This article answers commonly asked questions about Azure Developer CLI.
General
How do I uninstall Azure Developer CLI?
There are different options for uninstalling azd
depending on how you originally installed it. Visit the installation page for details.
What's the difference between the Azure Developer CLI and the Azure CLI?
Azure Developer CLI (azd
) and Azure CLI (az
) are both command-line tools, but they help you do different tasks.
azd
focuses on the high level developer workflow. Apart from provisioning/managing Azure resources, azd
helps to stitch cloud components, local development configuration, and pipeline automation together into a complete solution.
Azure CLI is a control plane tool for creating and administering Azure infrastructure such as virtual machines, virtual networks, and storage. The Azure CLI is designed around granular commands for specific administrative tasks.
What is an environment name?
Azure Developer CLI uses an environment name to set the AZURE_ENV_NAME
environment variable that's used by Azure Developer CLI templates. AZURE_ENV_NAME is also used to prefix the Azure resource group name. Because each environment has its own set of configurations, Azure Developer CLI stores all configuration files in environment directories.
├── .Azure [This directory displays after you run add init or azd up]
│ ├── <your environment1> [A directory to store all environment-related configurations]
│ │ ├── .env [Contains environment variables]
│ │ └── main.parameters.json [A parameter file]
│ └── <your environment2> [A directory to store all environment-related configurations]
│ │ ├── .env [Contains environment variables]
│ │ └── main.parameters.json [A parameter file]
│ └──config.json
Can I set up more than one environment?
Yes. You can set up a various environments (for example, dev, test, production). You can use azd env
to manage these environments.
Where is the environment configuration (.env) file stored?
The .env file path is <your-project-directory-name>\.azure\<your-environment-name>\.env
.
How is the .env file used?
In Azure Developer CLI, the azd
commands refer to the .env file for environment configuration. Commands such as azd deploy
also update the .env file with, for example, the db connection string and the Azure Key Vault endpoint.
I have run `azd up` in Codespaces. Can I continue my work in a local development environment?
Yes. You can continue development work locally.
- Run
azd init -t <template repo>
to clone the template project to your local machine. - To pull down the existing env created using Codespaces, run
azd env refresh
. Make sure you provide the same environment name, subscription and location as before.
How is the azure.yaml file used?
The azure.yaml file describes the apps and types of Azure resources that are included in the template.
What is the behavior of the `secretOrRandomPassword` function?
The secretOrRandomPassword
function retrieves a secret from Azure Key Vault if parameters for the key vault name and secret are provided. If these parameters aren't provided or a secret can't be retrieved, the function returns a randomly generated password to use instead.
The following example demonstrates a common use case of the secretOrRandomPassword
in a main.parameters.json
file. The ${AZURE_KEY_VAULT_NAME}
and sqlAdminPassword
variables are passed as parameters for the names of the Key Vault and secret. If the value can't be retrieved, a random password is generated instead.
"sqlAdminPassword": {
"value": "$(secretOrRandomPassword ${AZURE_KEY_VAULT_NAME} sqlAdminPassword)"
}
The output of secretOrRandomPassword
should also be saved to Key Vault using Bicep for future runs. Retrieving and reusing the same secrets across deploys can prevent errors or unintended behaviors that can surface when repeatedly generating new values. To create a Key Vault and store the generated secret in it, use the Bicep code below. You can view the full sample code for these modules in the Azure Developer CLI GitHub repository.
module keyVault './core/security/keyvault.bicep' = {
name: 'keyvault'
scope: resourceGroup
params: {
name: '${take(prefix, 17)}-vault'
location: location
tags: tags
principalId: principalId
}
}
module keyVaultSecrets './core/security/keyvault-secret.bicep' = {
name: 'keyvault-secret-sqlAdminPassword'
scope: resourceGroup
params: {
keyVaultName: keyVault.outputs.name
name: 'sqlAdminPassword'
secretValue: sqlAdminPassword
}
}]
This Bicep setup enables the following workflow for managing your secrets:
- If the specified secret exists, it's retrieved from Key Vault using the
secretOrRandomPassword
function. - If the secret doesn't exist, a Key Vault is created, and the randomly generated secret is stored inside of it.
- On future deploys, the
secretOrRandomPassword
method retrieves the stored secret now that it exists in Key Vault. The Key Vault won't be recreated if it already exists, but the same secret value will be stored again for the next run.
Can I use Azure Free Subscription?
Yes, but each Azure location can only have one deployment. If you've already used the selected Azure location, you'll see the deployment error:
InvalidTemplateDeployment: The template deployment '<env_name>' isn't valid according to the validation procedure. The tracking ID is '<tracking_id>'. See inner errors for details.
You can select a different Azure location to fix the issue.
My app hosted with Azure App Service is triggering a "Deceptive site ahead" warning. How can I fix it?
This might happen because of our method for naming resources.
Our 'Azure Dev' authored templates allow for configuring the name of the resource. To do so, you can add an entry to the main.parameters.json
in the infra
folder. For example:
"webServiceName": {
"value": "my-unique-name"
}
This entry creates a new resource named "my-unique-name" instead of a randomized value such as "app-web-aj84u2adj" the next time you provision your application. You can either manually remove the old resource group using the Azure portal or run azd down
to remove all previous deployments. After removing the resources, run azd provision
to create them again with the new name.
This name will need to be globally unique, otherwise you will receive an ARM error during azd provision
when it tries to create the resource.
Command: azd provision
How does the command know what resources to provision?
The command uses Bicep templates, which are found under <your-project-directory-name>/infra
to provision Azure resources.
Where can I find what resources are provisioned in Azure?
Go to https://portal.azure.com and then look for your resource group, which is rg-<your-environment-name>
.
How do I find more information about Azure errors?
We use Bicep templates, which are found under <your-project-directory-name>/infra
, to provision Azure resources. If there are issues, we include the error message in the CLI output.
You can also go to https://portal.azure.com and then look for your resource group, which is rg-<your-environment-name>
. If any of the deployments fail, select the error link to get more information.
For other resources, see Troubleshoot common Azure deployment errors - Azure Resource Manager.
Is there a log file for `azd provision`?
Coming soon. This feature is planned for a future release.
Command: azd deploy
Can I rerun this command?
Yes.
How does azd find the Azure resource to deploy my code to?
During deploy, azd
first discovers all the resource groups that make up your application by looking for groups tagged with azd-env-name
and with a value that matches the name of your environment. Then, it enumerates all the resources in each of these resource groups, looking for a resource tagged with azd-service-name
with a value that matches the name of your service from azure.yaml
.
While we recommend using tags on resources, you can also use the resourceName
property in azure.yaml
to provide an explicit resource name. In that case, the above logic isn't run.
How do I deploy specific services in my project while skipping others?
When deploying your project, you can choose to deploy specific services either by specifying the service name in the command (i.e. azd deploy api
) or by navigating to a subfolder that contains just the service(s) you want to deploy. When doing so, all other services will be listed as - Skipped
.
If you don't want to skip any services, be sure to either run your command from the root folder or add the --all
flag to your command.
Command: azd up
Can I rerun `azd up`?
Yes. We use the incremental deployment mode.
How do I find the log file for `azd up`?
Coming soon. This feature is planned for a future release.
Command: azd pipeline
What is an Azure service principal?
An Azure service principal is an identity that's created for use with apps, hosted services, and automated tools to access Azure resources. This access is restricted by the roles that are assigned to the service principal, which gives you control over which resources can be accessed and at which level. For more information about authenticating from Azure to GitHub, see Connect GitHub and Azure | Microsoft Docs.
Do I need to create an Azure service principal before I run `azd pipeline config`?
No. The azd pipeline config
command takes care of creating the Azure service principal and performing the necessary steps to store the secrets in your GitHub repo.
What are all the secrets stored in GitHub?
The command stores four secrets in GitHub: AZURE_CREDENTIALS, AZURE_ENV_NAME, AZURE_LOCATION, and AZURE_SUBSCRIPTION_ID. You can override the value of each secret by going to https://github.com/<your-GH-account>/<your-repo>/secrets/actions
.
What is OpenID Connect (OIDC), and is it supported?
With OpenID Connect, your workflows can exchange short-lived tokens directly from Azure.
While OIDC is supported as the default for GitHub Actions and Azure Pipeline (set as federated), it isn't supported for Azure DevOps or Terraform.
- For Azure DevOps, explicitly calling out
--auth-type
asfederated
will result in an error. - For Terraform:
- If
--auth-type
isn't defined, it will fall back toclientcredentials
and will result in a warning. - If
--auth-type
is explicitly set tofederated
, it will result in an error.
- If
How do I reset the Azure service principal that's stored in GitHub Actions?
Go to https://github.com/<your-GH-account>/<your-repo>settings/secrets/actions
, and then update AZURE_CREDENTIALS
by copying and pasting the entire JSON object for the new service principal. For example:
{
"clientId": "<GUID>",
"clientSecret": "<GUID>",
"subscriptionId": "<GUID>",
"tenantId": "<GUID>",
(...)
}
Where is the GitHub Actions file stored?
The GitHub Actions file path is <your-project-directory-name>\.github\workflows\azure-dev.yml
.
In the azure-dev.yml file, can I deploy just the code in the build step?
Yes. Replace run: azd up --no-prompt
with run: azd deploy --no-prompt
.
Where can I find the log for the GitHub Actions job that I triggered when I ran `azd pipeline config`?
Go to https://github.com/<your-GH-account>/<your-repo>/actions
, and then refer to the log file in the workflow run.
Building a container application locally
Why am I unable to locally run the container app that I'm building?
When building container applications locally, you need to run azd auth login
in the container for the application to work
with the AzureDeveloperCliCredential
. Alternatively, you could configure your application to use a service principal
instead of the AzureDeveloperCliCredential
.