Azure azcopy fails after successful AAD authentication - azure

I am trying to use the azcopy tool from Ubuntu 20.04 to upload a file to Azure Blob.
I am authenticated with AAD and an SP:
export AZCOPY_SPA_CLIENT_SECRET="12345678"
azcopy login --service-principal --application-id abc --tenant-id=xyz
Here I get auth success:
INFO: SPN Auth via secret succeeded.
However when I run:
azcopy copy './myfile' 'https://mystorageacc.blob.core.windows.net/mycontainer/myfile'
I get this error:
failed to perform copy command due to error: Login Credentials missing. No SAS token or OAuth token is present and the resource is not public
Obviously the AAD service principals are in the role 'Storage Blob Data Contributor' of the storage account.
What is wrong? Thanks.

The answer to the issue 'No SAS token or OAuth token is present' is to run the keyctl session workaround:
keyctl session workaroundSession
This issue was identified and the keyctl workaround can be found here - Azcopy login/logout fails
https://github.com/Azure/azure-storage-azcopy/issues/452

Related

Azure active directory - Get access token using Azure CLI

My objective is to get access token for a user for a resource( an AD app present in the tenant)
I have been able to get access token for a service principal by using
az login --service-principal -u -p --tenant --allow-no-subscriptions
az account get-access-token --resource
Now when I try to achieve the same for a user by switching service-principal login by user login(az login)
az login
az account get-access-token --resource
This however gives an error
Get Token request returned http error: 400 and server response: {"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID 'abc'. Send an interactive authorization request for this user and resource.\r\nTrace ID: 19fdf309-f9ef-423b-8c18-7cd9269b0700\r\nr\nTimestamp: 2019-11-21 09:03:25Z","error_codes":[65001],"timestamp":"2019-11-21 09:03:25Z","trace_id":"19fdf309-f9ef-423b-8c18-7cd9269b0700","correlation_id":"2aafc4e4-0c1b-42b3-ba59-afe09bbe9fb5","suberror":"consent_required"}
Can someone help me understand why this is the case?
Thanks in advance!
You are trying to get a token for <APP ID Uri> using Azure CLI, whose client ID is exactly 04b07795-8ddb-461a-bbee-02f9e1bf7b46.
Go to the resource (App in AD) -> Expose an API -> Add client application with 04b07795-8ddb-461a-bbee-02f9e1bf7b46 and check the scope.
Then get the access token again.

Azure ADLS gen2 listing folders given authentication error using rest api and service principal

I have a storage account in Azure with ADLS Gen2 (hierarchical namespace enabled). I have created an app and a service principal. I have also created a container in the storage account and a folder inside that container. Using ACLs I have given execute permission on the container and read and write permission on the folder.
I am able to copy data using azcopy to the directory I have created inside the container.
I would like to list the data I have copied. Since azcopy list does not work, I tried using the REST API.
Using a POST request to
https://login.microsoftonline.com//oauth2/v2.0/token
client_id : app_id
client_secret : secret
grant_type : client_credentials
scope : https://storage.azure.com/.default
I get a token. When I use this token here
https:///?directory=&resource=filesystem&recursive=true
Authorization = Bearer
x-ms-version : 2019-02-02
I get this error
{
"error": {
"code": "AuthorizationPermissionMismatch",
"message": "This request is not authorized to perform this operation using this permission.\nRequestId:0cd2e016-601f-003b-5fbe-5870a7000000\nTime:2019-08-22T07:50:06.5848071Z"
}
}
What am I missing here?
It requires **Read and Execute** permission to list the contents of the directory.
I would suggest you give both Read and Execute permissions to the application.
Reference:
https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/storage/blobs/data-lake-storage-access-control.md
Please try and see if it works.
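Added example, not code from either the question or the answer above: a small Python script that parses the POSIX-style ACL strings ADLS Gen2 uses and checks whether a service principal (identified by its object ID) can list a directory. It encodes the rule from the answer: the principal needs execute on the container to traverse it and both read and execute on the directory itself, so the question's "read and write" grant is not enough. The `list_path` call mirrors the question's request; it assumes the standard `<account>.dfs.core.windows.net` endpoint, which the question elides, and is a network call that the offline part does not exercise. All ACL strings and object IDs below are constructed.

```python
from dataclasses import dataclass
import json
import urllib.request
from urllib.parse import urlencode


@dataclass(frozen=True)
class AclEntry:
    scope: str      # "user", "group", "other" or "mask"
    qualifier: str  # principal object ID for named entries, "" for owner/owning group/other
    perms: str      # three characters from "rwx-", e.g. "r-x"


def parse_acl(acl: str) -> list:
    """Parse the ACL string ADLS Gen2 reports for a path (the x-ms-acl value),
    e.g. 'user::rwx,group::r-x,other::---,user:<oid>:r-x'.
    'default:' entries only shape children created later and are skipped."""
    entries = []
    for item in acl.split(","):
        item = item.strip()
        if not item or item.startswith("default:"):
            continue
        scope, qualifier, perms = item.split(":")
        entries.append(AclEntry(scope, qualifier, perms))
    return entries


def effective_perms(entries: list, principal_oid: str) -> str:
    """Permission bits a named principal gets on one path.

    A named user entry wins, capped by the mask entry (POSIX ACL semantics);
    with no named entry the principal falls back to 'other'. Owner and
    owning-group entries are ignored because a service principal granted
    only named entries, as in the question, is neither; named group entries
    are not resolved here since that would need group membership lookups.
    """
    mask = next((e.perms for e in entries if e.scope == "mask"), "rwx")
    for e in entries:
        if e.scope == "user" and e.qualifier == principal_oid:
            return "".join(p if p == m and p != "-" else "-" for p, m in zip(e.perms, mask))
    return next((e.perms for e in entries if e.scope == "other"), "---")


def can_list_directory(container_acl: str, directory_acl: str, principal_oid: str) -> bool:
    """Listing <container>/<dir> needs execute (traverse) on the container and
    read plus execute on the directory; read and write on the directory alone
    is what yields AuthorizationPermissionMismatch."""
    traverse = "x" in effective_perms(parse_acl(container_acl), principal_oid)
    dir_perms = effective_perms(parse_acl(directory_acl), principal_oid)
    return traverse and "r" in dir_perms and "x" in dir_perms


def list_path(account: str, filesystem: str, directory: str, token: str) -> dict:
    """The listing request from the question against the assumed DFS endpoint.
    Requires network access and a real bearer token."""
    query = urlencode({"directory": directory, "resource": "filesystem", "recursive": "true"})
    url = f"https://{account}.dfs.core.windows.net/{filesystem}?{query}"
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "x-ms-version": "2019-02-02",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed object ID and ACLs reproducing the question's setup.
    oid = "11111111-1111-1111-1111-111111111111"
    container = f"user::rwx,group::r-x,other::---,user:{oid}:--x"
    folder_rw = f"user::rwx,group::r-x,other::---,user:{oid}:rw-"
    folder_rx = f"user::rwx,group::r-x,other::---,user:{oid}:r-x"
    print("read+write on folder:", can_list_directory(container, folder_rw, oid))
    print("read+execute on folder:", can_list_directory(container, folder_rx, oid))
```

The ACL string format is the one returned by the Get Properties (action=getAccessControl) call, so the checker can be fed the real ACLs of the container and the directory before retrying the listing.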

Can't get access token for custom AD Application

When attempting to get an access token for a custom AD Application, using az account get-access-token --resource '<APP ID Uri>', I receive the following error:
AADSTS65001: The user or administrator has not consented to use the application with ID '04b07795-8ddb-461a-bbee-02f9e1bf7b46' named 'Microsoft Azure CLI'. Send an interactive authorization request for this user and resource.
04b07795-8ddb-461a-bbee-02f9e1bf7b46 is not my application id, and my application has had administrator consent granted. I've tried putting this id in an interactive login request with no change in behavior.
get-access-token works fine when the resource is a defined MS endpoint like https://database.windows.net or https://vault.azure.net/
My goal is to have Azure App Services with Managed Service Identity authenticating to each other with short-lived AD bearer tokens. Each service has a configured audience that corresponds to the AD App.
Running az account get-access-token --resource '<APP ID Uri>' from the local CLI, you are trying to get a token for '<APP ID Uri>' using Azure CLI, whose client ID is exactly 04b07795-8ddb-461a-bbee-02f9e1bf7b46.
To handle this you could go to:
Azure Active Directory → App registrations → {your app} → Expose an API → Add client application with:
ID: 04b07795-8ddb-461a-bbee-02f9e1bf7b46
Authorized scopes: check '<APP ID Uri>'
To make sure you have the right ID you could run az account get-access-token, paste the token into jwt.io and find the value of "appid".
Documentation reference:
Application IDs for commonly used Microsoft applications
I can reproduce your issue with --resource '<APP ID Uri>' if I log in to the CLI with a user account.
If I log in with a service principal, it works fine.
You could try to log in to the Azure CLI with a service principal; refer to this link.
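Added example, not code from any of the answers above, serving both this answer and the earlier one about AADSTS65001 ("Azure active directory - Get access token using Azure CLI"): a Python script that decodes the claims of the token returned by az account get-access-token on the local machine, so that the "appid" and "aud" values can be checked without pasting a bearer token into a third-party site. It shows that the token is requested by the Azure CLI client ID quoted in the answers, which is why that ID must be listed as an authorized client application for the API's scope. The signature is not verified; this is inspection only. The sample token, claims and App ID URI are constructed; `token_from_az_json` assumes the `accessToken` field that az prints in its JSON output.

```python
import base64
import json

# Well-known application (client) ID of the Azure CLI, as quoted in the answers.
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).

    The signature is deliberately NOT verified: this reads appid/aud/tid locally
    instead of pasting the token into a web site. Never use it to authorize anything.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def token_from_az_json(text: str) -> str:
    """Extract the bearer token from the JSON that az account get-access-token prints."""
    return json.loads(text)["accessToken"]


def explain_cli_token(claims: dict, app_id_uri: str) -> str:
    """Explain from the claims who requested the token and for which audience.

    app_id_uri is the value that was passed to --resource (the API's App ID URI).
    """
    aud = claims.get("aud")
    appid = claims.get("appid")
    if aud != app_id_uri:
        return f"token audience is {aud!r}, not {app_id_uri!r}: wrong --resource value"
    if appid == AZURE_CLI_APP_ID:
        return ("token was requested by the Azure CLI client (appid "
                f"{AZURE_CLI_APP_ID}); add that ID under Expose an API -> "
                f"Authorized client applications for the scope of {app_id_uri}")
    return f"token was requested by client {appid} for {aud}"


def make_sample_token(claims: dict) -> str:
    """Build an unsigned ('alg': 'none') JWT from constructed claims, for offline use only."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed claims mirroring a user-login token for a custom App ID URI.
    sample = make_sample_token({
        "aud": "api://contoso-orders",
        "appid": AZURE_CLI_APP_ID,
        "tid": "00000000-0000-0000-0000-000000000000",
        "upn": "alice@contoso.example",
    })
    print(explain_cli_token(decode_jwt_claims(sample), "api://contoso-orders"))
```

In practice the script is fed with `az account get-access-token --resource '<APP ID Uri>' | python inspect_token.py`, reading stdin through `token_from_az_json`; the sample token in `__main__` only exists so the logic can be run without an Azure login.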

Obtaining an access token for MSI enabled web application

I have a Web API project hosted in Azure as a web app with Managed Service Identity enabled (so I don't need an app registration, right?).
Now I need to obtain a token to access my API so that I can use it in POSTMAN:
az login
az account get-access-token --resource "https://mytenant.onmicrosoft.com/d3a219e0-bbbf-496b-a4a4-b9ca485c5a52"
which gives me
Get Token request returned http error: 400 and server response:
{"error":"invalid_resource","error_description":"AADSTS50001: The application named https://mytenant.onmicrosoft.com/d3a219e0-bbbf-496b-a4a4-b9ca485c5a52 was not found in the tenant named xxxxxxxx-xxxx-xxxx-af31-xxxxxxxxxx. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.
I get the same error if I try to use object id 63d571cf-79bf-405d-8304-a31fb64cb953 instead of app id as part of resource uri.
What am I doing wrong?
az account get-access-token is used to get a token to access Azure resources. We could get more information from this document.
--resource
Azure resource endpoints. Default to Azure Resource Manager. Use 'az cloud show' command for other Azure resources.
The resource should be one of the following endpoints, and the default resource is https://management.azure.com/
"endpoints": {
"activeDirectory": "https://login.microsoftonline.com",
"activeDirectoryDataLakeResourceId": "https://datalake.azure.net/",
"activeDirectoryGraphResourceId": "https://graph.windows.net/",
"activeDirectoryResourceId": "https://management.core.windows.net/",
"batchResourceId": "https://batch.core.windows.net/",
"gallery": "https://gallery.azure.com/",
"management": "https://management.core.windows.net/",
"resourceManager": "https://management.azure.com/",
"sqlManagement": "https://management.core.windows.net:8443/",
"vmImageAliasDoc": "https://raw.githubusercontent.com/Azure/azure-rest-api-specs/master/arm-compute/quickstart-templates/aliases.json"
}
Based on my understanding, the command has no relationship with your API access.
For more information about MSI and how to protect an API by using OAuth 2.0 with Azure Active Directory, please refer to this tutorial and this tutorial.
The resource URI does not contain your Application Id nor Object Id.
It is a separate identifier that you can find from the App Registration's Properties under App ID URI.
And since this is an MSI-generated service principal, there is no app. I think you have to register an app in this case.

Key Vault 403 during getting access via MSI token

I need to get an access token from my keyvault via MSI.
I followed the guide to enable MSI. MSI is enabled and the necessary extension was installed.
I followed this guide to add access control for the Key Vault to my VM. The VM is a contributor of the Key Vault.
I try to get an access token according to this guide and get 403 when I try to access the Key Vault.
Step 3 in detail:
curl http://localhost:50342/oauth2/token --data "resource=https://vault.azure.net" -H Metadata:true
curl https://<YOUR-KEY-VAULT-URL>/secrets/<secret-name>?api-version=2016-10-01 -H "Authorization: Bearer <ACCESS TOKEN>"
When I run step 2 I get a 403 error.
I tried to replace 'https://vault.azure.net' with 'https://' but I got another error:
{"error":"invalid_resource","error_description":"AADSTS50001: The application named https://<YOUR-KEY-VAULT-URL> was not found in the tenant named <A tenant ID>.This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.\r\nTrace ID: 7365f8f5-791f-4131-88f8-9466cadc4d00\r\nCorrelation ID: e18e0e5e-966e-460b-9b61-16decf97dff4\r\nTimestamp: 2017-12-12 11:18:01Z","error_codes":[50001],"timestamp":"2017-12-12 11:18:01Z","trace_id":"7365f8f5-791f-4131-88f8-9466cadc4d00","correlation_id":"e18e0e5e-966e-460b-9b61-16decf97dff4"}
What's wrong?
You have to add the VM service principal in the Key Vault's Policies. Having Contributor on the Key Vault allows the principal to perform operations through the ARM API, but what it needs is access to the Key Vault API. That requires you to grant the principal some permissions on the Policies tab.
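Added example, not code from the question or the answer above: a Python version of the two curl steps from the question, plus a `diagnose` helper that maps the Key Vault response to the distinction the answer draws between Contributor on the vault resource (ARM management plane) and an access policy on the vault (data plane). It also rejects the question's second attempt up front: the resource for the MSI token request is always https://vault.azure.net, never the vault's own URL, which is what AAD reports as AADSTS50001. The token endpoint is the local VM extension endpoint from the question; the network functions are not exercised offline, and the 403 body in `__main__` is constructed.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urlencode

# Audience for the Key Vault data plane; the same value for every vault.
KEY_VAULT_RESOURCE = "https://vault.azure.net"
# Local token endpoint of the VM MSI extension, as used in the question.
MSI_TOKEN_ENDPOINT = "http://localhost:50342/oauth2/token"


def validate_resource(resource: str) -> bool:
    """True only for the data-plane audience. A vault-specific host such as
    https://myvault.vault.azure.net is not an AAD application, so AAD answers
    AADSTS50001 when it is used as the resource."""
    return resource.rstrip("/") == KEY_VAULT_RESOURCE


def msi_token(resource: str = KEY_VAULT_RESOURCE) -> str:
    """Step 1 from the question: POST resource=... to the local MSI endpoint
    with the Metadata: true header. Network call, not exercised offline."""
    if not validate_resource(resource):
        raise ValueError(f"resource must be {KEY_VAULT_RESOURCE}, not {resource!r}")
    req = urllib.request.Request(
        MSI_TOKEN_ENDPOINT,
        data=urlencode({"resource": resource}).encode(),
        headers={"Metadata": "true"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def get_secret(vault_url: str, secret_name: str, token: str, api_version: str = "2016-10-01"):
    """Step 2 from the question. Returns (status, body) instead of raising so
    the caller can diagnose a 401 or 403. Network call, not exercised offline."""
    url = f"{vault_url.rstrip('/')}/secrets/{secret_name}?api-version={api_version}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        try:
            body = json.load(err)
        except ValueError:
            body = {}
        return err.code, body


def diagnose(status: int, body: dict) -> str:
    """Map the data-plane response to the fix the answer describes."""
    if status == 200:
        return "ok"
    if status == 401:
        return ("not authenticated: the bearer token is missing, expired, or was "
                f"issued for an audience other than {KEY_VAULT_RESOURCE}")
    if status == 403:
        inner = body.get("error", {}).get("innererror", {}).get("code", "")
        detail = f" ({inner})" if inner else ""
        return ("authenticated but not authorized" + detail + ": Contributor on the vault "
                "resource only covers the ARM management plane; add the VM's service "
                "principal to the Key Vault access policies with the secret get permission")
    return f"unexpected HTTP {status}"


if __name__ == "__main__":
    # Constructed 403 body in the shape Key Vault uses for an authorization failure.
    denied = {"error": {"code": "Forbidden", "message": "constructed sample",
                        "innererror": {"code": "AccessDenied"}}}
    print(diagnose(403, denied))
    print("vault URL accepted as resource:", validate_resource("https://myvault.vault.azure.net"))
```

Once the access policy is in place, `diagnose(*get_secret(vault_url, name, msi_token()))` returns "ok"; until then the 403 branch states which plane is missing rights, which is the information the RBAC view of the vault does not show.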
