While a user account impersonates a service account to call a GCP API or gcloud command, does the request have the union of permissions for both the user account and the service account?
For example, if the request returns a 403 error such as:
Error: Error enabling Shared VPC Host "{project}": googleapi: Error 403: Required 'compute.organizations.enableXpnHost' permission for 'projects/{project}', forbidden
Would it make any difference to the result of this call whether I added the permission to the user account or the service account?
The response doesn't say whether it's the service account or the principal who lacks the permission.
Obviously, it affects the wider security context - i.e. if I add the permission to my user account, then only I can perform that task (on any resource I can access), but if I add it to the service account, then anyone who can impersonate that service account can perform the task (on any resource the service account can access). But does it affect the specific API?
Related
I'm working with an app registration that has a secret defined. Via PowerShell I am able to get the credential, but not the secret value. Function used is Get-AzADAppCredential This is expected behavior, no issue here.
To renew the secret I run two functions Remove-AzADAppCredential and New-AzADAppCredential.
I run these PowerShell cmdlets via a DevOps pipeline and use a service connection with permissions in Azure portal.
I noticed that, when we create a service connection from DevOps to Azure, the service principal gets the role Cloud application administrator automatically assigned.
This role includes the permission "microsoft.directory/applications/credentials/update".
So the above (remove + new) should work, but it does not...
DevOps returns an error:
Az.MSGraph.internal\Remove-AzADApplicationPassword : Insufficient privileges to complete the operation.
Az.MSGraph.internal\Add-AzADApplicationPassword : Insufficient privileges to complete the operation.
PS. Using Az.Resources version 5.4.0 when working with the PowerShell functions.
Anyone got any idea what I'm missing?
Thanks.
Insufficient privileges to complete the operation.
The error comes when the user doesn't have sufficient privileges in AAD and doesn't have Write permission for the selected Azure Subscription.
Note: If you have Cloud application administrator privileges of the user, this role grants the ability to manage application credentials. Users assigned this role can add credentials to an application and use those credentials to impersonate the application’s identity. If the application’s identity has been granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while impersonating the application.
Make sure to check once if you have Global Administrator Access. If you have the access you can able to Modify the secret.
Users who are assigned to the Global administrator role can read and modify every administrative setting in your Azure AD organization.
The permission issue may happen due to
The user has only guest permission in the directory
The user is not authorized to the add applications in the directory
Refer here for detailed information
To be able to update a secret on an app registration, through DevOps, using a service principal, with minimal permissions, first make the service connection owner on that random app registration.
Next, add the Application.ReadWrite.OwnedBy application API permission on the app registration that's linked to the enterprise application. Not on the app registration where the service principal was made owner.
Than renewing the secret works fine.
It remains a question though why the role Cloud application administrator isn't sufficient because microsoft.directory/applications/credentials/update is included in that role, and that should also be enough.
I am trying to understand few points about delegating authorization to Azure BLOB using Azure service principles.
How I configure Azure:
Create and Configure Service Principal: in Active Directory I created an application, created a key (password), and set its required permissions to access Azure Storage;
Configure IAM of Azure Storage: under Storage accounts section, I chose my storage account, and under IAM I assigned my account (my login account as XYZ#hotmail.com) to Storage BLOB Data Contributor role.
How I use the configuration in my client App:
With the aforementioned configuration; my application takes tenant ID, client ID, client secret, and etc. and sends authorization request to /authorize endpoint.
Then a window pops-up and asks me to login (using e.g., XYZ#hotmail.com), and then a consent screen pops-up and asks for my permission to allow the service principal to read my Azure storage.
After I approve, my client application receives OAuth2.0 code.
Then I exchange this code with an access_key via the /token endpoint.
Q1: does this access_key grant my client application same privileges as XYZ#hotmail.com or service principal?
Using the obtained access key I can read/write azure blob.
Q2: if XYZ#hotmail.com does not have read/write access (i.e., not assigned with the Storage BLOB Data Contributor role), my client app would not be able to read/write for the blob, regardless of the Service Principal's role. This is where I get confused, I am under the impression that my client App is assuming Service Principal, hence it will have same privileges as the Service Principal, not XYZ#hotmail.com. For instance, XYZ#hotmail.com can have Contributor role (i.e., read/write), while the service principle would be assigned with a Reader role. In that case, I would have a full access to BLOB storage, while my client app will have only a read access to the BLOB storage. However, it seems client app gets same permissions as XYZ#hotmail.com. What am I missing here?
Q1: does this access_key grant my client application same privileges
as XYZ#hotmail.com or service principal?
The access_token you got has the delegated permissions which onbehalf of XYZ#hotmail.com. This is because that you used Authorization code grant flow.
What am I missing here?
For your scenario, I suggest you can use client_credentials flow for your app.
With client_credentials flow, you will get access token only with the application permissions configured in AAD. Also, this access token is actually onbehalf of your AAD application itself. If you assign a role to your service principal, you will get the access token with the permission of that role.
If you use Authorization code grant flow, you will get the access token onbehalf of the user, not the service principal. So, the access token will have the permission of that user.
I want to set up a web service which will manage few resources on a user's behalf (on his own AWS account).
So basically, after a user logs in, he will provide my service with proper permission to access his account. I've noticed similar services (https://www.dashbird.io/), which instruct you on how to create a proper role, but I'm not sure on how to actually use the role. How to login on his behalf (there is no token nor password).
I'm using node.js, but other examples will help as well.
Thanks.
Your application will need valid credentials to access resources in your customer's AWS Account. Theses credentials can be provided in various ways, but they would most probably be either:
Credentials for an IAM User in your customer's account, or
An IAM Role in your customer's account, which they have configured to allow you to assume
IAM User
This is the simplest method. Your customer would create an IAM User and provide it with appropriate permissions. They would then supply your application with the Access Key and Secret Key associated with the User.
Your application would use those credentials when establishing a session with AWS services.
IAM Role
Your customer would create an IAM Role and provide it with appropriate permissions. Unlike an IAM User, an IAM Role does not have credentials. Rather, an AWS User assumes a Role. They are then provided with temporary credentials that can be used to use AWS services in that account.
Think of it like a Fire Warden -- if there is a fire in an office building, somebody temporarily assumes the role of Fire Warden, telling people what to do. When there's a fire, they have authority because they assumed the role. But when there's no fire, they have no authority to tell you what to do.
The customer would need to configure the Role to trust your Account, or a User in your account. They will then give you the ARN (Amazon Resource Name) of the Role. Your application then uses an IAM User in your own Account to call AssumeRole(). If that IAM User (or your whole account) is trusted, then you will receive back credentials for accessing your customer's account.
See:
Creating a Role to Delegate Permissions to an IAM User
AssumeRole
I am trying to get the keys for all the Storage Accounts in my subscription. But I am getting this exception on one of the Storage Account using Azure Java SDK.
com.microsoft.azure.CloudException: Status code 403, {"error":{"code":"AuthorizationFailed","message":"The client '5c79ee27-#########-######91f8e3' with object id '5c79ee27-###########-#####91f8e3' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/listKeys/action' over scope '/subscriptions/758ad253-#######f07/resourceGroups/spcwestus/providers/Microsoft.Storage/storageAccounts/grsstorag'."}}: The client '5c79ee27-###########-#####91f8e3' with object id '5c79ee27-###########-#####91f8e3' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/listKeys/action' over scope '/subscriptions/758ad253-#######f07/resourceGroups/spcwestus/providers/Microsoft.Storage/storageAccounts/grsstorag'.
For most of the Storage Accounts I manage to get the keys. But for some of them the same error gets repeated. What does this mean?
From the error you encountered, the server responded to your requests with HTTP 403 status code indicates that your request is Forbidden by the server.
HTTP 403 Status Code
A server that receives valid credentials that are not adequate to
gain access ought to respond with the 403 (Forbidden) status code
(Section 6.5.3 of [RFC7231]).
This is most probably caused by some Role-Based Access Controls that are in place to prevent your account to perform the list storage account key actions for certain storage accounts based on your assigned role.
You can use the Azure PowerShell cmdlet below to verify whether the role assigned to your specific object under the specific scope has the permission to list the storage account keys.
Get-AzureRmRoleAssignment -Scope "/subscriptions/758ad253-#######f07/resourceGroups/spcwestus/providers/Microsoft.Storage/storageAccounts/grsstorag" -ObjectId 5c79ee27-###########-#####91f8e3
More information please refer to the link below:
Use Role-Based Access Control to manage access to your Azure subscription resources
Maybe as addition above. Azure has the Storage Account Key Operator Service Role which is describes at the following:
Storage Account Key Operators are allowed to list and regenerate keys on Storage Accounts
Granting you this role should allow to list the keys.
I am working on an app that manages azure resources for customers (provision VMs, create VNets).
We have created a multi-tenant application in the azure portal that is configured for Delegated permissions of Windows Azure Service Management API and Windows Azure Active Directory.
We are able to login AAD based account without a problem. But when a live.com based account logs in, the user gets a AADSTS50020 error.
We for the login, we are navigating to https://login.microsoftonline.com/common/OAuth2/Authorize
with the following parameters:
client_id=XXX&response_mode=query&response_type=code&redirect_uri=XXX&prompt=consent
Here is the full error message:
AADSTS50020: User account 'xxx#hotmail.com' from identity provider
'live.com' does not exist in tenant 'XXX' and cannot access the
application 'xxx' in that tenant. The account needs to be added as an
external user in the tenant first. Sign out and sign in again with a
different Azure Active Directory user account.
You need to use V2 endpoints in order to allow access from personal microsoft accounts. I run into the same problems by using the v1 endpoint.
Use this endpoint:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize
For example:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize
?client_id=ffffff-1111-2222-3333-37fd4f8c20ee
&response_type=id_token
&redirect_uri=http://localhost:8080/login/microsoft/callback
&response_mode=form_post
&prompt=consent
&scope=openid
&state=12345
&nonce=RandomGUI
Good luck