Azure CLI support for Serial Console?

[sangram-pawar]

Serial Console feature is a charm when comes to triaging/debugging the production issues as well as during development cycles.

An enhancement would be to make this feature available via Azure CLI so we don't have to log in to the portal to connect to the console.

[cloudbooster]

Thanks @sangram-pawar we have this in our roadmap and will provide updates in the upcoming releases.

[mvogelsang]

Hi my company is definitely in need of a functionality like this. being able connect to a machine without giving it a public address or putting it on a network with a publicly available gateway would be huge. a command like "az vm serial MY_INSTANCENAME" and "az vm scp /local/file_ user@remote_instance" would be fantastic. It's been a year. Is there any general update on this?

[eschwartz]

For reference / comparison: AWS Session Manager allows something like this via the CLI: https://docs.aws.amazon.com/cli/latest/reference/ssm/start-session.html

[asinn826]

Hey @mvogelsang, @eschwartz, we're currently investigating this work and seeing what we can do to make az cli serial console happen. It's looking promising, so I wanted to check in and see if you folks had any requirements/input/feedback to share for us to take into consideration.

[dwizzle204]

This work moved past investigation phase?

[asinn826]

@dwizzle204 thanks for checking in. We have had to deprioritize this work for now due to other items that demanded our immediate attention. FWIW this is still in our backlog but I don't have an eta when we'll get to it.

[asinn826]

One more note I'll add - it is currently possible to download a read-only serial log of a VM by going to the VM's boot diagnostics storage account, going to the boot diagnostics blob within the storage account, and downloading the serial log in the blob. You can do this both within the portal (within the boot diagnostics blade) or via CLI (https://docs.microsoft.com/en-us/cli/azure/storage/blob?view=azure-cli-latest#az-storage-blob-download, you'll need parameters like the name of the storage account and a connection string).

[dwizzle204]

Thanks for the update.

The goal was to provide console ability to VM support teams through a SPN instead of their individual portal accounts.

Side question is their a direct RBAC permissions that grants serial console access without giving the Virtual Machine Contributor role?

[asinn826]

I see - programmatic access to serial console outside of the portal isn't available unfortunately and it might be a while before we have a chance to tackle that work item. I think it might be possible to grant a service principal access to a storage account and programmatically pull the serial logs, but that doesn't give any interactivity with the console itself.

Regarding RBAC - technically, serial console only requires Microsoft.Compute/virtualMachines/*/write, Microsoft.Compute/virtualMachines/*/read, and Microsoft.Storage/storageAccounts/* so you could create a custom role with those actions and the then assign the custom role to identities. However, we are working on updates to our resource provider that will ultimately remove the need for creating a custom role in favor of a native Serial Console role. So for now you could create a custom role but know that it might get broken once we roll out our resource provider improvements (this is still roughly a few months out).

[ccater]

My company loves Azure, but we actually run a custom OS on the platform, enabling serial access using the CLI similar to what is available on GCP would allow us to do more amazing debugging!

Thanks please enable this feature!

[andyleejordan]

Is this issue in particular about interacting with the serial console (sending commands to it?)

If someone else (like me) comes along and is simply wondering how to easily download the serial console log for inspection, it's amazingly available:

az vm boot-diagnostics get-boot-log -n vmName -g resourceGroupName

[ccater]

Is this issue in particular about interacting with the serial console (sending commands to it?)

If someone else (like me) comes along and is simply wondering how to easily download the serial console log for inspection, it's amazingly available:

az vm boot-diagnostics get-boot-log -n vmName -g resourceGroupName

Yes, its ideally about interacting with the serial console using a linux based tool that we can program against would be ideal.

[mbifeld]

Azure CLI now supports connecting to Serial Console. Documentation here: https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/windows/serial-console-overview#access-serial-console-via-azure-cli. Closing issue