When trying to configure a Private Endpoint on a storage account, I get an empty list of resource types
And if I try to do it with the resource id instead, I get the following error
Any idea?
I tried to reproduce the same in my environment works fine successfully.
This issue may occur if your region is mismatched it will not show your resource type. To resolve issue check whether while create a storage account you can able to create a private endpoint as below.
Thus, my private endpoint is created successfully as below.
Suppose, if you are already created a storage account you want to configure private endpoint make use of below workarounds.
In your storage account -> click networking under security and networking ->private endpoint connection ->Add private endpoint as below.
While adding a new private endpoint in a storage account your resource type and resource are automatically recognize and display as below. This way helps you in order to prevent a resource unsupported issue.
I have configured my WebAPI to get Azure Storage connection string out of Azure KeyVault using Managed Identity.
For that, I have created an Azure AD dedicated user, which is given permission to get/list secrets from Azure KeyVault. I then assigned this user to my AZURE_USERNAME environment variable and I have configured Visual Studio to use this account.
It all works fine as long as I run the WebAPI in IIS Express when I debug from Visual Studio. However I want to run the WebApi from my local IIS when I debug in Visuall Studio.
What am I missing here ? I suspect it is because local IIS does not run with the configured user above, but what would be the workaround ?
The error I get is
AzureServiceTokenProviderException: Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/some_id. Exception Message: Tried the following 3 methods to get an access token, but none of them worked.
In the end I created a dedicated service principal in azure ad which is then added to my applications's users. This service principal is referenced by the environment variable on the dev machine.
I have made progress on this and it is now working in local IIS but...
to make it work, I added the following environment variables:
as documented here
However it means this only works for ONE Service Principal at a time. What if I want all of my local WebApi running at the same time (which is the case) in the local IIS. How can I handle that with DefaultAzureCredential ?
Another solution is to create an AzureServiceTokenProvider instance by passing a connection string parameter that will specify the tenant and application secret.
var azureServiceTokenProvider = new AzureServiceTokenProvider("RunAs=App;AppId=2ad1fe1f-d93f-4973-a1e5-e7019638b90a;TenantId=your-tenant-here.onmicrosoft.com;AppKey=your-app-secret-here");
In such a way there is no more need to use the environment variables.
Check it here
I was trying to get the connection string from the azure key vault for azure functions. These are the steps I did,
Created a managed identity(System assigned) in the azure functions
Create a secret in an azure key vault
Add access policies to give permission to the azure function app
Added an entry in the app settings for connection string where the value was #Microsoft.KeyVault(SecretUri=SECRETURLOFKEYVAULT)
But when I run the azure function I am getting below error,
"Keyword not supported: #microsoft.keyvault(secreturi....."
This is how I have enabled managed identity,
And my access policy looks like below,
Any help would be much appreciated
I ran into a similar problem by following the tutorial. My remedy was a restart of the function app. Saving of the app setting was not enough for the Function App to start using the Key Vault secret provider correctly.
According to the steps you provided, it have no problem to work well. Here is the tutorial about get key vault secrets in Azure Function you could refer to.
Note: Add access policies to the azure function app with the Get permission on secrets and that was enough.
Also, here is a similar issue that get same error like you which is due to IP Address restriction blocking it.
This issue occurred while testing on local. It was resolved after doing an az login.
I have enabled Managed Service Identities on an App Service. However, my WebJobs seem unable to access the keys.
They report:
Tried the following 3 methods to get an access token, but none of them worked.
Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: . Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup.
Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.microsoftonline.com/common. Exception Message: Tried to get token using Active Directory Integrated Authentication. Access token could not be acquired. password_required_for_managed_user: Password is required for managed user
Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: . Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. 'az' is not recognized as an internal or external command,
Kudo does not show any MSI_ environmental variables.
How is this supposed to work? This is an existing App Service Plan.
The AppAuthentication library leverages an internal endpoint in App Service that receives the tokens on your site's behalf. This endpoint is non-static and therefore is set to an environment variable. After activating MSI for your site through ARM, your site will need to be restarted to get two new Environment Variables set in it:
MSI_ENDPOINT and MSI_SECRET
The presence of these variables are essential to the MSI feature working properly during runtime as the AppAuthentication library uses them to get the authorization token. The error message reflects this:
Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup.
If these variables are absent, you might need to restart the site.
https://learn.microsoft.com/en-us/azure/app-service/app-service-managed-service-identity
If the environment variables are set and you still see the same error, the article above has a code sample showing how to send requests to that endpoint manually.
public static async Task<HttpResponseMessage> GetToken(string resource, string apiversion) {
HttpClient client = new HttpClient();
client.DefaultRequestHeaders.Add("Secret", Environment.GetEnvironmentVariable("MSI_SECRET"));
return await client.GetAsync(String.Format("{0}/?resource={1}&api-version={2}", Environment.GetEnvironmentVariable("MSI_ENDPOINT"), resource, apiversion));
}
I would try that and see what kind of response I get back.
I just solved this issue when trying to use MSI with a Function app, though I already had the environment variables set. I tried restarting multiple times to no success. What I ended up doing was manually turning off MSI for the Function, then re-enabling it. This wasn't ideal, but it worked.
Hope it helps!
I've found out that if you enable MSI and then swap out the slot, the functionality leaves with the slot change. You can re-enable it by switching it off and on again but that will create a new identity in AD and will require you to reset permissions on the key vault for it to work.
Enable the identity and give access to your azure function app in keyvault via access policy.
You can find identity in platform feature tab
These two steps works for me
In my case I had forgotten to add an Access Policy for the application in the Key Vault
Just switched ON the Status like #Sebastian Inones showed.
Than add access policy for KeyVault like
This is resolved the issue!!
For the ones, like my self, wondering how to enable MSI.
My scenario:
I have an App Service already deployed and running for a long time.
In addition, on Azure DevOps I have my Pipeline configured to Auto-Swap my Deployment Slots (Staging/Production). Suddenly, after a normal push, Production starts failing because of the described issue.
So, in order to enable MSI again (I don't know why it has to be re-enabled but I believe this is only a workaround, not a solution, as it should be still enabled in the first place)
Go to your App Service. Then Under Settings --> Identity.
Check the status: In my case, it was off
I have attached an image below to make it easier to follow.
For the folks that will come across these answers, I would like to share my experience.
I got this problem with Azure Synapse pipeline run. Essentially I added access policies properly to the KeyVault, and also I added a LinkedService to the Azure Synapse pointing to my KeyVault.
If I trigger the notebook manually it works, but in the pipeline, it fails.
Initially, I used the following statement:
url = TokenLibrary.getSecret("mykeyvault", "ConnectionString")
Then I added the name of the linked service as a third parameter, and the pipeline was able to leverage that linked service to obtain the MSI token for a Vault.
url = TokenLibrary.getSecret("mykeyvault", "ConnectionString", "AzureKeyVaultLinkedServiceName")
Might be unrelated to your issue but I was getting the same error message.
For me, the issue was using pip3's azure-cli. I was able to fix this issue by using brew packages for both azure-cli and azure-functions-core-tools.
Uninstall pip3 azure-cli
pip3 uninstall azure-cli
Install brew azure-cli
brew update
brew install azure-cli
Double check if the error message ends with:
Please go to Tools->Options->Azure Services Authentication, and re-authenticate the account you want to use.
I have some difficulties in managing Azure certificates from my code.
Indeed I'm trying to use Azure REST Services API (e.g. creating HTTP requests) in order to know my services state from my Azure web site.
It works well in local debugging, but my web role seams to have some limitation with the certificates manager. Bellow is what I do:
// this method stores a certificate from the resources
// to the local certificates manager
private X509Certificate2 StoreCertificate(Certificates certName)
{
X509Certificate2 newCert = null;
// get certificate from resources
newCert = this.GetCertificateFromResources(certName);
// store it into the local certificate manager
if (newCert != null)
{
var store = new X509Store(
StoreName.TrustedPeople,
StoreLocation.LocalMachine
);
store.Open(OpenFlags.ReadWrite);
store.Add(newCert);
}
// reset ref and try to load it from manager
newCert = null;
newCert = this.GetCertificate(certName);
return newCert;
}
An Access is denied error appends when I try to add the certificate.
Any idea ? Can I store certificates into the Azure VM ?
Should I use a special location to store those ?
Are you using a Cloud Service (web/worker role)? If so, which OS family? I've seen some reports that with a worker role using OS family 3, you need to run the role with elevated permissions in order to read certs from the local cert store. Not sure if that applies to web roles as well and adding to the cert store.
Has the service cert been added via the Azure management portal as well (or via the REST API or PowerShell)?
Well I have found lot of things:
I was deploying my code in a web site so that I cannot add a certificate to the Shared VM in Azure
I have tried to connect to the VM in a remote desktop session and I added a certificate manually.
Even in this case, I have an (403) Forbidden error in an InvalidOperationException.
So here is the current state:
a certificate has been created (makecert) and added manually in the VM that hosts my web role (deployed in a service)
this certificate has been uploaded to both the Azure Account certificates and to the Azure service certificates (the one that deploys my web role)
the thumbprint of this certificate has been added in my code and I can access to the certificate when my code is executed
So 2 questions:
Is there something I should do with my certificate ?
When I try my web role locally in the Azure emulator, everything works. Is there a special setting to update during the publish / deploy step ?
Thanks for your help.
In order to save the time of other developers, here is what I did to solve the main problem:
connect to the VM that deploys the web role: see there
create the certificate: see there
Eventually plays with the certificates manager (mmc.exe)
Then the certificate is available from the code.