I'm trying to read and write over a newly created azure table, but I kept getting 403 errors.
I'm using the same account that I used to create the table. I also added the account to the contributors group.
I've tested multiple scopes thinking does might be the issue, such as:
https://storage.azure.com/user_impersonation
https://storage.azure.com/.default
https://osnapdbexamsonthecloud.table.core.windows.net/.default
https://osnapdbexamsonthecloud.table.core.windows.net/user_impersonation
but always got the same error
Here is the requeset I'm sending:
PUT https://osnapdbexamsonthecloud.table.core.windows.net/exams(PartitionKey='Osnap',RowKey='test')
Accept: application/json;odata=fullmetadata
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.5
authorization: Bearer CENSORED
Connection: keep-alive
Content-Length: 27
content-type: application/json
Host: osnapdbexamsonthecloud.table.core.windows.net
Origin: http://localhost:3000
Referer: http://localhost:3000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0
x-ms-version: 2019-02-02
{"id":"test","temp":"test"}
And this is the response I get with status code 403:
{"odata.error":{"code":"AuthorizationPermissionMismatch","message":{"lang":"en-US","value":"This request is not authorized to perform this operation using this permission.\nRequestId:b3310a10-b002-0026-5cf5-3364d8000000\nTime:2023-01-29T15:22:15.9056626Z"}}}
Do you have any idea what I'm doing wrong?
I agree with #Gaurav Mantri, you need to assign Storage Table Data Contributor role to your Service Principal on that storage account.
I tried to reproduce the same in my environment and got the below results:
I have one storage account in which I created a table named exams like below:
Now, I generated an access token via Postman with the below parameters:
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
client_id: <appID>
client_secret: <secret>
grant_type:client_credentials
scope: https://storage.azure.com/.default
Response:
When I used the above token to perform the below operation, I got same error as you like this:
PUT https://sristorage30.table.core.windows.net/exams(PartitionKey='sri',RowKey='test')
Authorization: Bearer <token>
x-ms-version: 2019-02-02
{
"id":"test",
"temp":"test"
}
Response:
To resolve the error, try assigning Storage Table Data Contributor role to your service principal that can be your user account or Azure AD application.
In my case, I assigned that role to the service principal of App type like below:
Go to Azure Portal -> Storage accounts -> Your storage account -> Access control (IAM) -> Add role assignment
If you are performing the operation from your user account, assign that role to the service principal of User type like below:
Related
I created an Azure KeyVault that I want my App Service to be able to access. From what I can tell, the principal of my App Service should have access to the KeyVault, but I always get the following error when trying to retrieve from it. This happens whether I am running locally in Visual Studio or in Azure.
Service request failed. Status: 403 (Forbidden) Content: {"error":{"code":"Forbidden","message":"The policy requires the caller 'appid=MY_APP_ID;oid=MY_PRINCIPAL_ID_STARTING_WITH_1A5 ;iss=https://sts.windows.net/REDACTED_GUID/' to use on-behalf-of (OBO) flow. For more information on OBO, please see https://go.microsoft.com/fwlink/?linkid=2152310","innererror":{"code":"ForbiddenByPolicy"}}} Headers: Pragma: no-cache x-ms-keyvault-region: westus x-ms-client-request-id: REDACTED x-ms-request-id: REDACTED x-ms-keyvault-service-version: 1.2.236.0 x-ms-keyvault-network-info: conn_type=Ipv4;addr=52.155.40.204;act_addr_fam=InterNetwork; Strict-Transport-Security: REDACTED X-Content-Type-Options: REDACTED Content-Length: 387 Cache-Control: no-cache Content-Type: application/json; charset=utf-8 Date: Wed, 21 Apr 2021 20:10:33 GMT Expires: -1 X-Powered-By: REDACTED
I have looked at the linked KB article and it talks about OAUTH`. I am not trying to use OAUTH, so I don't understand why that is relevant.
Here is the access policy in my KeyVault:
Here is the screenshot from the App Service where I configured a principal.
It clearly says at the bottom that it can be configured to access other resources, so I don't understand why it cannot access KeyVault.
Code used to attempt to access.
var kvUri = "https://" + Properties.Settings.Default.KeyVaultName + ".vault.azure.net";
var credential = new DefaultAzureCredential();
var client = new SecretClient(new Uri(kvUri),credential );
var result = client.GetSecret(secret);
When you set access policy, you need to select service principal with only object id (without app id).
See this similar post answer.
I'm trying to get a user delegation SAS token for Azure Storage, using the REST API.
I've got an account, which has the required roles for the storage account, and the account has authenticated successfully and returned a Bearer token from the login endpoint.
When I request the user delegation key, I keep getting the following error:
<?xml version="1.0" encoding="utf-8"?>
<Error>
<Code>InvalidXmlNodeValue</Code>
<Message>The value for one of the XML nodes is not in the correct format.
RequestId:9b7a22e3-601e-0082-7bee-060981000000
Time:2021-02-19T18:38:48.1286734Z</Message>
<XmlNodeName>Expiry</XmlNodeName>
<XmlNodeValue>2021-02-19T19:30:00</XmlNodeValue>
</Error>
The body I'm submitting is copied from the Azure docs, :
<?xml version="1.0" encoding="utf-8"?>
<KeyInfo>
<Start>2021-02-19T18:30:00</Start>
<Expiry>2021-02-19T19:30:00</Expiry>
</KeyInfo>
Any idea what I'm doing wrong or missing for this to be failing?
The roles assigned on Azure are:
And the request headers:
Authorization: Bearer ...
x-ms-version: 2020-04-08
Content-Type: text/xml
User-Agent: PostmanRuntime/7.26.10
Accept: */*
Postman-Token: df276a57-747c-45dd-a849-15ac6ad7b45b
Host: ....blob.core.windows.net
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Length: 147
The issue might be your token life time is too short to get it effective. My suggestion is, set the expiry time more than 8 hours longer than start time.
The value of the expiry time may be a maximum of seven days from the
start time.
Format your expiry time like this:
2021-02-19T19:30:00Z
Refer to: https://learn.microsoft.com/en-us/rest/api/storageservices/formatting-datetime-values
I am working on an Azure Function API that is protected by Azure AD, it's working fine when I request it with browser once I logged in with a valid account, but when I tried with postman it still shows unauthorized access,
I have got an access token to send with the request, but for the scope property I have given is this value, https://graph.microsoft.com/.default which I think might be the problem. But not sure what I am doing wrong and what to put in the scope field in the get new access tokenoption in postman to authenticate to my API.
HTTP Request Postman Making
GET /api/events/active HTTP/1.1
Host: moya-backend-ascentic.azurewebsites.net
Authorization: Bearer ****IHqMgweN86fDnyL4jvz9P6ZllpjjD9t***
User-Agent: PostmanRuntime/7.13.0
Accept: */*
Cache-Control: no-cache
Postman-Token: 655e0672-4928-409e-a709-841a92ee6f14,22cbf978-f196-4099-ae10-d162d3068507
Host: moya-backend-ascentic.azurewebsites.net
accept-encoding: gzip, deflate
Connection: keep-alive
cache-control: no-cache
The scope should be: your-api-client-id/.default.
Replace your-api-client-id with the client id/application id for your API app in Azure AD.
Now since browser-based login seems to be working, you may have setup the wrong kind of authentication on the API.
If the token still doesn't work, you'll need to setup JWT authentication on the app instead of browser/cookie based.
If you are using v2.0 endpoint, the scope should be {your_client_id}/.default. Just like #juunas said.
If you are using v1.0 endpoint, you only need resource parameter. The resource should be {your_client_id}
Note: If you are using the 'get new access token' function in postman, the Access Token URL should be https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
I have a very basic function app that takes a GET and returns some static text. Eventually I would like it to write a POST body to a queue but to keep it simple the function just returns text. If I keep auth off, I can load the url and get a response in my browser or postman. If I enable aad auth within the function app and create a simple app reg then goto the site in my browser I get prompted for auth and I can login interactively; no worries so far.
I would like to access the function using a secret key for application usage with no interactive login, so within the app reg I go to Keys and generate one. This is where my problems start. If I use postman and configure oauth using my app id and key I can get a token, I have verified this also by doing a POST to https://login.microsoftonline.com//oauth2/token directly and noting the bearer token reply. However when I try an access my function app using the bearer token (either by manually adding an Authorization header or letting postman add it from the oauth 2.0 form) I am always denied with a 401 stating 'You do not have permission to view this directory or page.' when I do a GET to my function app. Can someone point me in the right direction? Thanks in advance.
Example reply from login url
{
"token_type": "Bearer",
"expires_in": "3599",
"ext_expires_in": "0",
"expires_on": "1525312644",
"not_before": "1525308744",
"resource": "https://<siteaddress>.azurewebsites.net/",
"access_token": "eyxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx..etc..."
}
Response from get against function app with token
GET /api/t2 HTTP/1.1
> Host: <sitename>.azurewebsites.net
> Authorization: Bearer eyxxxxxxxxxxxxxxxxxxxxxxxxxxxx.....etc....
> Accept: */*
< HTTP/1.1 401 Unauthorized
< Content-Length: 58
< Content-Type: text/html
< WWW-Authenticate: Bearer realm="<sitename>.azurewebsites.net" authorization_uri="https://login.windows.net/<tenantid>/oauth2/authorize" resource_id="<app reg id>"
< X-Powered-By: ASP.NET
< Date: Thu, 03 May 2018 01:12:43 GMT
I believe you're mixing Azure AD integration with function keys (API key authorization).
The latter is a self-contained authorization mechanism and works by appending
?code=<func-key-from-portal>
to the function URL, or by passing a
x-functions-key: <func-key-from-portal>
header with every request to the function. No OAuth is involved when using function keys.
Example:
GET /api/get-issues HTTP/1.1
Host: {funcapp}.azurewebsites.net
User-Agent: ajax-library-of-the-day
x-functions-key: rkW0PqT.....zcUBQ==
or
GET /api/get-issues?code=rkW0PqT.....zcUBQ== HTTP/1.1
Host: {funcapp}.azurewebsites.net
User-Agent: ajax-library-of-the-day
I'm trying to get access tokens for users in order to use the iOS SDK for integrating in-person signings.
Our DocuSign users are set up as Single sign-on. We have a non-SSO, API user configured with the user settings apiAccountWideAccess and allowSendOnBehalfOf enabled.
I request an access token for the non-SSO, API user as follows:
POST /restapi/v2/oauth2/token HTTP/1.1
Host: demo.docusign.net
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
grant_type=password&client_id=<client_id>&scope=api&username=<useranme>&password=<password>
This results in the following response:
{
"access_token": "<access-token>",
"token_type": "bearer",
"scope": "api"
}
I then use the access token from the above response to try to get an access token for an SSO user as follows:
POST /restapi/v2/oauth2/token HTTP/1.1
Host: demo.docusign.net
Authorization: Bearer <access-token-from-response-above>
Accept: application/json
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
grant_type=password&client_id=<client_id>&username=<email-address-of-sso-user>&password=&scope=api
This results in the following response:
{
"errorCode": "UNSPECIFIED_ERROR",
"message": "Object reference not set to an instance of an object."
}
I'm following the documentation here (Obtaining access_tokens for Other Account Users).
Is it possible to get access tokens for the REST API on behalf of SSO users?
Unfortunately you can not use the API as a SSO enabled user at this time.
If you need to use the API as a SSO user, you have to have that user on the SSO Exempt list.
Generally integrations use Send On Behalf Of to authenticate as the API user (that on the exempt list) and makes the calls on behalf of the users who have SSO enabled.
The error doesn't indicate the actual issue and I've filed a bug with DocuSign Support to get that portion addressed.