I am working on this MS Azure article: Connect to and manage Azure Synapse Analytics workspaces in Azure Purview. But in Grant permission to use credentials for external tables section of the article, when I run the following query, I get the error shown below:
SQL:
GRANT REFERENCES ON DATABASE SCOPED CREDENTIAL::[mySynapseWorkspace] TO [myPurviewAccountName];
Error:
mismatched input 'SCOPED' expecting ':'
Question: What may be a cause of the error, and how can we fix it?
I learn from a similar issue logged that you should be providing your credential name and username instead.
Try,
GRANT REFERENCES ON DATABASE SCOPED CREDENTIAL::[your_credential_name] TO [your_username];
Related
I am trying to retrieve the web job history of an Azure web job via REST using a .NET backend and the OAuth2 credentials flow (as described here
https://learn.microsoft.com/en-us/rest/api/appservice/web-apps/get-triggered-web-job-history-slot)
How do I need to authenticate correctly?
I retrieve the token as follows:
POST https://login.microsoftonline.com/{MySubscription}/oauth2/v2.0/token
client_id={MyApp}
&grant_type=client_credentials
&scope=https://management.azure.com/.default
&client_secret={myclient_secret}
I get a token back, however I get a 403 error message when I try to retrieve the resource:
GET https://management.azure.com/subscriptions/{MySubscription}/resourceGroups/{MyResource}/providers/Microsoft.Web/sites/{MyApp}/slots/{MySlot}/triggeredwebjobs/{MyWebjob}/history?api-version=2021-02-01
Authorization: Bearer {MyToken}
Client '{MyApp}' with object ID '{MyApp}' is not
authorized to perform the action
'Microsoft.Web/sites/slots/triggeredwebjobs/history/read' using the
scope
'/subscriptions/{MySubscription}/resourceGroups/{MyResource}/providers/Microsoft.Web/sites/{MyApp}/slots/{MySlot}/triggeredwebjobs/{MyWebjob}'
or the scope is invalid. If access was granted recently, please update
your credentials.
What am I doing wrong?
I already added the API-Permission
The "403 Token invalid" error usually occurs if you missed giving permissions to particular scope (Azure Service Management).
By giving this scope it enables you to access https://management.azure.com
To resolve this error, please follow below steps:
Go to Azure Ad ->your application -> API permissions -> Add permission -> Azure Service Management -> delegated permissions ->User impersonation -> Add
After giving these permissions try to retrieve the resource again, there won't be any error.
Since I didn't find a solution that worked with OAuth2 and the Credentials flow, I got it working with Basic Authentication. The username (userName) and password (userPWD) can be taken from the publishing profile of the respective app service.
GET https://{appservicename}.scm.azurewebsites.net/api/triggeredwebjobs/{jobName}/history
Authorization Basic ....
I am trying to use the following git repo in order to connect to azure ams, upload a video and stream it:
https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/AMSv3Samples/StreamFilesSample/index.ts
For some reason I am keep getting the following error:
The client 'XXX' with object id 'XXX' does not have authorization to perform action 'Microsoft.Media/mediaServices/transforms/write' over scope '/subscriptions/XXX/resourceGroups/TEST-APP/providers/Microsoft.Media/mediaServices/TESTAMP/transforms/ContentAwareEncoding' or the scope is invalid. If access was recently granted, please refresh your credentials
The AD user is owner but I understand it is a permission issue.
I searched all over the web for hours what permission do I need to grant and where but could not find any solution
The error get thrown here:
let encodingTransform = await mediaServicesClient.transforms.createOrUpdate(resourceGroup, accountName, encodingTransformName, {
name: encodingTransformName,
outputs: [
{
preset: adaptiveStreamingTransform
}
]
});
of course, I have updated the .env file to the correct data of my azure account.
Can anyone point out what am I missing and how to grant this permission?
Thanks!
The error message is referring to your Service Principal that is being used to authenticate against the AMS SDK.
Double check that you entered the GUID values for the service principal ID and Key, and make sure you did not use the friendly name in there.
AADCLIENTID="00000000-0000-0000-0000-000000000000"
AADSECRET="00000000-0000-0000-0000-000000000000"
Also, double check in IAM Access control in the portal that the service principal exists under the Role Assignments for your Media Services account and has Contributor or Owner permission Role first.
If you are in an Enterprise that locks down AAD access - you may need to work with your AAD owner/admin to make these changes and grant the service principal the right roles for your account. That's a bit outside of Media Services, and is just general Azure AAD application creation rights, and role assignments.
If you are still hitting issues, I would file a support ticket and also ask your AAD administrator to assign the role permisssion to your service principal.
As an aside, we are also working on updated Node.js SDK samples for the upcoming (soon!) release of the 10.0.0 Javascript SDK.
See the beta samples here - https://github.com/Azure-Samples/media-services-v3-node-tutorials/tree/10.0.0-beta.1
I am trying to connect snowflake using python connector but i am facing problem while connecting to a specific role. even i have access to that role at snowflake web application but i am not able to connect with that same role using python connector. i am only able to connect with PUBLIC role.
I am using following script:
conn = snowflake.connector.connect(
user=USER,
password=PASSWORD,
role=ROLE,
account=ACCOUNT,
warehouse=WAREHOUSE,
database=DATABASE,
schema=SCHEMA,
autocommit=False
)
I am getting following error:
DatabaseError: 250001 (08001): Failed to connect to DB:
account_name.east-us-2.azure.snowflakecomputing.com:443. Role
'ANALYST_ROLE' specified in the connect string does not exist or not
authorized. Contact your local system administrator, or attempt to
login with another role, e.g. PUBLIC.
Here are some hints:
In Snowflake Role names are case sensitive. Maybe you have some quoting issues in your original code, i.e. please check your '', "", lower- or uppercase or simply use the original role name without some quotation marks.
Maybe the role has not enough privileges to operate on your db/schemas and thus it says "not authorized".
You can try to add the role manually before: Account -> Roles
I caught the error, I just made a very slight mistake(single character mistake) in my role name. due to very large name, i could not see it. I am able to connect now.
the role name mentioned here is fake for security reason so don't assume that.
TL;DR: Authentication to Databricks using managed identity fails due to wrong audience claim in the token.
Technical details: When acquiring token to access databricks using managed identity (with http://169.254.169.254/metadata/identity/oauth2/token API), the returned token audience is 'spn:2ff814a6-3304-4ab8-85cb-cd0e6f879c1d' instead of '2ff814a6-3304-4ab8-85cb-cd0e6f879c1d'.
When trying to use the acquired token, I get the following error:
Error 400 io.jsonwebtoken.IncorrectClaimException: Expected aud claim to be: 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d, but was: spn:2ff814a6-3304-4ab8-85cb-cd0e6f879c1d.
It seems that the audience is always prefixed with 'spn:' in case of the resource being a guid and not a url.
I also tried to use the databricks app url ('https://azuredatabricks.net/') as the resource, but the token was not accepted here also.
Is this a known issue? Are there any workarounds (other than using the service principal method)?
Thanks!
I can also reproduce your issue, it looks like a bug, using managed identity with Azure Container Instance is still a preview feature.
I also test the same user-assigned managed identity with a Linux VM with the same curl command, it works fine.
I am trying to login with username and password using Azure AD B2C with MSAL. After logging in, we are authenticating access token using web API which returns the resource token and after getting it we connect the DocumentClient using resource token as mentioned below, but when we try to perform the action like savedocument in Cosmos DB, facing following error
var Client = new DocumentClient(new System.Uri(App.accURL), resourceToken);
Message:
{"Errors": ["Authorization Token doesn't present sufficient permissions to serve the request."]}
ActivityId: 3360415e-b937-4061-b74d-485d44550df2,
Request URI: /apps/7dc938ac-8c47-4af3-9760-5e80284624b0/services/4344f786-4b9a-4293-ab0a-d27a5ccae76a/partitions/26b66fff-1ad2-47dc-90c8-cc9ee7b0d23b/replicas/131448621059935679p: Error: ...
when we try to perform the action like savedocument in cosmosDB, facing following error. Authorization Token doesn't present sufficient permissions to serve the request.
AFAIK, we can associate only one permission to a specific resource for a user. And there are only two permission modes: All (Read, write, delete permissions) or Read. I would recommend you checking the permissionMode, ResourceLink, ResourceTokenExpirySeconds if you specified for your user have correctly configured.
You could List Permissions for a user and use DocumentClient.ReadPermissionFeedAsync for retrieving the permissions for a user. Additionally, you could refer to the related tutorials Permissions in Azure DocumentDB and Cosmos DB > Permissions.
If you still could not locate this issue, please updated your question with the related code for granting permission for your user and leverage fiddler to collect the network traces when using the resourceToken token for accessing resources.