I am trying to create an ARM Template in Azure to build VM's and WebApps in prep for the AZ204 exam.
However, I am running into an issue in creating a template, from a downloaded json file.
The error I am getting is
The client 'Simon.Price#xxx' with object id 'f65d2b21-aa7e-4d5a-9ed3-xxxxx' does not have authorization to perform action 'Microsoft.Gallery/register/action' over scope '/providers/Microsoft.Gallery' or the scope is invalid. If access was recently granted, please refresh your credentials.
I have confirmed that in Azure AD that my account is an Global Administrator, with the description
Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities.
which implies I should be able to do this.
What permissions am I missing?
Related
Stuff in Azure are secured with Service Accounts. In order for me to see stuff I need to download the Service Account certificate and then log in via the Azure CLI using the extracted certificate and the Service Account Application Id. So now I can see everything the Service Account can see, great. But it is a pain in the neck and slow. So my question: Can I use the same certificate and credentials to log into the Azure Portal website so I can browse around using the web browser instead?
Using a Service Principal for interactive logins to the Azure Portal is not possible - which is by design. In order to be able to see the same resources as the Service Principal through the Azure Portal, you would require a user account that holds the Azure RBAC Reader role against those resources that are in scope of the Service Principal role assignments.
As you mentioned performance being an issue with using the Service Principal login, you could try Azure Resource Graph queries. These are supported by Azure CLI, Azure PowerShell as well as all the major Azure SDK's. Obviously, this won't bring you the visual experience like the Azure Portal but might resolve the performance piece maybe.
However, requesting/creating a user account that has the corresponding RBAC roles assigned would be the only way to allow you to see the resources through the Azure Portal.
I am looking for examples to fetch access token for azure storage account access via azure active directory with service principal in python
It seems like https://github.com/AzureAD/azure-activedirectory-library-for-python/blob/dev/sample/client_credentials_sample.py doesn't support service principal access
are there other ways in fetching token via service principal?
• Yes, you can surely fetch an access token for an Azure storage account via Azure Active Directory using a service principal, i.e., an app registration by following the steps below as given in the below documentation link: -
https://learn.microsoft.com/en-us/azure/developer/python/sdk/authentication-azure-hosted-apps?tabs=azure-portal%2Cazure-app-service
As per the above documentation, you will have to host your python application code in a web app service and create a system assigned managed identity for it. Once created, then an application will be created in Azure AD with the same ‘Object ID’ as shown in the managed identity section of the web app service. Before moving onto this application created in Azure AD, assign the required roles to this system assigned managed identity through the ‘IAM’ tab. So, in your case, you should assign the role of ‘Storage Account Contributor’ to the ‘System-assigned managed identity’ created for the web app service.
• Once, the role has been assigned, then go to the ‘Enterprise application’ and search for the ‘Object ID’ of the managed identity, you will encounter an application with the name of the web app service, in that, go to ‘Permissions’ under ‘Security’ tab and assign the required permissions and admin consent required to the application. The permissions shown are those that are allowed under the scope of ‘Storage Account Contributor’ and similarly, you must assign permissions from it to the app/service principal. Then ensure that you are correctly calling the environment variables of this application created in Azure AD regarding the managed identity and implement the ‘DefaultAzureCredential’ from the ‘azure.identity’ module. For this purpose, kindly refer to the below subsection of the above documentation: -
https://learn.microsoft.com/en-us/azure/developer/python/sdk/authentication-azure-hosted-apps?tabs=azure-portal%2Cazure-app-service#3---implement-defaultazurecredential-in-your-application
In this way, you can fetch an access token for the Azure storage account via Azure Active Directory using a service principal.
I need to create Azure DevOps agent pool using Terraform.
In Terraform I'm using microsoft/azuredevops provider. And resource azuredevops_agent_pool
In conclusion, I have an error Error creating agent pool in Azure DevOps: Access denied. user needs Manage permissions to perform the action. For more information, contact the Azure DevOps Server administrator.
I have Administrator permissions in Azure Devops.
What can I try with this error?
UPD. I can create agent pool from Web UI azuredevops.
I am using authentication with PAT. PAT configured for FULL access.
UPD2. I understood that access on Project Level is other than access on Organization Level. So I have full access on Project Level but terraform is trying to create agent pull on Organization Level.
It's not possible at the moment. I face the same issue.
The issue is still opened since 2020.
https://github.com/Azure/terraform-azurerm-aci-devops-agent/issues/4
As mentioned on the README.md
Before running this module, you need to create an agent pool in your
Azure DevOps organization and a personal access token that it
authorized to manage this agent pool.
So it's not possible to automatically create an agent pool from the official Terraform azure DevOps provider
You might try to find a way through Azure DevOPS REST API:
https://learn.microsoft.com/en-us/rest/api/azure/devops/distributedtask/elasticpools/create?view=azure-devops-rest-7.1
You might also find this GitHub issue comment useful:
https://github.com/microsoft/terraform-provider-azuredevops/issues/204#issuecomment-962504540
Someone has already developed a way to do with Terraform using local-exec combined with azure cli/PowerShell/rest api
I have a Logic App in Azure that reads and writes data from and to SharePoint using the Graph API and the newly added permission of "Sites Selected". To do so I'm using PowerShell and the Azure CLI commands to give such permission to the Logic App's managed identity. This works, but only using an Azure global admin as authentication, and I'm trying to find the correct roles/permissions so an ADO pipeline can run the script using a service connection without having to give the global admin access, as Cloud Application Administrator seems to be not enough.
Any suggestions?
References :
New Azure AD Service App Role Assignment
App Role Assignment to App
App to App Role Assignment To in Graph
I am trying to run an Azure Resource Group Deployment task in Azure Pipelines. I have deployed an Azure Pipelines self-hosted agent on an Azure VM running Windows, and in my Azure DevOps organization I have set up an Azure Resource Manager service connection to a VM with a managed service identity.
However, I get the following error when trying to configure my Azure Resource Group Deployment task with my service connection with managed identity:
GetUserAccessToken: Failed to obtain an access token of identity . AAD returned silent failure.
Screenshot:
I have already verified that I granted access (Contributor) to the VM's managed identity to the target resource group:
The service connection is also scoped to the Azure subscription:
Any help on diagnosing this issue is appreciated. Thanks!
Failed to obtain an access token typically occur when your session has expired.
To resolve these issues:
Sign out of Azure Pipelines or TFS.
Open an InPrivate or incognito browser window and navigate to https://visualstudio.microsoft.com/team-services/.
If you are prompted to sign out, do so.
Sign in using the appropriate credentials.
Choose the organization you want to use from the list.
Select the project you want to add the service connection to.
Create the service connection you need by opening the Settings page. Then, select Services > New service connection > Azure Resource Manager.
Refer to:
https://learn.microsoft.com/en-us/azure/devops/pipelines/release/azure-rm-endpoint?view=azure-devops#sessionexpired
In case this is useful to anyone else, I had a similar issue when modifying service connections through Azure DevOps. The solution provided by Charlie Brown pointed me in the right direction: The user in AAD isn't automatically added to the Azure DevOps Enterprise Application, so if you run into this it may mean that you need to add the user or group that's trying to access it through DevOps.
In my case I just added myself as and owner and user through the Azure Portal -> Azure Active Directory -> Enterprise Applications -> Azure DevOps.
I didn't have to create another user, nor modify anything with MFA.
It appears that the issue comes about because it is the user account authenticated to Azure DevOps that is retrieving subscription information. Azure DevOps is not using the managed identity to retrieve the subscription information.
In particular, my original Azure DevOps user account had MFA turned on to authenticate to an Azure subscription (e.g. portal.azure.com), but did not have MFA turned on to authenticate to Azure DevOps (e.g. dev.azure.com/). I think that this was causing the issue when failing to get an access token:
I created a different user account in my Azure AD, gave it access to my Azure DevOps organization, and made sure that this new user account had Reader permissions over the target subscription and did not have MFA turned on. This resolved the issue of getting subscription info when using managed identity:
My scenario getting this error was adding a Service Connection to a Management Group in Azure DevOps
GetUserAccessToken: Failed to obtain an access token of identity
{{GUID}}. AAD returned silent failure.
Fix for me was adding my account as a Project Collection Admin in DevOps... details below:
Tried every permission possible ... GA, ROOT Mgmt Group Owner (via AAD setting), target Mgmt Group Owner, Subscription Owner, App Administrator... In devops i am a project admin and i have Admin security role in service connections.
Interesting diff i have here, my Azure AD home tenant is different from my Azure Subscription AD tenant (i am a B2B Guest).
I actually tried to use a different DevOps tenant that has an AAD tied to the Azure Subscription tenant and it WORKED :( This lead me to diving further into what is different. Aside from the DevOps->AAD link, I am also COLLECTION admin on the working one, and only a project admin on the failing one. I made sure I had Management Group Owner rights and then added my account as a Project Collection Admin - WORKED!
Ref: https://developercommunity.visualstudio.com/solutions/1246044/view.html