I'm in the process of migrating from Cloud Service (classic) to Cloud Service (extended support) in Azure. Unfortunately, CS extended support documentation is very scarce and often inaccurate, so the process if very much not straight forward. At this point, I'm working on the deployment pipelines. With CS classic, we used management APIs to deploy/update/etc. The API for extended support is more straight forward, however, again, the documentation is lacking. The best I found was this page: Cloud Service - create or update. While this provides fairly good starting points, I'm struggling to find any info on the following points:
ServiceConfiguration element - what format is this in? Is it pure XML (encoded within JSON, of course) or something else? For classic API, service configuration was passed as a BASE64 encoded XML.
The request body (JSON) contains some of the same elements as in the service configuration - what happens if they don't match?
Package URL - what format is this in? The package is stored in an azure storage account - so how do I reference it? Also, for authentication, I can't grant the CS any permissions to the storage account, as it's not created yet (it doesn't exist!) - but it seemingly needs this permission in order to be created.
RDP extension - what format is "password" in? Is this really just a plain password? For classic, RDP password was encrypted using a certificate, which was separately uploaded into the service.
SSL certificate from the vault - how is authentication going to work? Again, the CS doesn't exist yet, so I can't grant it any permissions in the vault.
On authentication front, I managed to send the auth request and get the oauth2 token, which I would then use for this API - could this be enough? Of course, I can try this, but need to understand the other things first (i.e. format of some elements).
Note separately that deployment pipeline is executed from Jenkins and must stay that way - I don't have any control over that.
UPDATE: I tested this as best I could with service configuration being plain xml, with content matching the rest of json input, plain text password for RDP extension, and hoping for the auth to use bearer token. The response I received was 400, with the following details:
{
"error": {
"code": "InvalidParameter",
"message": "The value of parameter packageUrl is invalid."
}
}
So, back to my point 3 above - what is the format of package url?
UPDATE 2: After some experimenting, it did accept the package URL with the SAS token. Now I'm stuck with this error:
{
"error": {
"code": "StandardPublicIPAddressNotSupportedCloudService",
"message": "Standard public IP not supported for cloud services."
}
}
Web search for that string returns 0 matches. The template I'm using is copy/paste from MS documentation; the process I'm using is exactly per MS documentation. Any further help massively appreciated.
This isn't exactly what you're after, but I used the following article to help with generating a template.json and parameter.json file which then could be used through Powershell.
https://techcommunity.microsoft.com/t5/azure-paas-blog/how-to-use-azure-devops-to-publish-cloud-service-extended/ba-p/3675180
This is what my Powershell script eventually looked like:
New-AzResourceGroupDeployment -ResourceGroupName "cses-rg" -TemplateFile DeployArm.template.json -TemplateParameterFile DeployArm.parameter.json -packageSasUri $cspkg -configurationSasUri $cscfg -cloudServiceName cldcsestest -deploymentLabel myDeploymentLabel -publicIPName 'MyPublicReservedIp' -rdpPassword $rdpPassword
I only used the Powershell script locally for quicker testing, but my goal was to get it working with Azure Dev Ops.
Related
I'm able to update/create the function key using the API as per document.
https://learn.microsoft.com/en-us/rest/api/appservice/web-apps/create-or-update-function-secret
My main aim is to update the function key every hour so I'm creating a http trigger (with the above api inside it) and scheduling the trigger.
For testing purpose I stored the url in one parameter.
URL:
'https://management.azure.com/subscriptions/xyz1/resourceGroups/xyz2/providers/Microsoft.Web/sites/func_appname/functions/func_name/keys/poc_testing1?api-version=2021-02-01{"Properties":{"Name": "poc_testing1","Value": "asdsda"}}'
Note: Value here is updating via random gen lib of python
Generated a bearer token using the service principal (which I'm already using to connect my stg acc) storing it in auth_token
header_auth= {'Authorization' : 'Bearer ' + auth_token }
Now running the below command in python
import requests
requests.post(url, headers=header_auth)
I'm getting 403 forbidden error
I'm thinking that it is not because of the bearer token, Did google the error and it is with the IP address. Can someone help me out here
I was referring the (https://learn.microsoft.com/en-us/troubleshoot/azure/general/request-throttling-http-403) doc but I'm not using any APIM service
Till now I referred the doc from MSFT.
https://learn.microsoft.com/en-us/rest/api/appservice/web-apps/create-or-update-function-secret
I was able to create new function key.
I'm trying to do the same using python for which I performed the above steps.
Currently ran the above issue steps in my local Visual studio and tried az cli as well but same 403 error.
Why do you want to update the function key every hour?
If you aim to increased security use AzureAD Auth/OAuth2 rather than the function key.
Regarding the 403 error, please ensure you have assigned proper permissions to the service principal which allow the service principal to modify the azure function.
I had seen multiple examples how to use Azure API manager using powershell to retreive password for SCM but unable to find any example using it without powershell i.e. something execution in shell command line. i am also looking for example for saving and deploying my api
You can always inspect any Azure service API in action by doing what you need in Azure portal and seeing what requests get sent. Correlating them with documentation helps. So to get access token for SCM endpoint in APIM you need:
With any Azure credentials make a GET call to https://management.azure.com/subscriptions/.../resourceGroups/.../providers/Microsoft.ApiManagement/service/.../tenant/access/git?api-version=2018-01-01
in response you will get a payload similar to:
{
"id": "XXX",
...
}
Take "id" from that payload and make a POST call to https://management.azure.com/subscriptions/.../resourceGroups/.../providers/Microsoft.ApiManagement/service/.../users/XXX/token?api-version=2018-01-01
you will get your token:
{
"value":"..."
}
I'm reading the documentation for Cloud Identity and Access Management Method: projects.serviceAccounts.signBlob. I've got it figured out except for the body, which is
{
"bytesToSign": string
}
The documentation says that this should be
The bytes to sign.
A base64-encoded string.
Gosh, how helpful! Can anyone explain what bytesToSign is? What do I put there? The service account private key?
The Google Cloud Platform (GCP) IAM API method projects.serviceAccounts.signBlob allows you to cryptographically "sign" a blob of data using the system-managed private key for a given service account.
More info: Digital Signature
Permissions
In order to sign blobs using a service account, you need to make sure your account has the iam.serviceAccounts.signBlob permission on the service account in question. The easiest way to do this is to grant your account the Service Account Token Creator on the Project or the Service Account. This role contains the following permissions:
iam.serviceAccounts.get
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.implicitDelegation
iam.serviceAccounts.list
iam.serviceAccounts.signBlob
iam.serviceAccounts.signJwt
resourcemanager.projects.get
resourcemanager.projects.list
Using the API
This API endpoint takes two arguments:
service account name (in the URL of the request)
blob that you would like to cryptographically sign (in the body of the request)
As an example, let's say that you want to sign this text:
Here is some text that I would like to sign.
First, you must base64 encode the string, which becomes:
SGVyZSBpcyBzb21lIHRleHQgdGhhdCBJIHdvdWxkIGxpa2UgdG8gc2lnbi4=
Then you would post to the endpoint with the base64-encoded string in the body. For example, if your project was called my-project and you wanted to sign the blob with my App Engine default service account, you would do:
POST: https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/my-project#appspot.gserviceaccount.com:signBlob?key={YOUR_API_KEY}
BODY:
{
"bytesToSign": "SGVyZSBpcyBzb21lIHRleHQgdGhhdCBJIHdvdWxkIGxpa2UgdG8gc2lnbi4="
}
If successful, it will return a response with the keyId that was used to sign the blob and the signature which is the signed blob.
Example:
{
"keyId": "f123aa7016e4565e49a489357aa384fa25a9e789",
"signature": "t7FT+3b0AUzqmGHofHIa8MDcfuBOKQa4/DtK6Ovel22Y9pa5G4PduW5iYY9EMQpyXW3sZEZiyFRs3M9nGkLt/DKXITCW9Ta4nvLZwNj1ahFjkujr12iUzyU+NR9/Db2LWoI/g4j1e27E9O8zqXdi+BQpKkOYHUcfbH3xcTbEJnmjU/1zEHztNRXlihNPyOjSWsKhPdVnVzxYmi6Y3Bmgb3kCZe5hhUhANo9gavsakSogi0y5z625vHiW3roQkH2fEktcDkf49GlLJEHqRu+FaCcAwgpsEs/Nm+llgfhSuHKx1tcvslmTWOGAnYDKVg74oqg4FgfhiLqBWJYRrFRwxQ=="
}
You can try it here with the API Explorer (but change the project name to your project and change the service account name to your service account).
This can also be done with gcloud, for example:
$ gcloud iam service-accounts sign-blob \
--iam-account my-account#somedomain.com input.bin output.bin
For more information on how this command ties into the wider cloud infrastructure, please see:
https://cloud.google.com/appengine/docs/standard/python/appidentity/
https://cloud.google.com/appengine/docs/java/appidentity/
https://cloud.google.com/appengine/docs/standard/php/appidentity/
https://cloud.google.com/appengine/docs/standard/go/appidentity/
You might use this to to assert your identity to non-Google services. If you want to assert that some text provided by you to an external application is in fact coming from you, then you can sign the text with the signBlob method to sign the text with your private key, and then you can use the get_public_certificates() method to obtain a list of certificates which can be used to validate that the signature.
More: Asserting identity to third-party services
Thanks to #lukwam and #John Hanley, the answer was that I didn't need to use projects.serviceAccounts.signBlob, i.e., this was a rabbit hole I didn't need to go down. I was getting a SigningError message and I needed to assign roles to service accounts, as I have detailed in this question and answer.
I am creating a LUIS app using the LUIS programmatic API. After the app is successfully created and trained, I want to assign an API key to the app using this endpoint:
PUT /luis/api/v2.0/apps/{appId}/versions/{versionId}/assignedkey
Both my programmatic API key (obtained from luis.ai) and the normal API key (the one I am trying to assign, obtained from Azure Portal) are registered to the same email address.
However, when I am trying to send a request to the above endpoint, it fails with this error:
{
"error": {
"code": "BadArgument",
"message": "Cannot find the specified subscription"
}
}
I'm out of ideas for what I might be doing wrong, because exactly the same logic already worked before.
Is there some kind of way to "assign" an Azure subscription to my LUIS account?
Update:
I didn't find an answer to my question, but I found a workaround. Calling PUT /luis/api/v2.0/apps/{appId}/settings will set the application to "public", which means you can use any subscription key with it. See docs.
It seems that this endpoint is now deprecated because I get the following:
{
"error": {
"code": "DeprecatedException",
"message": "To assign a subscription key to an app, please go to the LUIS website at https://www.luis.ai and assign it from the app publish page."
}
}
In the luis page I see this:
The endpoint PUT /luis/api/v2.0/apps/{appId}/versions/{versionId}/assignedkey and /luis/api/v2.0/subscriptions are indeed deprecated. I contacted to LUIS support and they answered:
We are shifting the key management experience to happen only through the portal. Users no longer need to copy and paste keys, we offer a well-integrated experience that lists all the Azure keys inside our portal, key management details here.
I am trying to export an Azure package using the GetPackage method of Service Management API.
I have tried both calling the REST API directly using a WebClient, and by using the Windows Azure Service Management Library package (I have posted the code I used as an answer to that question).
However, no matter the method I tried and how I constructed and/or encoded the container URI, I am always getting the following error:
400 Bad Request
Parameter value '...' specified for parameter 'ContainerUriString' is invalid.
The parameter in question is of the following form:
https://something.blob.core.windows.net/somecontainer
I verified that the storage account exists and is accessible (tried both public and private containers), even tried calling HttpUtility.UrlEncode() on the container URI (even though the SDK does it automatically).
Any ideas how to get this resolved?
Please ensure that the storage account where you want the files to be copied belong to the same subscription as that of Cloud Service.