I have created an access group that has access to a specific resource group. For Code Engine and Container Registry all possible access (Viewer, Operator, Editor, Administrator, Reader, Writer, Manager) roles are enabled. However, when a user within that access group is trying to create an image build, in the last step they get:
Error binding registry Failed to create registry binding for 'IBM Registry Frankfurt'
When I attempt the same action with my superuser, I have no issues creating a new build.
It seems like the issue is with permissions. Can someone advise what specifically needs to be set to allow that registry binding?
We are creating a UWP app using Xamarin Forms, and ADAL is used for login. Authentication succeeds when we are connected to the VPN. But when we run the same app in the client network, where we don't require VPN, the app does not show the ADAL IWA (Integrated Windows Authentication) prompt; instead, we get the error message "We can't connect to the service you need right now. Check your network connection or try this again later." I have attached an image for reference. On investigating further, we found an article about the same issue, with the solution, in the Microsoft forum (https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-net-uwp-considerations). The solution is to enable the private network for Authhost.exe in the Registry Editor under HKEY_LOCAL_MACHINE. On running the command below, we were able to bypass the issue. But we don't want to edit the registry on each end-user machine or device. So we tried editing the registry programmatically inside the app, but we got a security exception.
Enabling Private Network Through Command Prompt:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\authhost.exe\EnablePrivateNetwork = 00000001
Error while trying to edit Registry Programmatically:
System.Security.SecurityException: 'Requested registry access is not allowed.'
Reference for Editing Registry Programmatically:
https://codingvision.net/c-edit-registry-keys-or-values
So, we need to understand: what is the best way to address this issue?
I don't want to alter the registry using the command prompt or the Registry Editor app.
Is it possible to enable the private network via AD group policy or Windows OS settings?
Is there any other possible way to enable the private network?
Note:
The same code works fine with Android Environment. The problem is only with Windows.
• There is no existing group policy that changes this registry option for the private network in ADAL authentication. But you can certainly change this registry setting through group policy, as it is the only solution to enable the private network for ADAL authentication. To do this, please follow the steps below in group policy:
a) Log in to the Group Policy server/domain controller and open the Group Policy Management GUI, then select the default domain group policy and edit it.
b) Then go to 'Computer Configuration --> Preferences --> Windows Settings --> Registry --> New --> Registry Wizard'. The registry wizard opens and allows you to connect to the remote computer and select the appropriate registry key, i.e., 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\authhost.exe\EnablePrivateNetwork = 00000001'.
c) Select the correct client system that has the above registry entry present, and then select the entry. Also, please note that the registry browser allows you to select keys from the hives 'HKEY_LOCAL_MACHINE' and 'HKEY_USERS' only. Also, if the registry finder is unable to connect to the remote system, please ensure that the system is turned on, access is not blocked by a firewall and the Remote Registry service is not stopped.
d) Once done, the above registry entry is imported into the Group Policy console along with the desired path for that registry key in the workspace. Once done, the GPO should be deployed and, in this way, the registry key will be pushed and updated on all the client systems in that domain network.
• If you do not want to deploy this registry key to all the domain networks, you will have to create a new Group Policy object and select the appropriate OU from the Group Policy server while deploying it.
Getting an error ONLY while accessing Blob storage.
No issues in Queues, File Share or Table.
Any idea?
Unable to retrieve child resources.
Details:
["FetchError:request to https://fssaicessunsetsbxv1sa.blob.core.windows.net/?include=metadata&comp=list failed, reason: unable to get local issuer certificate"]
Error: Self-Signed Certificate in Certificate Chain, Unable to retrieve child resources.
Issue for me: I am attached to the office proxy server, but Azure Storage Explorer is not using that proxy.
Solution:
Azure Storage Explorer -> Edit -> Configure Proxy,
Source = "No proxy" changed to "Use system proxy (preview)"
After making these changes, I am able to access the resources.
Moreover, verify the permissions you have on the connection string.
You generate your connection string either through the Azure Portal or some apps. When you generate the connection string, you need to give "Allowed permissions". Besides Read/Write you also need the List permission so Storage Explorer can list the blobs. Here is a screenshot in Azure portal to check/uncheck the permissions:
Have you set any RBAC policies?
If you are connected to Azure through a proxy, verify that your proxy settings are correct. If you were granted access to a resource from the owner of the subscription or account, verify that you have read or list permissions for that resource.
If possible, can you try to uninstall and reinstall the latest version and check the status of the issue?
Azure Storage Explorer Troubleshooting: "unable to retrieve child resources" or "The request action could not be completed".
If the issue still persists after trying the above-mentioned steps, I would like to work closer on this issue. Let me know the status.
Warning: For the noobs!
If you are lucky, you can also fix it by closing and re-opening Visual Studio.
Reason: Authorization is tightly coupled with Azure.
Motivation: To err is human! Even software devs working at Microsoft are human.
I'm trying to deploy an instance of the Form Recognizer app in Azure. For that I'm following the instructions in the documentation: https://learn.microsoft.com/en-us/azure/cognitive-services/form-recognizer/deploy-label-tool
I have created the Docker instance and the connection, but the step to create the app is failing.
These are the parameters I'm using:
Display Name: Test-form
Source Connection: <previously created connection>
Folder Path: None
Form Recognizer Service Uri: https://XXX-test.cognitiveservices.azure.com/
API Key: XXXXX
Description: None
And this is the error I am getting:
I had the same error. It turned out to be due to incorrect SAS URI formatting because I generated and copied the SAS token via the Storage Accounts interface. It's much easier to get the correct format for the SAS URI if you generate it through the Storage Explorer (currently in Preview) as opposed to through the Storage Accounts.
If you read the documentation carefully it gives you a step by step guide
"To retrieve the SAS URL, open the Microsoft Azure Storage Explorer, right-click your container, and select Get shared access signature. Set the expiry time to some time after you'll have used the service. Make sure the Read, Write, Delete, and List permissions are checked, and click Create. Then copy the value in the URL section. It should have the form: https://.blob.core.windows.net/?"
Form Recognizer Documentation
The error messages point to a configuration issue with the AzureBlobStorageTemplate Thing. Most likely the containerName field for the Blob Storage Thing is empty or contains invalid characters.
Ensure the containerName is a valid Azure storage container name.
Check https://learn.microsoft.com/en-us/rest/api/storageservices/Naming-and-Referencing-Containers--Blobs--and-Metadata for more information.
A container name must be a valid DNS name.
The Connector loads and caches all configuration settings during startup. Any changes that you make to the configuration when troubleshooting are ignored until the Connector is restarted.
When creating the container connection, you must add the container into the SAS URI, such as
https://<storage-account>.blob.core.windows.net/<Enter-My-Container-Here>?<SAS Key>
You can also directly use the open source labeling tool, please see the section further down in the doc:
The OCR Form Labeling Tool is also available as an open-source project on GitHub. The tool is a web application built using React + Redux, and is written in TypeScript. To learn more or contribute, see OCR Form Labeling Tool.
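The SAS URI rules given in the answers above (container in the path, a valid container name, Read/Write/Delete/List permissions, an expiry still in the future) can be checked before the URL is pasted into the connection. This is an added example, not code from the posts or from Microsoft; the function name, the sample URLs and the public-cloud host suffix are assumptions.

```python
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Container naming rule: 3-63 characters, lowercase letters, digits and single
# hyphens, beginning and ending with a letter or digit.
CONTAINER_RE = re.compile(r"^(?=.{3,63}$)[a-z0-9]+(-[a-z0-9]+)*$")
REQUIRED_PERMS = set("rwdl")  # Read, Write, Delete, List

# Constructed sample URLs; account, container and signature are placeholders.
GOOD = ("https://examplestorage.blob.core.windows.net/forms-train"
        "?sv=2019-12-12&sr=c&sp=rwdl&se=2099-01-01T00%3A00%3A00Z&sig=PLACEHOLDER")
ACCOUNT_LEVEL = ("https://examplestorage.blob.core.windows.net/"
                 "?sv=2019-12-12&sp=rl&se=2099-01-01T00%3A00%3A00Z&sig=PLACEHOLDER")


def check_container_sas_url(url, now=None):
    """Return a list of problems found in a container-level SAS URL."""
    now = now or datetime.now(timezone.utc)
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme is not https")
    # Assumption: public-cloud blob endpoint suffix.
    if not (parts.hostname or "").endswith(".blob.core.windows.net"):
        problems.append("host is not a blob endpoint")
    container = parts.path.strip("/")
    if not container:
        problems.append("no container in the path")
    elif not CONTAINER_RE.match(container):
        problems.append("invalid container name")
    query = parse_qs(parts.query)
    if "sig" not in query:
        problems.append("no signature (sig) in the query string")
    missing = REQUIRED_PERMS - set(query.get("sp", [""])[0])
    if missing:
        problems.append("missing permissions: " + "".join(sorted(missing)))
    try:
        expiry = datetime.fromisoformat(query.get("se", [""])[0].replace("Z", "+00:00"))
        if expiry.tzinfo is None:  # date-only expiry values carry no zone
            expiry = expiry.replace(tzinfo=timezone.utc)
        if expiry <= now:
            problems.append("token has expired")
    except ValueError:
        problems.append("missing or unparseable expiry (se)")
    return problems


if __name__ == "__main__":
    for sample in (GOOD, ACCOUNT_LEVEL):
        print(check_container_sas_url(sample) or "ok")
```
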
I'm currently trying to set up an Azure Web App for Containers, linking it to an Azure Container Registry that lives inside a different subscription. That's why my initial thought was to use the Private Registry tab inside the Web App's Container Settings to enter the credentials of said registry.
However, when I save and reload the page, the settings of the Azure Container Registry tab are now populated and the Private Registry tab is empty. The issue is that I now get the following error:
2020-01-21 21:51:12.951 ERROR - DockerApiException: Docker API responded with status code=NotFound, response={"message":"pull access denied for cliswebapi, repository does not exist or may require 'docker login': denied: requested access to the resource is denied"}
I assume because no password was stored. How do I configure this properly?
While you use the private registry, the Azure Container Registry is also a private registry, and deploy to Web App for Containers, you need to set the environment variables here:
DOCKER_REGISTRY_SERVER_USERNAME - The username for the ACR server.
DOCKER_REGISTRY_SERVER_URL - The full URL to the ACR server. (For example, https://my-server.azurecr.io.)
DOCKER_REGISTRY_SERVER_PASSWORD - The password for the ACR server.
See more details in If you're using Azure Container Registry, you need to set some app settings.
And if you create multiple containers, all the images must be in the same registry. All in Docker Hub or Azure Container Registry. See more details in All images must use the same registry.
Update:
With the message that you deploy the Web App using the image in the ACR in a different subscription. It seems it's a bug in Web App and you can see the issue on GitHub. And the suggestion is that maybe you can use the service principal for the ACR to authenticate and the steps here.
I have spent some time on this issue and figured it out. Here is my solution:
Assuming we are having two subscriptions, let's call them SUB-A and SUB-B, where we are having an Azure Container Registry in SUB-A (called azurebluedev in my example).
Now we'd like to create an App Service in SUB-B that pulls its image of our container registry by using the admin username.
It's critical that you use the correct format under Image and tag in the docker blade when creating the app service. It must follow the format url/image:tag (without https) otherwise you will run into the described problem. I was using image:tag format beforehand which didn't work.
This worked for me!
I have been looking into the "Logic Apps designer" of Microsoft Azure for a couple of days. Thank you for your help! I am stuck on the following:
Context
I wanted to perform some actions interacting between multiple files in a Dropbox. The logic app was not proposing an off-the-shelf solution, hence I created a Python script that did exactly what I wanted.
I then decided to create an image of this script in order to be able to use it from the azure platform within the Logic Apps.
The containers registry contains the image I pushed to Azure and I created the container instance that includes only one image which is the python script.
Everything works.
Current structure
From what I read, it seems that we can run the container instance by using the action called create group container then adding a until action (run until state is equal to Succeeded) and finally using delete the container group.
I have a trigger that has been tested and that works.
Issue
When running the Logic App, the action create group container is failing:
"code": "InaccessibleImage",
"message": "The image '<name_of_the_image>' in container group '<name_of_the_group>' is not accessible. Please check the image and registry credential."
Question
How can I correct what seems to be a basic error on my part?
Where can this registry credential be appropriately corrected?
Update
I have tried removing everything, assigning myself "owner" role in the container registry, then adding the container instance, assigning myself "owner" role in the container instance, then rebuilt the logic app. I ran it again and I get the same error.
I figured out the issue.
Since in my case it is a private container registry, I needed to add the following to the action 'create group container': properties.imageRegistryCredentials.
In this, you will be required to enter the following information, which is available in the Access keys of the container registry:
[
  {
    "password": "<yourpassword>",
    "server": "<yourloginserver>",
    "username": "<yourusername>"
  }
]
So glad and I hope it helps others!
To set the credentials of ACI inside Create or update container group task in logic app you need to add a parameter (See the picture).
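Both registry threads above come down to the same two checks: the image must be written as url/image:tag without https, and a private registry needs a matching entry in properties.imageRegistryCredentials. The following sketch is an added example, not code from the posts or from Azure; the function names are hypothetical, the body layout (properties.containers[].properties.image) is assumed from the container group resource format, and the sample values are constructed from names quoted in the threads.

```python
def registry_of(image):
    """Registry host of an image reference, or None when it names no registry."""
    first, sep, _ = image.partition("/")
    # Docker treats the first path component as a registry only if it looks
    # like a host: it contains a dot or a port, or is "localhost".
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return None


def check_group(group):
    """Return the problems found in a container group request body (a dict)."""
    props = group["properties"]
    creds = props.get("imageRegistryCredentials", [])
    servers = {c.get("server", "").lower() for c in creds}
    problems = []
    for c in creds:
        if not c.get("username") or not c.get("password"):
            problems.append(f"credential for {c.get('server')!r} lacks username or password")
    for container in props.get("containers", []):
        image = container["properties"]["image"]
        if "://" in image:
            problems.append(f"{image!r}: remove the URL scheme")
            continue
        registry = registry_of(image)
        if registry is None:
            problems.append(f"{image!r}: no registry host, use url/image:tag")
        elif registry not in servers:
            problems.append(f"{image!r}: no imageRegistryCredentials for {registry}")
    return problems


def make_group(image, creds):
    """Build a minimal container group body for the checks (constructed sample)."""
    return {"properties": {
        "containers": [{"name": "job", "properties": {"image": image}}],
        "imageRegistryCredentials": creds,
    }}


# Constructed sample values; the tag and the login-server form are assumptions.
SAMPLE_CRED = {"server": "azurebluedev.azurecr.io",
               "username": "<yourusername>", "password": "<yourpassword>"}
SAMPLE_IMAGE = "azurebluedev.azurecr.io/cliswebapi:latest"

if __name__ == "__main__":
    for image, creds in ((SAMPLE_IMAGE, [SAMPLE_CRED]), (SAMPLE_IMAGE, []),
                         ("cliswebapi:latest", [SAMPLE_CRED])):
        print(check_group(make_group(image, creds)) or "ok")
```
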