Which Azure role / permission needed for command using Azure function - azure

I've created a solution that will auto-tag all resources in Azure when they're created using the "Creator", "Date", and "Time." These work perfectly if someone creates from the web interface. Unfortunately, I use Terraform to create resources and would like it to take the terraform appid and convert it to the name using the following command.
(Get-AzADServicePrincipal -ApplicationId "123456-4564-464651651").DisplayName
Unfortunately, I get the following error, basically saying i don't have privileges to do it. Is there a list that lets me know which roles correspond to which command i need to run? I only want to allow privileges to map Service Principle App ID display name (and nothing more).
[Error] ERROR: [Authorization_RequestDenied] : Insufficient privileges to complete the operation.Exception :Type : System.ExceptionMessage : [Authorization_RequestDenied] : Insufficient privileges to complete the operation.HResult : -2146233088CategoryInfo : InvalidOperation: ({ ConsistencyLevel …ect = , Expand = }:<>f__AnonymousType5`7) [Get-AzADServicePrincipal_List], ExceptionFullyQualifiedErrorId
The solution is based on this link using Event triggers https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/tagging-azure-resources-with-a-creator/ba-p/1479819

You should you at least Application.Read.All permission , Please see the doc for more info - https://learn.microsoft.com/en-us/graph/api/serviceprincipal-get?view=graph-rest-1.0&tabs=http
Hope this helps
Thanks

Related

Azure AD Group and SharePoint

I'm having an issue with the timing around creating a new Azure AD security group and using that group for SharePoint Online folder access.
Using New-PnPAzureADGroup i'm creating the security group, then using Set-PnPListPermission and Set-PnPFolderPermission i'm setting the security group with the required permission for that List or Folder.
It seems that Set-PnPListPermission & Set-PnPFolderPermission are running too quickly after the creation of the group as it reports
Set-PnPListPermission : The specified user XXXX123_SP could not be found.
The strange thing is, once the group has been created I can immediately run Get-PnPAzureADGroup and retrieve the group. I can also manually run the same command a little later and it completes successfully.
I assume the groups take time before they're available in SharePoint, what's the best practice approach to check and wait for these groups before applying them in SharePoint?
Thanks in Advance
You could try to use following PnP PowerShell commands:
Set-PnPListPermission -Identity '$LibraryName' -User 'c:0t.c|tenant|$AdGroupID' -AddRole 'Read'
I replaced -Group with -User in the PnP PowerShell command. Then executed successfully with on error message.
I've encountered this issue, except with external users rather than AD Groups but I think the root is the same. The object can be immediately queried from AD but takes times to become resolvable in SharePoint.
I doubt you'll find a documented best practice as this is a bit of an advanced use case. In my case I seem to recall it taking between 5 and 30 seconds to resolve. What I did was loop 10 times with a Thread.Sleep and break out when it succeeds. Event then you'd get occasional failures - you just log them and move on and let support staff deal with it.
Not my proudest coding moment but it (mostly) got the job done.
$condition = $false
do{
try {
Set-PnPListPermission [-ErrorAction Stop]
Set-PnpFolderPermission [-ErrorAction Stop]
$condition = $true
}
catch {}
}
until{$condition}

Apache Pulsar Unauthorized to validateTopicPolicyOperation for operation [WRITE] on topic

We've been trying to add JWT auth on our 2.8.1 Apache Pulsar cluster and it seems to be working properly, except for permissions. So basically, the state we are right now is that:
Without token, client gets a 401
With a token, it can access but has a trouble producing or consuming, so we added this :
./bin/pulsar-admin --admin-url https://pulsar-xxx-broker.pulsar-xx.svc.cluster.local:8443 --auth-plugin org.apache.pulsar.client.impl.auth.AuthenticationToken --auth-params file:///pulsar/tokens/broker/token namespaces grant-permission "xxx-dev-FR/lol" --role pulsar-token- --actions produce,consume
And it was better, permissions seems to be pretty straightforward on namespaces and only consume,produce are allowed seeing the code. But then we hit that error:
org.apache.pulsar.client.admin.PulsarAdminException$NotAuthorizedException: Unauthorized to validateTopicPolicyOperation for operation [WRITE] on topic [persistent://xxx-dev-FR/ns-common-0.8.0/workflow-tag-new: com.xxx.xxx.commons.engine.workflow.xxxEngine] on policy [PARTITION]
So apparently we need some more permissions, so we looked into adding an admin role when creating the tenant and this is what we've done but unfortunately, it's not better.
Pulsar permissions schema
Do I miss something here?
Thanks a lot.
Kin
#Kin, from your example it seems you granting permission on one namespace xxx-dev-FR/lol but then trying to use a topic in a different namespace xxx-dev-FR/ns-common-0.8.0.
Yes it's true, but this was just an example sorry. I did launch the query grant permission command on the right namespace afterwards.
I feel like the grant-permission command is missing some permissions as only those two are available:
consume
produce
But apparently it doesn't work for changing a topic or namespace policy. Is there a way to make this work without being full admin?
edit : just in case it's not clear in my first post, while creating the tenants in pulsar-manager, we used the equivalent of this command:
./bin/pulsar-admin tenants create test --admin-roles <my_app_role>
You can validate below params are configured in broker.conf for all brokers, these are used when broker connects to other brokers
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderToken
(for below configs, subject of token and superUser should match)
brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationToken
brokerClientAuthenticationParameters={token}
superUserRoles={super-user}
Configure one from below, based on the key(symmetric or asymmetric) you have used to generate the token, this will be used to decode the token
tokenSecretKey=
tokenPublicKey=
I managed to fix the issue which was not working because of the Token subject not being the same as the role input in the tenant admin permissions. For instance in CLI it meant:
pulsarctl token create -a HS256 --secret-key-file SECRETKEY --subject xxx-admin 2> pulsar-token-xxx-admin
kubectl exec -it pulsar-xxxx-broker-0 -- bash
./bin/pulsar-admin --tls-allow-insecure --admin-url https://pulsar-xxx-broker.pulsar-xxxx.svc.cluster.local:8443 --auth-plugin org.apache.pulsar.client.impl.auth.AuthenticationToken --auth-params file:///pulsar/tokens/broker/token tenants create <my_tenant> --admin-roles xxx-admin
We also had to add the following in the broker's configuration:
"topicLevelPoliciesEnabled": "true"
"systemTopicEnabled": "true"
Bye and thanks for your help.

auto creation of aws iot thing and attaching it to a thing group

I have created thing , certificates , policy and attached them successfully using python.
And i have founded a idea that instead of creating a policy for every new thing that is created , we can create a thing group and create a policy for that group and adding the thing to it and then share that group policy to every new thing we created.
I didn't have any idea on how to implement my idea and i keeps on searching for a reference to do that still i didn't find any usefull links or guides.If you know anything post that
Hi everyone after a long search i find the solution.
def add_thing_to_thing_group():
client = boto3.client('iot')
thing_group_name ='your thing group name'
thing_group_arn ='your thing group arn'
thing_name ='your thing name'
thing_arn ='your thing arn'
client.add_thing_to_thing_group(
thingGroupName= thing_group_name,
thingGroupArn= thing_group_arn,
thingName= thing_name,
thingArn= thing_arn
)
need boto3 package
thing group arn and thing arn are available in aws iot console

Wrong publishsettings xml file structure for Import-AzurePublishSettingsFile command

I have a fresh publishsettings file obtained with use of command Get-AzurePublishSettingsFile
And when I run following command:
Import-AzurePublishSettingsFile -SubscriptionDataFile "path to publishsettings"
I'm getting this error:
Import-AzurePublishSettingsFile : Error in line 1 position 14. Expecting element 'ProfileData' from namespace 'http://schemas.datacontract.org/2004/07/Microsoft.WindowsAzure.Comman
ds.Utilities.Common'.. Encountered 'Element' with name 'PublishData', namespace ''.
At line:1 char:1
+ Import-AzurePublishSettingsFile -SubscriptionDataFile "path to publishsettings ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Import-AzurePublishSettingsFile], SerializationException
+ FullyQualifiedErrorId : Microsoft.WindowsAzure.Commands.Profile.ImportAzurePublishSettingsCommand
Looks like powershell cmdlet expects to see a file with different structure, but I have no idea where I can get one.
Am I doing something wrong here or it's an issue with Azure Powershell?
Azure module version is 0.8.2
I don't have an answer to your specific question. But I may have a better option, and something you can try to resolve the original issue.
See ArgumentNullException - Get-AzureService.
That post describes the following two options:
Instead of using publish settings files for management API authentication you can use your normal management portal login credentials. This is generally a better option for using the Azure powershell cmdlets.
If that doesn't work for you then see the link above for how to clear out the cached subscription configuration files and see if that fixes the Import-AzurePublishSettingsFile issue you are seeing.
I ran into the same issue. It turned out that I had used the incorrect parameter switch to specify the settings file.
Double check that you are using -PublishSettingsFile argument and not -SubscriptionDataFile as shown in your examples.
See the excerpt from powershell help below, for an explanation of each parameter.
Parameters
-PublishSettingsFile <String>
Specifies the full path and filename for the .publishsettings file for the Windows Azure account.
Required? true
Position? 1
Default value
Accept pipeline input? false
Accept wildcard characters? false
-SubscriptionDataFile <String>
Specifies the path to a file where the subscription data is stored. This parameter is optional. If it is not provided, the subscription data is imported into a default file in the user's profile.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
I was able to make this work after several tries.
You need to start PowerShell as Administrator and clearly layout the path to the filename assigned the downloaded file to.
Once I did this it worked well.

Match a Deployment ID in Windows Azure

I have several different services running the same code base as windows azure worker roles.
I'm trying to test and see if the currently executing code is running in a specific instance. If I call to this in the management API:
HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(
new Uri("https://management.core.windows.net/" + subscriptionId + "/services/hostedservices/<<servicename>>/deploymentslots/production?embed-detail=true"));
I get a response like this:
<Deployment xmlns="http://schemas.microsoft.com/windowsazure" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<Name>c8bd3b12f1bc4e0db9d8c1d59e97e48b</Name>
<DeploymentSlot>Production</DeploymentSlot>
<PrivateID>d1ea61e367e84aedb68de97eded3e896</PrivateID>
<Status>Running</Status>
<Label>SXRlbVVwZGF0ZXIgLSAzLzEzLzIwMTMgMTA6NDQ6MTUgQU0=</Label>
<Url>http://itemupdater3.cloudapp.net/</Url>
<RoleInstanceList>
<RoleInstance>
<RoleName>UpdateItems</RoleName>
<InstanceName>UpdateItems_IN_0</InstanceName>
<InstanceStatus>Ready</InstanceStatus>
</RoleInstance>
</RoleInstanceList>
<UpgradeDomainCount>1</UpgradeDomainCount>
<RoleList>
<Role>
<RoleName>UpdateItems</RoleName>
<OsVersion>WA-GUEST-OS-1.22_201302-02</OsVersion>
</Role>
</RoleList>
</Deployment>
I'm trying to test and see if the currently executing code has the same ID as this response.
If I compare:
xml["Deployment"]["Name"].InnerText;
To
RoleEnvironment.CurrentRoleInstance.Role.Instances[0].Id;
It never matches. How do I match something from the C# to the ID returned from the API?
Thanks!
You're trying to compare the name of the deployment (typically a single guid-like string, unique every time you redeploy) to the name of the instance (follows a pattern of RoleName_IN_xxx). They will never match.
I'm not 100% sure what you're trying to do, but the call to Service Management API will never give you information on your current instance - because it does not know where you run from; you can even call the API from non-Azure resources. It will simply give you data about the whole subscription.
RoleEnvironment.CurrentRoleInstance.Id will provide you with the ID of the current instance.
kevin, use the RoleEnvironment.DeploymentId instead of the RoleEnvironment.CurrentRoleInstance. This will allow you to compare what is currently running with what you get from the service management API.

Resources