I am a free tier aws user. I tried creating a group in IAM and created some user, in root user I created a policy which has no deletion policy, and I applied it to a group which I created.
But when I am accessing RDS by the user which I added into group, at that time I am not able to create any database. I am getting the respective error "You are not authorized to perform this operation. (Service: AmazonEC2; Status Code: 403; Error Code: UnauthorizedOperation; Request ID: 80839f5f-d08c-435d-850f-7ab185421d35; Proxy: null)"
Related
I have a Python script that creates a new AWS account from the master account. Then it uses assume_role to access the newly created account. I have a custom waiter to check that the account has created. However, not sure if due to a timing issue or something else, sometimes the assume_role shows AccessDenied. Putting in a time.sleep(x) seems to help. I was wondering if there was a better way to do this (Is it possible to make a custom waiter for assume_role?).
def assume_role(assumed_session, account_id, account_alias):
client = assumed_session.client('sts')
assumed_role_object = client.assume_role(
RoleArn = "arn:aws:iam::%s:role/MyCustomRole2" % account_id,
RoleSessionName = account_alias
)
time.sleep(x)
credentials = assumed_role_object['Credentials']
return credentials
The error I get occasionally is
('An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::XXXXXXXXXXXX:assumed-role/MyCustomRole1/my-org is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::YYYYYYYYYYYY:role/MyCustomRole2',)
I'm using Microsoft Graph API to fetch items from Sharepoint list. Everything has worked well and I have a token, which works for getting items from the list
Now I want to get a notice, when any item gets updated on that list. For that, I tried to create webhook with subscription with the same token. However when trying to create subscription, the API returns 403.
var subscription = new Subscription
{
Resource = "sites/{siteId}/lists/{listId}/",
NotificationUrl = "{notification url}",
ExpirationDateTime = DateTimeOffset.Now.AddDays(2),
ChangeType = "updated"
};
var res = await graphServiceClient.Subscriptions
.Request()
.AddAsync(subscription);
I have set the required Sites.ReadWrite.All permission to my app registration. The call to the API returns me
{
Error: Code: ExtensionError
Message: Operation: Create; Exception: [Status Code: Forbidden; Reason: Access denied. You do not have permission to perform this action or access this resource.]
Inner error:
AdditionalData:
request-id: 99445d24-8d09-45a5-98e7-05b99587fd7f
date: 2020-04-26T21:53:21
ClientRequestId: 99445d24-8d09-45a5-98e7-05b99587fd7f
}
Am I targeting wrong resource or is there any other permission, that app needs?
Edit: also tried using certificate to authorize, still nothing.
For creating a new webhook subscription, the application must have at least edit permissions to the SharePoint list where the subscription will be created (if the App is Azure AD). If the application is a SharePoint Add-in, You must grant 'Manage' or higher permission.
I have Azure Subscription with Default Directory with my company's account (myname#mycompany.com) as a guest.
I login to azure portal with this my company's account.
In the SQL Server, I have set Active Directory admin to an AAD group and I'm member of the group.
When I click Export (database) in Azure Portal, I select Active Directory authentication and type my username/password:
However I'm getting:
Failed to export the database: MyDatabase. ErrorCode: 400
ErrorMessage: There was an error that occurred during this operation :
'Error
encountered during the service operation. ; Exception
Microsoft.SqlServer.Management.Dac.Services.ServiceException:Unable to
authenticate request; Inner exception
System.Data.SqlClient.SqlException:Failed to authenticate the user
username#mycompany.com in Active Directory
(Authentication=ActiveDirectoryPassword).; Error code 0xCAA20003;
state 10; MSIS7068: Access denied.; '
Failed to authenticate the user username#mycompany.com in Active Directory (Authentication=ActiveDirectoryPassword).; Error code 0xCAA20003; state 10; MSIS7068: Access denied
According to the error information that it indicates that the user password is not correct.
Based on my test, it works correctly if you set the Active Directory admin to an AAD group and if you are a member of the group.
I am trying to login with username and password using Azure AD B2C with MSAL. After logging in, we are authenticating access token using web API which returns the resource token and after getting it we connect the DocumentClient using resource token as mentioned below, but when we try to perform the action like savedocument in Cosmos DB, facing following error
var Client = new DocumentClient(new System.Uri(App.accURL), resourceToken);
Message:
{"Errors": ["Authorization Token doesn't present sufficient permissions to serve the request."]}
ActivityId: 3360415e-b937-4061-b74d-485d44550df2,
Request URI: /apps/7dc938ac-8c47-4af3-9760-5e80284624b0/services/4344f786-4b9a-4293-ab0a-d27a5ccae76a/partitions/26b66fff-1ad2-47dc-90c8-cc9ee7b0d23b/replicas/131448621059935679p: Error: ...
when we try to perform the action like savedocument in cosmosDB, facing following error. Authorization Token doesn't present sufficient permissions to serve the request.
AFAIK, we can associate only one permission to a specific resource for a user. And there are only two permission modes: All (Read, write, delete permissions) or Read. I would recommend you checking the permissionMode, ResourceLink, ResourceTokenExpirySeconds if you specified for your user have correctly configured.
You could List Permissions for a user and use DocumentClient.ReadPermissionFeedAsync for retrieving the permissions for a user. Additionally, you could refer to the related tutorials Permissions in Azure DocumentDB and Cosmos DB > Permissions.
If you still could not locate this issue, please updated your question with the related code for granting permission for your user and leverage fiddler to collect the network traces when using the resourceToken token for accessing resources.
I need to be able to get the signed in user's group membership so that I can verify whether he is part of a specific group. However I am getting "Insufficient privileges to complete the operation." exception using the Azure AD graph API client library.
I am a co-admin of a subscription and I have created a new Azure AD application to authenticate against the default directory and configured the "Permission to Other application" section as in the below screenshot.
Azure AD Application Configuration
I am able to fetch the signed in user details, but when I try to call MemberOf function, then I get the above exception. Please let me know what I am missing here. Thanks in advance!
string objectId = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value; // object id of the signed in user
ActiveDirectoryClient client = AuthenticationHelper.GetActiveDirectoryClient();
IUser user = await client.Users.GetByObjectId(objectId).ExecuteAsync();
var userFetcher = (IUserFetcher)user; // able to fetch the signed in user
IPagedCollection<IDirectoryObject> pagedCollection = await userFetcher.MemberOf.ExecuteAsync(); // getting error here - "Insufficient privileges to complete the operation."
The problem here was that I had selected the permissions outside the 'personal scope' (Access the directory as the signed in user, Read directory data).
Hence, it needed consent from the service administrator of the subscription associated to the directory. Once the admin logs into the app and approves the consent screen, the code should stop giving insufficient privileges exception.