Stumbling blocks with Azure CLI on the AzureUSGovernment Cloud

This is foremost a note to my future self, a reference for the next time I get stuck. If someone else finds it via a search engine, bonus!

Using the Azure CLI (command line interface) on Microsoft’s Azure Government cloud is mostly like using their regular, non-gov cloud. Cloud computing on Azure has been a positive experience for me overall. But I’ve gotten burned a few times when the gov cloud operation needs a different command than what’s shown in the official Azure CLI docs.

Each case took me several unhappy hours to figure out. The reason I was seeing a certain error message was unrelated to the reasons other people on the internet were served the same message. No one on StackOverflow asks, “might you be using the Azure gov cloud?”

1) Start by setting your cloud to AzureUSGovernment

I set up Azure Managed Identity for a virtual machine. Then I log into that VM and run az login --identity. I get the unhelpful error message:

No access was configured for the VM, hence no subscriptions were found. If this is expected, use '--allow-no-subscriptions' to have tenant level access.

The solution: run the command az cloud set --name AzureUSGovernment.

This one has tripped me up several times. The first was last year, before I gave up trying to run docker-compose deployments on Azure Container Instances through the compose CLI. I created a GitHub issue with the problem, the solution, and a request that this be added to the compose-cli docs. No response. Now the docker compose integration with ACI is being retired. Seems reasonable, as it had failed to meet my needs.

2) Storage blob accounts have a different URL format on the gov cloud

I was following the quickstart guide for the Azure Blob Storage library for Python. It worked until I got to the part that said to set my account_url like this:

account_url = "https://<storageaccountname>.blob.core.windows.net"

No luck: the storage account was never found. Eventually I was poking around the container in the Azure Portal web UI and noticed that my test file was available for download at a URL that followed a different format. For an Azure Government Cloud storage blob account, the format is:

https://<storageaccountname>.blob.core.usgovcloudapi.net

Note the different domain name. That string worked for my account URL and I could write files to blob storage.
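One way to avoid hardcoding the domain is to derive it from the active cloud's own metadata and reject any configured URL that points at a different cloud. This is an added example, not code from the original post: it assumes the JSON printed by az cloud show -o json carries the storage domain under suffixes.storageEndpoint, the function names are hypothetical, and the two JSON samples are constructed and trimmed to the fields used.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed samples, trimmed to the fields this example reads from
# `az cloud show -o json` (assumed shape: suffixes.storageEndpoint).
SAMPLE_GOV = '{"name": "AzureUSGovernment", "suffixes": {"storageEndpoint": "core.usgovcloudapi.net"}}'
SAMPLE_PUBLIC = '{"name": "AzureCloud", "suffixes": {"storageEndpoint": "core.windows.net"}}'

# Storage account names are 3-24 lowercase letters and digits.
_ACCOUNT_RE = re.compile(r"[a-z0-9]{3,24}")


def storage_suffix(cloud_json: str) -> str:
    """Return the storage endpoint suffix of the cloud described by cloud_json."""
    cloud = json.loads(cloud_json)
    suffix = (cloud.get("suffixes") or {}).get("storageEndpoint")
    if not suffix:
        raise ValueError(f"cloud {cloud.get('name')!r} has no storageEndpoint suffix")
    return suffix.strip(".").lower()


def blob_account_url(account: str, cloud_json: str) -> str:
    """Build the blob account_url for `account` in the given cloud."""
    if not _ACCOUNT_RE.fullmatch(account):
        raise ValueError(f"invalid storage account name: {account!r}")
    return f"https://{account}.blob.{storage_suffix(cloud_json)}"


def check_account_url(url: str, cloud_json: str) -> str:
    """Return url unchanged if it is an https blob endpoint of this cloud, else raise."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"account_url must use https: {url!r}")
    host = (parts.hostname or "").lower()
    tail = ".blob." + storage_suffix(cloud_json)
    # Everything before the expected tail must be a bare account name,
    # which rules out other clouds and extra subdomain labels.
    account = host[: -len(tail)] if host.endswith(tail) else ""
    if not _ACCOUNT_RE.fullmatch(account):
        raise ValueError(f"{host!r} is not a blob endpoint under {tail!r}")
    return url


if __name__ == "__main__":
    print(blob_account_url("mystorageacct", SAMPLE_GOV))
    print(blob_account_url("mystorageacct", SAMPLE_PUBLIC))
```
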

That’s all, though perhaps I’ll extend this post if I stumble over a new aspect of the gov cloud differing from regular Azure.