Receiving error while running GitHub workflow - azure

I am trying to run a simple workflow using terraform within GitHub Actions workflow using the below article, but am receiving an error.
Error: Failed to get existing workspaces: Error retrieving keys for Storage Account "xxxxx": azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://management.azure.com/subscriptions/\*\*\*/resourceGroups/XXXXXX/providers/Microsoft.Storage/storageAccounts/xxxx/listKeys?api-version=2016-01-01: StatusCode=400 -- Original Error: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"invalid_request","error_description":"AADSTS90002: Tenant '***' not found. This may happen if there are no active subscriptions for the tenant. Check to make sure you have the correct tenant ID. Check with your subscription administrator.\r\nTrace
Can someone guide me on what I am missing here? I am very new to this and this is my first project.

How are you authenticating against Azure with the azurerm Terraform provider?
We normally use these ENV variables for GitHub Actions or Azure DevOps Pipelines:
export ARM_SUBSCRIPTION_ID=VALUE
export ARM_TENANT_ID=VALUE
export ARM_CLIENT_ID=VALUE
export ARM_CLIENT_SECRET=VALUE
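
A pre-flight check for the four variables listed in the answer above, as an added example that is not part of the original answer. It assumes the three IDs are GUIDs as shown in the Azure portal; the function names are hypothetical, and it prints only variable names, never their values.

```shell
#!/bin/sh
# Added example: run before `terraform init`, e.g. `check_arm_env || exit 1`.

# True when $1 has the 8-4-4-4-12 hex shape of an Azure GUID.
is_guid() {
    printf '%s' "$1" |
        grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Prints one line per problem; the exit status is the number of problems.
check_arm_env() {
    problems=0
    for name in ARM_SUBSCRIPTION_ID ARM_TENANT_ID ARM_CLIENT_ID ARM_CLIENT_SECRET; do
        eval "value=\${$name-}"
        # Catches spaces and trailing newlines picked up when pasting a secret.
        stripped=$(printf '%s' "$value" | tr -d '[:space:]')
        if [ -z "$value" ]; then
            echo "$name: not set or empty"
        elif [ "$stripped" != "$value" ]; then
            echo "$name: contains whitespace"
        elif [ "$name" != ARM_CLIENT_SECRET ] && ! is_guid "$value"; then
            echo "$name: not a GUID"
        else
            continue
        fi
        problems=$((problems + 1))
    done
    # A tenant ID equal to another ID usually means a value was pasted
    # into the wrong secret.
    for other in ARM_SUBSCRIPTION_ID ARM_CLIENT_ID; do
        eval "value=\${$other-}"
        if [ -n "$value" ] && [ "$value" = "${ARM_TENANT_ID-}" ]; then
            echo "ARM_TENANT_ID: same value as $other"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}
```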

Related

Azure DevOps - Failed to fetch App Service. The client does not have authorization to perform action 'Microsoft.Web/sites/read'

I have an Azure DevOps pipeline that is using the task AzureFunctionApp#1 to deploy a function app.
The pipeline is using a Service Connection with a principal called devops-intg-nurseryfees-nonprod. If I check the IAM blade for the resource group of the function app, I can see that the principal has a Current role assignment of a custom role that contains an action of Microsoft.Web/sites/*
However, when the devops task runs, I get the following error:
Failed to fetch App Service 'func-nurseryFees-dev-001' details. Error: The client 'svc-principal-guid' with object id 'svc-principal-guid' does not have authorization to perform action 'Microsoft.Web/sites/read' over scope '/subscriptions/subscription-guid/resourceGroups/rg-nurseryFees-dev-001/providers/Microsoft.Web/sites/func-nurseryFees-dev-001' or the scope is invalid. If access was recently granted, please refresh your credentials. (CODE: 403)
Any ideas?
The error message gave two possible causes. I'd focused on the 1st, "does not have auth", but it turned out the problem was "the scope is invalid".
There was a typo in the name of the resource group.
Note, the "true" scope string of a function app can be found in the Azure portal by clicking the "JSON View" link in the top-right of the overview page:
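
One way to compare the scope quoted in the 403 error with the resource ID copied from "JSON View", as an added example that is not part of the original answer. The function name is hypothetical, and it assumes ARM resource IDs compare case-insensitively, so a difference in letter case alone is not reported.

```shell
#!/bin/sh
# Added example: report which segment of an ARM scope differs from the
# expected resource ID. Exit status 0 means the two IDs match.
diff_scope() {
    awk -v got="$1" -v want="$2" 'BEGIN {
        n = split(got, g, "/"); m = split(want, w, "/")
        max = (n > m) ? n : m
        bad = 0
        # Index 1 is the empty field before the leading "/". After that,
        # even indexes are keys (resourceGroups, providers, ...) and odd
        # indexes are the values that belong to the preceding key.
        for (i = 2; i <= max; i++) {
            if (tolower(g[i]) != tolower(w[i])) {
                label = (i % 2) ? w[i - 1] : "key"
                printf "%s: got \"%s\", expected \"%s\"\n", label, g[i], w[i]
                bad++
            }
        }
        exit (bad > 0)
    }'
}
```

Called with the scope from the error as the first argument and the ID from the portal as the second, it prints one line per mismatching segment, for example the resource group name.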

Azure Container Apps with Dapr state store failing

I am using Azure Container apps with Azure Blob Store as a state store. It is a simple Hello World (weather service) app using dotnet 6. App starts up fine, on Post I am trying to save the generated weather information to Azure Blob Store as JSON. I have configured Dapr components in Azure Container Apps for StateStore using Azure blob storage. I am using storage key (secondary key) as explained in this Microsoft documentation
Upon doing a Swagger and looking at log I get the following error.
Dapr.DaprException: State operation failed: the Dapr endpoint indicated a failure. See InnerException for details.
2022-07-17T01:10:35.716245402Z ---> Grpc.Core.RpcException: Status(StatusCode="Internal", Detail="failed saving state in state store statestore: -> github.com/Azure/azure-storage-blob-go/azblob.newStorageError, /home/vsts/work/1/go/pkg/mod/github.com/!azure/azure-storage-blob-go#v0.10.0/azblob/zc_storage_error.go:42
2022-07-17T01:10:35.716524109Z ===== RESPONSE ERROR (ServiceCode=AuthenticationFailed) =====
2022-07-17T01:10:35.716795515Z Description=Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
2022-07-17T01:10:35.716812515Z RequestId:863bcef4-401e-0069-5f7a-99724b000000
2022-07-17T01:10:35.716820115Z Time:2022-07-17T01:10:35.7137648Z, Details:
2022-07-17T01:10:35.716825516Z AuthenticationErrorDetail: Issuer validation failed. Issuer did not match.
2022-07-17T01:10:35.716831516Z Code: AuthenticationFailed
Error is Authentication Failed. I am unsure what I am missing since I am not making any additional config in storage account such as VNET service end point etc. Account is enabled for Key access. Any help is appreciated.
Below is the code that I am using
using var client = new DaprClientBuilder().Build();
var forecast = new WeatherForecast()
{
    Date = DateTime.Now.AddDays(1),
    TemperatureC = Random.Shared.Next(-20, 55),
    Summary = Summaries[Random.Shared.Next(Summaries.Length)]
};
await client.SaveStateAsync<WeatherForecast>(stateStoreName, key, forecast);
Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
I think I found the answer. The issue was with metadata since the key set in metadata of the component.yaml as mentioned in the Microsoft documentation is not working. I changed it to use secretref and referred in metadata directly in the portal. Not sure why the error was showing Authentication error but it is finally working.

Microsoft.graph getting compacttoken parsing failed with error code: 80049217 error

I am trying to use Microsoft.Graph to access the onedrive files. I am referring to the sample provided on GitHub link
https://github.com/OneDrive/onedrive-texteditor-js
In this sample, while getting the file link (CreateLink), I am getting the following error:
{"error":{"code":"InvalidAuthenticationToken","message":"CompactToken parsing failed with error code: 80049217","innerError":{"date":"2022-03-21T12:49:24","request-id":"45725ccf-a752-45c3-8208-9040e4177e4b","client-request-id":"45725ccf-a752-45c3-8208-9040e4177e4b"}}}
Do I need some subscription to do this setting or am I missing anything?
Is there any other setting required to resolve this access issue?
Is there any other way of getting the sharelink of onedrive file?
What I have tried:
I have given API Permissions in Microsoft azure application of which I have used the applicationId in request. I have found one URL: https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-microsoft-graph-as-user?tabs=azure-resource-explorer%2Cprogramming-language-csharp.
(Configure App Service to return a usable access token) But I could not find this setting in my azure application.
Please check the 2 steps below to diagnose the problem:
1. Log in to https://developer.microsoft.com/en-us/graph/graph-explorer, hit the same API, check the access token on jwt.ms, and make sure you have the required permissions to perform it.
2. Also check your token expiry time (exp); it might have expired. Go to jwt.ms to check the token details; check the attached image to see where to find the token exp_time.
If the token has expired, please follow the docs to get a new token.

Failed to get access token by using service principal while connecting to an ADLS location from ADF pipeline

I am trying to deploy an ARM template for ADF using Azure DevOps CI/CD
The deployment was successful but while trying to test the linked services, I am not able to connect successfully.
The linked service is to get connected to the ADLS location under same subscription and the authentication method is using service principal and using key vault secret name to get the connection.
key vault is also under the same subscription and resource group.
While trying to connect the LS to ADLS location I am getting the below error.
Failed to get access token by using service principal. Error: invalid_client, Error Message: AADSTS7000215: Invalid client secret is provided.
Trace ID: 67d0e882-****-****-****-***6a0001
Correlation ID: 39051de7-****-****-****-****6402db04
Timestamp: 2020-11-** **:**:**Z Response status code does not indicate success: 401 (Unauthorized). {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret is provided.\r\nTrace ID: 67d0e882-****-****-****-***6a0001\r\nCorrelation ID: 39051de7-****-****-****-****6402db04\r\nTimestamp: 2020-11-** **:**:**Z","error_codes":[7000215],"timestamp":"2020-11-** **:**:**Z","trace_id":"67d0e882-****-****-****-***6a0001","correlation_id":"39051de7-****-****-****-****6402db04","error_uri":"https://login.microsoftonline.com/error?code=7000215"}: Unknown error .
AADSTS7000215: Invalid client secret is provided.
The linked services which connect to clusters are working fine, and their connection secrets are stored in the same key vault.
I was confused that some secrets (for the cluster connection) in the same key vault are working and a few (for the ADLS connection) are not working.
I checked the application under the same principal ID in Azure Active Directory and the secret is valid till 2022.
Any Idea about the root cause of the error and how to resolve the issue?
I have encountered a similar problem before. You need to make sure that the client secret belongs to the application you are using, or you can also try to create a new client secret; it should work for you.

Error while setting up Bing API on Microsoft Azure

I'm trying to set up the Bing Spell Check API on my Microsoft Azure account. The deployment, however, fails with the following error message:
OPERATION ID 492286237BA7FFEB
TRACKING ID 779d79cf-4b12-487f-ba97-c896bbdccb87
STATUS Conflict
PROVISIONING STATE Failed
TIMESTAMP 24/2/2017 09.55.58
DURATION 1 minute 22 seconds
TYPE Microsoft.CognitiveServices/accounts
RESOURCE ID /subscriptions/c68eec07-13e6-4f40-831c-c42f996fca89/resourceGroups/webis2/providers/Microsoft.CognitiveServices/accounts/webis
STATUSMESSAGE {
"error": {
"code": "RequestConflict",
"message": "Cannot replace resource with id 'webis'
because the resource entity tag has changed
while processing this request.
Please retry the request with the updated
resource."
}
}
RESOURCE webis
The STATUSMESSAGE suggests to simply retry the request, but this fails, too, with the same error message.
Otherwise, I'm not sure how to resolve the issue, since I obviously have no access to the provisioning process of the Bing Spell Check API.
Any help would be greatly appreciated.
We are investigating this. For now you should be able to work around the issue by deploying to an existing Resource Group instead of creating a new Resource Group during the API account creation.
Update: This issue has been resolved and new API account creation should work correctly.
