How can I programmatically get a particular Personal Access Token by name in a notebook from within Databricks? I don't need to see the token, I just need to be able to pass it to another function.
Related
I am currently experimenting with Databricks. I'd like to leverage the Python SQL Connector to allow external APIs to access certain tables through Databricks.
Using the Python SQL Connector requires the use of a Personal Access Token to authenticate with Databricks.
The issue here is I do not want the access token for a service to be tied to my personal identity, ideally I'd like the access token to be attached to a service identity. Databricks only allows me to create users with a first name, last name, and email. Is creating a service identity even possible to externally access tables?
Thanks.
Yes, it's really possible. You need to create a service principal (via REST API or Terraform provider), add it to corresponding group that has access to data (via REST API, UI, or Terraform provider), give it permission to use personal access token (via REST API or Terraform provider), and then generate a token for it (via REST API or Terraform provider).
I need to give permission for one application to access some data from another account. I do OAuth2 authentication, but in the v2.0 we need to pass not resources, but scopes. For example I want to start/stop VirtualMachines, or just List them, what would be the proper scope for this?
I have found just this reference but I guess it is not valid for new flow https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftaad
If you are signing in as yourself (i.e. with a signed-in user), then the scope value you want to request is https://management.azure.com/user_impersonation. After signing in (and granting consent, if needed), access to Azure resources will be dependent on the permissions the signed-in user.
If instead this is a secure server doing unattended access, then you simply use the "place-holder" scope parameter value https://management.azure.com/.default (as a way of indicating that you want an access token to https://management.azure.com).
I am trying to create a new user for an application which uses CosmosDB. From the documentation, it expose a service method to create a new user.
I believe the created user can access the Cosmos DB provided the users are updated with certain permission to the collections
And my query,
Is there a service method to create a user with password? If not, any alternatives to do the same?
Is there a way to see the created users in Data Explorer rather than List Users?
1.Is there a service method to create a user with password? If not, any alternatives to do the same?
As I know, no such method in cosmos db. Based on this document, Azure Cosmos DB uses two types of keys to authenticate users and provide access to its data and resources. User and permission is resource token type here. It's meant to avoid the risk of master key exposure. It is authenticated by token,can't be password.
If do want to use password for authentication, maybe you just have to protect the token by password with your own logical code. Other words, you get the above resource token first then manage the mapping relationships between user and resource token by yourself.
2.Is there a way to see the created users in Data Explorer rather than List Users?
It can't be found on the portal now.You need to list users and permissions using sdk or rest api. You could commit feedback here to ask azure cosmos team to add this feature.
I'm using Azure App Service with authentication using Google and Microsoft account.
I can access mysite/.auth/me, without an issue upon login in.
But to refresh token, /.auth/refresh is returning me following exception.
You do not have permission to view this directory or page.
Not sure what access to be granted here in Azure blade.
The error message is actually a bit misleading. It's not that you don't have permission to access the API, but rather there are probably no refresh tokens in your token store. The way to acquire refresh tokens during user login is a little different for each provider. More details here:
https://cgillum.tech/2016/03/07/app-service-token-store/
In order for this to work, the token store must contain refresh tokens for your provider. If you’re not familiar with how to do this, here are some hints:
Google: Append an "access_type=offline" query string parameter to your /.auth/login API call (if using the Mobile Apps SDK, you can add this to one of the LogicAsync overloads).
Microsoft Account: Select the wl.offline_access scope in the Azure management portal.
Azure AD: This is a little complex right now, but take a look at my next post on enabling Graph API access. Follow the setup steps and this will also enable you to get refresh tokens for Azure AD (you can omit the Read directory data and the resource=… parts if they don’t apply to you). The plan is to simplify this in the future.
My application uses Azure AD and OpenID Connect to sign-in users (see https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect).
I want to be able to list users' Azure subscriptions when they've signed-in. I cannot figure what I need to do after a user has successfully signed-in and they've been redirected back to my app, i.e. how/where I get a hold of the necessary access token or credentials, and, to be honest, which is the correct API to call with said token/credentials. Can this be done? Is an entirely different approach necessary?
Look through the code in the example for an instance of AuthenticationResult. The access token can be accessed at AuthenticationResult.AccessToken and you can decide what you want to do based off that.
One of the notification events (raised as part of the sign-in flow) receives an authorization code. With the code, I was able to acquire an access token (using AuthenticationContext.AcquireTokenByAuthorizationCode) and, with that, I was able retrieve the subscriptions using this API https://management.azure.com/subscriptions. Note: ensure your AD application delegates permissions to the Service Management API.