create-for-rbac --name <your-service-principal-name>
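For <your-service-principal-name>, give a name such as my-first-principal.
When executed, a result is displayed. Make a note of it; the appId, password and tenant values are used for the login below.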
The service principal you created has the "Contributor" role. Since all you want is to see the log, this is over-privileged and dangerous, so run the following commands to change the role:
bash-5.0# az role assignment create --assignee <appId> --role "Website Contributor"
bash-5.0# az role assignment delete --assignee <appId> --role "Contributor"
The Website Contributor role can read the App Service log. It seems that it can also create and manage websites, but I compromised because I couldn't find any other suitable built-in role. Perhaps something other than a built-in role would let you allow only the functionality you want.
Log in "non-interactively" with the Azure CLI using the information you noted in step 4.
First, log out.
bash-5.0# az logout
Log in with appId, password, tenant.
bash-5.0# az login --service-principal --username <appId> --password "<password>" --tenant <tenant>
Since the password contains symbols and the like, it is safer to enclose it in "".
bash-5.0# az webapp log tail --name <AppService name> --resource-group <Resource Group name>
The following figure shows an AppService log stream being monitored in Windows Terminal. You can now see the console output of AppService as well as the web screen.
Running docker run, az login, and az webapp log each time is tedious, so let's do it all with a single command. docker-compose makes this easy.
Create an appropriate directory (here, the log directory), create log_tail.sh in it, and write the following contents.
log_tail.sh
#!/bin/bash
az login --service-principal \
--username "c22b88da-35d7-4044-xxx-xxxxxxxx" \
--password "xxxxxxxxxxxxxxxxxxxxx" \
--tenant "da519484-d2e7-4d6b-xxxx-xxxxxxxx" \
--output none
az webapp log tail \
--name mybot001 \
--resource-group my_bot_001_rc
Replace the parameter values with those of your own environment, as noted above.
We also added --output none to az login. I suppressed it because it was annoying that the login completion result was output.
Next, create docker-compose.yml in the same directory and write the following contents.
docker-compose.yml
version: '2'
services:
  log-tail:
    image: mcr.microsoft.com/azure-cli
    volumes:
      - .:/work
    working_dir: /work
    command: bash log_tail.sh
This defines a container from the Azure CLI image and runs log_tail.sh at startup.
Run it from the terminal.
#Go to the log directory and then run
cd log
docker-compose run --rm log-tail
#Run from outside the log directory
cd ..
docker-compose -f ./log/docker-compose.yml run --rm log-tail
Now you can monitor the AppService log in one shot. I'm doing bot development in node.js, so I registered it in the scripts section of package.json:
{
  "name": "my-bot",
  "version": "1.0.0",
  "scripts": {
    "log-tail": "docker-compose -f ./scripts/log/docker-compose.yml run --rm log-tail",
    <Omitted below>
It can be called with npm run log-tail or yarn log-tail. It has become very convenient.
**Note:** I have written confidential information such as the password directly in log_tail.sh, so it should be moved out to environment variables.
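One way to act on that note, as an added example that is not part of the original post: log_tail.sh takes the credentials from environment variables, which docker-compose can inject from an env file kept out of version control. The variable names, the log_tail.env file name and the "run" argument are assumptions made for this example.

```shell
#!/bin/bash
# log_tail.sh variant: credentials come from environment variables instead of
# being written into the script (added example, not the original author's code).
#
# Assumed names: AZ_SP_APP_ID, AZ_SP_PASSWORD, AZ_SP_TENANT, AZ_WEBAPP_NAME,
# AZ_RESOURCE_GROUP, the file log_tail.env and the "run" argument.
# docker-compose.yml can inject them from a file kept out of version control:
#   log-tail:
#     env_file: ./log_tail.env   # KEY=value lines; chmod 600; add to .gitignore
#     command: bash log_tail.sh run

REQUIRED_VARS="AZ_SP_APP_ID AZ_SP_PASSWORD AZ_SP_TENANT AZ_WEBAPP_NAME AZ_RESOURCE_GROUP"

# Print the names (never the values) of required variables that are unset or
# empty. The body runs in a subshell, so its helper variables do not leak.
missing_vars() (
  missing=""
  for name in $REQUIRED_VARS; do   # unquoted on purpose: split into names
    eval "value=\${$name:-}"       # safe: $name only comes from the fixed list
    [ -n "$value" ] || missing="${missing:+$missing }$name"
  done
  printf '%s' "$missing"
)

main() {
  missing="$(missing_vars)"
  if [ -n "$missing" ]; then
    echo "log_tail.sh: missing environment variables: $missing" >&2
    return 1
  fi
  # Quoted expansions pass symbols in the password through unchanged.
  az login --service-principal \
    --username "$AZ_SP_APP_ID" \
    --password "$AZ_SP_PASSWORD" \
    --tenant "$AZ_SP_TENANT" \
    --output none || return 1
  az webapp log tail \
    --name "$AZ_WEBAPP_NAME" \
    --resource-group "$AZ_RESOURCE_GROUP"
}

# Act only when called as "log_tail.sh run"; sourcing the file has no effect.
if [ "${1:-}" = "run" ]; then
  main
fi
```

With this layout the script itself can be committed, and rotating the password only means editing log_tail.env.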
If you no longer use it or find it to be abused, remove the service principal and disable non-interactive login.
Log in with az login.
Run az ad sp list --all to display the list of service principals (it seems you can customize the output results (https://dev.classmethod.jp/articles/form-aws-cli-output-by-jmespath/) to make it easier to read, but it was too difficult for me; narrowing down with --display-name my-first is easy).
Run az ad sp credential reset --name <appID>. A new password will be issued.
Run az ad sp delete --id <appID>.