I am trying to add the following permission to an Azure role due to an error I am seeing in the logs - Microsoft.Web/sites/host/properties/read. However, I can't find this permission to apply when I edit the role definition. Any idea?
Glad JakeUT that you resolved the issue using the */read permission.
As per this Microsoft documentation, that permission _Microsoft.web/sites/host/properties/read_ is not found. After _Microsoft.web/sites/host/_ - listkeys/action, sync/action, listsyncstatus/action, functionkeys/write, functionkeys/delete, systemkeys/write and systemkeys/delete are available.
And from this GitHub Article, it is said that:
If the resource type is dynamic and the required permission is standard across all supported resource types (e.g. read, write), you can use relative permissions by replacing the resource type with "." or "{resourceType}". For instance, if checking read access on a website, you can check for "./read", which will be evaluated as "Microsoft.Web/sites/read". For a website deployment slot, this would be evaluated as "Microsoft.Web/sites/slots/read".
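The thread's fix works because wildcard entries in a role's Actions are pattern-matched against the operation name, so `*/read` covers an operation that is absent from the published list. The sketch below is an added example, not code from the thread or from Microsoft: it models Actions minus NotActions with case-insensitive `*` matching (an assumption of this sketch), and the role definitions, the narrower `Microsoft.Web/sites/*/read` pattern and the unrelated operations are constructed for illustration.

```python
import re

def _to_regex(pattern):
    # '*' matches any run of characters, including '/'; the rest is literal.
    # Case-insensitive comparison is an assumption of this sketch.
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")),
                      re.IGNORECASE)

def matches(pattern, operation):
    return _to_regex(pattern).fullmatch(operation) is not None

def is_allowed(role, operation):
    """Effective permission: matched by Actions and not by NotActions."""
    granted = any(matches(p, operation) for p in role.get("Actions", []))
    excluded = any(matches(p, operation) for p in role.get("NotActions", []))
    return granted and not excluded

# Operation named in the question's log error.
NEEDED = "Microsoft.Web/sites/host/properties/read"

# Constructed role definitions (only the fields this sketch uses).
LISTED_ONLY = {"Actions": ["Microsoft.Web/sites/read",
                           "Microsoft.Web/sites/host/listkeys/action"],
               "NotActions": []}
BROAD = {"Actions": ["*/read"], "NotActions": []}
# Hypothetical narrower pattern; the thread does not confirm it was tried.
SCOPED = {"Actions": ["Microsoft.Web/sites/*/read"], "NotActions": []}

# Constructed operations outside Microsoft.Web, used to show over-grant.
UNRELATED = ["Microsoft.KeyVault/vaults/read",
             "Microsoft.Storage/storageAccounts/read"]

def extra_reads(role):
    """Unrelated read operations that the role also grants."""
    return [op for op in UNRELATED if is_allowed(role, op)]

if __name__ == "__main__":
    for name, role in [("listed-only", LISTED_ONLY), ("broad", BROAD),
                       ("scoped", SCOPED)]:
        print(name, is_allowed(role, NEEDED), extra_reads(role))
```
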
Related
I was trying webhook to send email in chatbot (dialogflow). Getting following error (log entry).
What may be the reason?
message: "Permission 'cloudfunctions.functions.setIamPolicy' denied on resource 'projects/rare-shadow-276706/locations/us-central1/functions/dialogflowFirebaseFulfillment' (or resource may not exist)."
The issue
This is an issue with the proper permissions, and the service account permissions. What's happening is the dialogflowFirebaseFunction needs to have the setIamPolicy role.
The fix
You can achieve this when you (the user) have the roles/iam.securityAdmin role. Check this out for more info. Other roles may also work, but this role will suffice. I would suggest also deleting the existing cloud function, get the new role, and then create the cloud function again.
Solved
After setting Project Owner role, no error.
Thanks
Am trying to configure the latest Airflow 1.10.10 with the new RBAC UI, wanted it to be single sign on.
tried the DB/LDAP options but this required user id/password to login.
trying to set up REMOTE_USER but not able to find good documentation or examples on how get it working.
enabled the below setting the airflow_webserver.cnfg file
AUTH_TYPE= AUTH_REMOTE_USER
and enabled kerberos in core section on airflow.cnfg file, when restarted the webserver it gives the below error
{decorators.py:113} WARNING - Access is Denied for: can_index on: Airflow
need help to resolve this.
When I first tried to access the UI without logging in (i.e. as a Public user), I got the {decorators.py:113} WARNING - Access is Denied for: can_index on: Airflow. Adding can_index to Public role should allow the UI to load so you can then log in. I'm unfamiliar with using a REMOTE_USER, but I imagine adding similar permissions to a role and assigning it to the REMOTE_USER would help.
I have built a feature for grammar check and am trying it with some different AI APIs.
I am trying to get it to work with Bing API and am using dev.cognitive to test but am always getting permission denied: https://dev.cognitive.microsoft.com/docs/services/5f7d486e04d2430193e1ca8f760cd7ed/operations/56e73036cf5ff81048ee6727/console
These are the steps I took:
- Created a Resource and Cognitive Services service
- Copied the Key 1
- Accessed the link above to test it and I am getting:
Date: Mon, 18 Nov 2019 18:51:32 GMT
Content-Length: 224
{"error":{"code":"401","message":"Access denied due to invalid subscription key or wrong API endpoint. Make sure to provide a valid key for an active subscription and use a correct regional API endpoint for your resource."}}
The query parameters are:
mode: proof
mkt: en-us
I appreciate if someone can help.
Thanks!
Can you try replacing the resource Name with the resource you have created? I just tried with a new resource created and it works fine.
I had created a Cognitive Services service as a multi-service resource and there they didn't make me specify I was using this for Bing Spell Check.
I created a new one but this time as a Single Service Resource: https://portal.azure.com/#create/Microsoft.CognitiveServicesBingSearch-v7
and selected the correct price tier for what I needed (either S1 or S2) and it now works.
My previous multiservice cognitive service had an endpoint ending like this: .api.cognitive.microsoft.com/
and for this purpose, it will only work when you have an endpoint like this: .cognitiveservices.azure.com/bing/v7.0
Also wanted to give thanks to #Sajeetharan for giving me his time and helping me to get to my resolution.
Seems that the required header Ocp-Apim-Subscription-Key is not being passed or it contains the wrong value. You can find a full working sample in here: https://learn.microsoft.com/en-us/azure/cognitive-services/bing-spell-check/quickstarts/csharp
Context
I am willing to get a resource details with the Azure REST API. And more particularly, I want to get the IAM associated with a resource.
Problem
So, I searched in the doc reference and found that endpoint: https://learn.microsoft.com/en-us/rest/api/resources/resources/get which provides an identity response attribute that meets my needs.
However, I can't find any information about the required path parameter parentResourcePath. What does that parameter mean and how can I get its value for a specific resource ?
Also, when I tried going through the resources group path, I can get a path to the resource details but without the parentResourcePath parameter, and the response doesn't include the identity attribute.
Finally, am I going the right way (using GET resource API) ? And if so, where can I find that parentResourcePath value ?
Actually, you have a better choice - Resources - Get By Id.
The path /subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{parentResourcePath}/{resourceType}/{resourceName} in the Resources - Get API is named resourceId, which is used in Resources - Get By Id.
But if you combine the properties manually, it is not easy; Azure has many different resource providers and resource types.
Generally, you could find the resourceId in your resource in the portal -> Properties. Also, the response of this API will include the identity which you need.
Sample:
Get a web app resource.
The resourceId is like /subscriptions/xxxxxxx/resourceGroups/joywebapp/providers/Microsoft.Web/sites/joywebapp2.
You can click Try it in the doc to try the api.
Response:
Well I made it through the Role assignment list for scope endpoint, giving the subscription/resourcegroup/resource in the scope. And the output contains a principalId attribute that seems to point to a user or group or service principal.
Ref: https://learn.microsoft.com/en-us/rest/api/authorization/roleassignments/listforscope
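To make the `parentResourcePath` question in this thread concrete, the added example below (not code from the thread or from Microsoft) splits a resource ID into the path parameters of Resources - Get and builds the Resources - Get By Id request URL. The nested `slots/staging` ID is constructed, and `api_version` is left for the caller to supply.

```python
import re

_RID = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)"
    r"/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/(?P<ns>[^/]+)/(?P<rest>.+)$",
    re.IGNORECASE,
)

def split_resource_id(resource_id):
    """Map a resource-group-scoped resource ID onto the Resources - Get
    path parameters. Everything between the namespace and the final
    type/name pair is the parentResourcePath (empty for a top-level
    resource)."""
    m = _RID.match(resource_id.rstrip("/"))
    if not m:
        raise ValueError("not a resource-group-scoped resource ID")
    segments = m.group("rest").split("/")
    if len(segments) % 2 or not all(segments):
        raise ValueError("expected type/name pairs after the namespace")
    return {
        "subscriptionId": m.group("sub"),
        "resourceGroupName": m.group("rg"),
        "resourceProviderNamespace": m.group("ns"),
        "parentResourcePath": "/".join(segments[:-2]),
        "resourceType": segments[-2],
        "resourceName": segments[-1],
    }

def get_by_id_url(resource_id, api_version):
    """URL for Resources - Get By Id; api_version is caller-supplied."""
    rid = resource_id.rstrip("/")
    split_resource_id(rid)  # reject malformed IDs before building the URL
    return f"https://management.azure.com{rid}?api-version={api_version}"

# Resource ID from the answer above (subscription already redacted there).
WEB_APP = ("/subscriptions/xxxxxxx/resourceGroups/joywebapp"
           "/providers/Microsoft.Web/sites/joywebapp2")
# Constructed child resource to show a non-empty parentResourcePath.
SLOT = WEB_APP + "/slots/staging"

if __name__ == "__main__":
    print(split_resource_id(WEB_APP))
    print(split_resource_id(SLOT))
```
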
I have a requirement to delete some roles from an app registration.
Have tried to do this on the Azure portal both directly in the manifest editor and by downloading / editing / uploading the manifest JSON.
I get the following error:
Failed to update application xxxxxx. Error details:
CannotDeleteEnabledEntitlement.
I also tried to set "isEnabled" property to "false" and delete the roles after that with no success.
Anyone have any pointers on how to overcome this issue?
As you mentioned in your post, the deletion of any OAuth2Permission is a 2 step process:
You must first disable the permission, and push that to the directory.
Then you can delete the permission.
The error message you are showing in your post is a result of you not disabling the permission first. You will need to share details about the error you get if trying to delete the disabled permission fails as well.