az iot ops
Note
This reference is part of the azure-iot-ops extension for the Azure CLI (version 2.46.0 or higher). The extension will automatically install the first time you run an az iot ops command. Learn more about extensions.
This command group is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Manage Azure IoT Operations.
Azure IoT Operations is a set of highly aligned, but loosely coupled, first-party Kubernetes services that enable you to aggregate data from on-prem assets into an industrial-grade MQTT Broker, add edge compute and set up bi-directional data flow with a variety of services in the cloud.
By default IoT Operations CLI commands will periodically check to see if a new extension version is available.
This behavior can be disabled with az config set iotops.check_latest=false.
Commands
| Name | Description | Type | Status |
|---|---|---|---|
| az iot ops asset |
Manage assets. |
Extension | Preview |
| az iot ops asset create |
Create an asset. |
Extension | Preview |
| az iot ops asset data-point |
Manage data points in an asset. |
Extension | Preview |
| az iot ops asset data-point add |
Add a data point to an asset. |
Extension | Preview |
| az iot ops asset data-point list |
List data points in an asset. |
Extension | Preview |
| az iot ops asset data-point remove |
Remove a data point in an asset. |
Extension | Preview |
| az iot ops asset delete |
Delete an asset. |
Extension | Preview |
| az iot ops asset endpoint |
Manage asset endpoint profiles. |
Extension | Preview |
| az iot ops asset endpoint certificate |
Manage owned certificates in an asset endpoint. |
Extension | Preview |
| az iot ops asset endpoint certificate add |
Add an owned certificate to an asset endpoint. |
Extension | Preview |
| az iot ops asset endpoint certificate list |
List owned certificates in an asset endpoint. |
Extension | Preview |
| az iot ops asset endpoint certificate remove |
Remove an owned certificate in an asset endpoint. |
Extension | Preview |
| az iot ops asset endpoint create |
Create an asset endpoint. |
Extension | Preview |
| az iot ops asset endpoint delete |
Delete an asset endpoint. |
Extension | Preview |
| az iot ops asset endpoint query |
Query the Resource Graph for asset endpoints. |
Extension | Preview |
| az iot ops asset endpoint show |
Show an asset endpoint. |
Extension | Preview |
| az iot ops asset endpoint update |
Update an asset endpoint. |
Extension | Preview |
| az iot ops asset event |
Manage events in an asset. |
Extension | Preview |
| az iot ops asset event add |
Add an event to an asset. |
Extension | Preview |
| az iot ops asset event list |
List events in an asset. |
Extension | Preview |
| az iot ops asset event remove |
Remove an event in an asset. |
Extension | Preview |
| az iot ops asset query |
Query the Resource Graph for assets. |
Extension | Preview |
| az iot ops asset show |
Show an asset. |
Extension | Preview |
| az iot ops asset update |
Update an asset. |
Extension | Preview |
| az iot ops check |
Evaluate cluster-side runtime health of deployed IoT Operations services. |
Extension | Preview |
| az iot ops init |
Bootstrap, configure and deploy IoT Operations to the target arc-enabled cluster. |
Extension | Preview |
| az iot ops mq |
MQ specific tools. |
Extension | Preview |
| az iot ops mq get-password-hash |
Generates a PBKDF2 hash of the passphrase applying PBKDF2-HMAC-SHA512. A 128-bit salt is used from os.urandom. |
Extension | Preview |
| az iot ops mq stats |
Show dmqtt running statistics. |
Extension | Preview |
| az iot ops support |
IoT Operations support command space. |
Extension | Preview |
| az iot ops support create-bundle |
Creates a standard support bundle zip archive for use in troubleshooting and diagnostics. |
Extension | Preview |
| az iot ops verify-host |
Runs a set of cluster host verifications for IoT Operations deployment compatibility. |
Extension | Preview |
az iot ops check
Command group 'iot ops' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Evaluate cluster-side runtime health of deployed IoT Operations services.
The command by default shows a human friendly summary view of the selected service.
More detail can be requested via --detail-level.
{Supported service APIs}
- akri.sh/[v0]
- dataprocessor.iotoperations.azure.com/[v1]
- deviceregistry.microsoft.com/[v1beta1]
- layerednetworkmgmt.iotoperations.azure.com/[v1beta1]
- mq.iotoperations.azure.com/[v1beta1]
- opcuabroker.iotoperations.azure.com/[v1beta1].
az iot ops check [--as-object {false, true}]
[--context]
[--detail-level {0, 1, 2}]
[--ops-service {akri, dataprocessor, deviceregistry, lnm, mq, opcua}]
[--post {false, true}]
[--pre {false, true}]
[--resource-name]
[--resources {asset, assetendpointprofile, assettype, broker, brokerlistener, configuration, datalakeconnector, dataset, diagnosticservice, instance, kafkaconnector, lnm, mqttbridgeconnector, pipeline}]Examples
Basic usage. Checks `mq` health with summary output.
az iot ops checkEvaluates `mq` like prior example, however output is optimized for CI.
az iot ops check --as-objectChecks `dataprocessor` health and configuration with detailed output.
az iot ops check --svc dataprocessor --detail-level 1Same as prior example, except constraining results to the `pipeline` resource.
az iot ops check --svc dataprocessor --detail-level 1 --resources pipelineUse resource name to constrain results to `pipeline` resource exactly matching name `pipeline`.
az iot ops check --svc dataprocessor --resources pipeline --resource-name pipelineUse resource name to constrain results to resource names that start with `pipeline-name`.
az iot ops check --svc dataprocessor --detail-level 1 --resource-name pipeline-name*Use '?' glob pattern to constrain results to resource names that contain `pipeline` and end with a single character.
az iot ops check --svc dataprocessor --detail-level 1 --resource-name pipeline?Optional Parameters
Output check content and validations in a CI friendly data structure.
Kubeconfig context name to use for k8s cluster communication. If no context is provided current_context is used.
Controls the level of detail displayed in the check output. Choose 0 for a summary view (minimal output), 1 for a detailed view (more comprehensive information), or 2 for a verbose view (all available information).
The IoT Operations service deployment that will be evaluated.
Run post-deployment checks.
Run pre-requisite checks to determine if the minimum requirements of a service deployment are fulfilled.
Only run checks for the specific resource name. The name is case insensitive. Glob patterns '' and '?' are supported. Note: Only alphanumeric characters, hyphens, '?' and '' are allowed.
Only run checks on specific resource kinds. Use space-separated values.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az iot ops init
Command group 'iot ops' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Bootstrap, configure and deploy IoT Operations to the target arc-enabled cluster.
For additional resources including how to arc-enable a cluster see https://learn.microsoft.com/en-us/azure/iot-operations/deploy-iot-ops/howto-prepare-cluster.
az iot ops init --cluster
--resource-group
[--ca-dir]
[--ca-file]
[--ca-key-file]
[--ca-valid-days]
[--cluster-namespace]
[--context]
[--custom-location]
[--disable-rotation {false, true}]
[--disable-rsync-rules {false, true}]
[--dp-instance]
[--ensure-latest {false, true}]
[--kubernetes-distro {k3s, k8s, microk8s}]
[--kv-id]
[--kv-spc-secret-name]
[--location]
[--mq-authn]
[--mq-backend-part]
[--mq-backend-rf]
[--mq-backend-workers]
[--mq-broker]
[--mq-frontend-replicas]
[--mq-frontend-server]
[--mq-frontend-workers]
[--mq-insecure {false, true}]
[--mq-instance]
[--mq-listener]
[--mq-mem-profile {high, low, medium, tiny}]
[--mq-mode {auto, distributed}]
[--mq-service-type {clusterIp, loadBalancer, nodePort}]
[--no-block {false, true}]
[--no-deploy {false, true}]
[--no-progress {false, true}]
[--no-tls {false, true}]
[--opcua-discovery-url]
[--rotation-int]
[--runtime-socket]
[--show-template {false, true}]
[--simulate-plc {false, true}]
[--sp-app-id]
[--sp-object-id]
[--sp-secret]
[--sp-secret-valid-days]
[--target]Examples
Minimum input for complete setup. This includes Key Vault configuration, CSI driver deployment, TLS config and deployment of IoT Operations.
az iot ops init --cluster mycluster -g myresourcegroup --kv-id /subscriptions/2cb3a427-1abc-48d0-9d03-dd240819742a/resourceGroups/myresourcegroup/providers/Microsoft.KeyVault/vaults/mykeyvaultSame setup as prior example, except with the usage of an existing app Id and a flag to include a simulated PLC server as part of the deployment. Including the app Id will prevent `init` from creating an app registration.
az iot ops init --cluster mycluster -g myresourcegroup --kv-id $KEYVAULT_ID --sp-app-id a14e216b-6802-4e9c-a6ac-844f9ffd230d --simulate-plcTo skip deployment and focus only on the Key Vault CSI driver and TLS config workflows simple pass in `--no-deploy`. This can be useful when desiring to deploy from a different tool such as Portal.
az iot ops init --cluster mycluster -g myresourcegroup --kv-id $KEYVAULT_ID --sp-app-id a14e216b-6802-4e9c-a6ac-844f9ffd230d --no-deployTo only deploy IoT Operations on a cluster that has already been prepped, simply omit `--kv-id` and include `--no-tls`.
az iot ops init --cluster mycluster -g myresourcegroup --no-tlsUse `--no-block` to do other work while the deployment is on-going vs waiting for the deployment to finish before starting the other work.
az iot ops init --cluster mycluster -g myresourcegroup --kv-id $KEYVAULT_ID --sp-app-id a14e216b-6802-4e9c-a6ac-844f9ffd230d --no-blockTo avoid calling MS Graph such as for CI scenarios where the logged-in to az cli service principal permissions are limited or an existing service principal should be re-used, provide all of `--sp-app-id`, `--sp-object-id` and `--sp-secret`. These values should reflect the desired service principal that will be used for the Key Vault CSI driver setup.
az iot ops init --cluster mycluster -g myresourcegroup --kv-id $KEYVAULT_ID --sp-app-id a14e216b-6802-4e9c-a6ac-844f9ffd230d --sp-object-id 224a7a3f-c63d-4923-8950-c4a85f0d2f29 --sp-secret $SP_SECRETRequired Parameters
Target cluster name for IoT Operations deployment.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Optional Parameters
The local directory the generated test CA and private key will be placed in. If no directory is provided no files will be written to disk. Applicable when no --ca-file and --ca-key-file are provided.
The path to the desired CA file in PEM format.
The path to the CA private key file in PEM format. !Required! when --ca-file is provided.
Option to control the duration in days of the init generated x509 CA. Applicable if --ca-file and --ca-key-file are not provided.
The cluster namespace IoT Operations infra will be deployed to. Must be lowercase.
Kubeconfig context name to use for k8s cluster communication. If no context is provided current_context is used.
The custom location name corresponding to the IoT Operations deployment. The default is in the form '{cluster_name}-ops-init-cl'.
Flag to disable secret rotation.
Resource sync rules will not be included in the deployment.
Instance name for data processor. The default is in the form '{cluster_name}-ops-init-processor'.
Ensure the latest IoT Ops CLI is installed, raising an error if an upgrade is available.
The Kubernetes distro to use for Akri configuration. The selected distro implies the default container runtime socket path when no --runtime-socket value is provided.
Key Vault ARM resource Id. Providing this resource Id will enable the client to setup all necessary resources and cluster side configuration to enable the Key Vault CSI driver for IoT Operations.
The Key Vault secret name to use as the default SPC secret. If the secret does not exist, it will be created with a cryptographically secure placeholder value.
The ARM location that will be used for provisioned RPSaaS collateral. If not provided the connected cluster location will be used.
The mq authN name. The default is 'authn'.
MQ backend partitions.
MQ backend redundancy factor.
MQ backend workers.
The mq broker name. The default is 'broker'.
MQ frontend replicas.
The mq frontend server name. The default is 'mq-dmqtt-frontend'.
MQ frontend workers.
When enabled the mq deployment will include a listener bound to port 1883 with no authN or authZ. The broker encryptInternalTraffic setting will be set to false. For non-production workloads only.
The mq instance name. The default is in the form 'init-{hash}-mq-instance'.
The mq listener name. The default is 'listener'.
MQ memory profile.
MQ mode of operation.
MQ service type.
Return immediately after the IoT Operations deployment has started.
The IoT Operations deployment workflow will be skipped.
Disable init progress bar.
The TLS configuration workflow will be skipped.
Configures an OPC-UA server endpoint for Akri discovery handlers. If not provided and --simulate-plc is set, this value becomes 'opc.tcp://opcplc-000000.{cluster_namespace}:50000'.
Rotation poll interval.
The default node path of the container runtime socket. If not provided (default), the socket path is determined by --kubernetes-distro.
Flag when set, will output the template intended for deployment.
Flag when set, will configure the OPC-UA broker installer to spin-up a PLC server.
Service principal app Id. If provided will be used for CSI driver setup. Otherwise an app registration will be created. Required if the logged in principal does not have permissions to query graph.
Service principal (sp) object Id. If provided will be used for CSI driver setup. Otherwise the object Id will be queried from the app Id - creating the sp if one does not exist. Required if the logged in principal does not have permissions to query graph. Use az ad sp show --id <app Id> --query id -o tsv to produce the proper object Id. Alternatively using Portal you can navigate to Enterprise Applications in your Entra Id tenant.
The secret corresponding to the provided service principal app Id. If provided will be used for CSI driver setup. Otherwise a new secret will be created. Required if the logged in principal does not have permissions to query graph.
Option to control the duration in days of the init generated service principal secret. Applicable if --sp-secret is not provided.
Target name for ops orchestrator. The default is in the form '{cluster_name}-ops-init-target'.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az iot ops verify-host
Command group 'iot ops' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Runs a set of cluster host verifications for IoT Operations deployment compatibility.
Intended to be run directly on a target cluster host. The command may prompt to apply a set of privileged actions such as installing a dependency. In this case the CLI must be run with elevated permissions. For example
sudo AZURE_EXTENSION_DIR=~/.azure/cliextensions az iot ops verify-host.
az iot ops verify-host [--no-progress {false, true}]Optional Parameters
Disable visual representation of work.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for