failed to get Partitioned metadata : authorization failed - apache-pulsar

I'm seeing this exception in my app when trying to interact with my Pulsar topic:
"message":"[persistent://exampleTenant/example-app-consumer/example-app-REPLAY]
failed to get Partitioned metadata : Authorization failed
feeds_exampleTenant_example-app-consumer on topic
persistent://exampleTenant/example-app-consumer/example-app-REPLAY
with error Don't have permission to administrate resources on this
tenant"
I've verified:
The endpoint is correct (so I'm hitting the right cluster)
The port is correct (I'm hitting SSL, not the non-SSL port)
My token is correct.
My role and token are correct for interacting with my primary topic
What could be the issue?

This exception occurs when your role lacks the required permission.
You either need the appropriate permission (consume, produce, or both) to be granted to your role for this additional topic you're accessing, or you will need a new role with a new token to be issued.
In the case that you're using a replay topic or a dead letter queue (DLQ) topic, you will need to ensure that you have adequate permission for interacting with those topics (whichever are applicable). Since permissions in Pulsar are managed at the namespace level, if you expect to have permission, you need to check that your tenant and namespace were provided correctly.
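As an added example (not from the original question or answer), the following Python script turns the answer into a check: it extracts tenant/namespace from the topic named in the error, reads which of consume/produce the role lacks on that namespace through the Pulsar admin REST API, and builds the grant request, the REST form of `pulsar-admin namespaces grant-permission`. It assumes token authentication, an admin URL and a tenant-admin token taken from the environment (placeholders), and falls back to a constructed permissions sample when those are absent.

```python
import json
import os
import urllib.request

# Topic and role quoted in the error message from the question.
TOPIC = "persistent://exampleTenant/example-app-consumer/example-app-REPLAY"
ROLE = "feeds_exampleTenant_example-app-consumer"
# Constructed sample of a GET .../permissions body ({role: [actions]}); ROLE is absent, as in the error.
SAMPLE_PERMISSIONS = {"some-other-role": ["produce", "consume"]}

def namespace_of(topic):
    """Return 'tenant/namespace' of a fully qualified (v2) topic name; Pulsar keeps
    permissions per namespace, so that is the level to check and grant at."""
    scheme, sep, rest = topic.partition("://")
    parts = rest.split("/")
    if not sep or scheme not in ("persistent", "non-persistent") or len(parts) != 3 or not all(parts):
        raise ValueError("not a fully qualified topic: " + topic)
    return parts[0] + "/" + parts[1]

def missing_actions(permissions, role, required=("consume",)):
    """Actions in `required` (consume/produce) that `role` does not hold."""
    return set(required) - set(permissions.get(role, []))

def auth_request(url, token, body=None):
    """Token-authenticated admin REST request: GET, or POST when a JSON body is given."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method="POST" if data else "GET")
    req.add_header("Authorization", "Bearer " + token)
    if data:
        req.add_header("Content-Type", "application/json")
    return req

def grant_request(admin_url, namespace, role, actions, token):
    """REST form of `pulsar-admin namespaces grant-permission --role R --actions A tenant/ns`:
    POST a JSON list of actions to /admin/v2/namespaces/{tenant}/{ns}/permissions/{role}."""
    url = "%s/admin/v2/namespaces/%s/permissions/%s" % (admin_url, namespace, role)
    return auth_request(url, token, sorted(actions))

if __name__ == "__main__":
    ns = namespace_of(TOPIC)
    url, tok = os.environ.get("PULSAR_ADMIN_URL"), os.environ.get("PULSAR_TOKEN")
    perms = SAMPLE_PERMISSIONS  # offline default: the constructed sample above
    if url and tok:  # live: read the real grants (the token needs tenant-admin rights)
        with urllib.request.urlopen(auth_request(url + "/admin/v2/namespaces/" + ns + "/permissions", tok)) as r:
            perms = json.load(r)
    missing = missing_actions(perms, ROLE, ("consume", "produce"))
    print(ns, "is missing for", ROLE + ":", sorted(missing) or "nothing")
    if missing and url and tok:
        urllib.request.urlopen(grant_request(url, ns, ROLE, missing, tok))
```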

Related

Receiving an InvalidAuthorizationTokenTenant error when triggering a Logic App on Azure even with one account?

Currently, I am trying to run a trigger on a Logic App on Microsoft Azure, but every time I try, I receive an InvalidAuthorizationTokenTenant error. Let me explain.
So I have a Virtual Machine on Microsoft Azure called StaticReportingVM that runs a service automatically when it is turned on. I am trying to automate the process of turning the machine on and off using a Logic App called startVM. The logic design is below: it has a recurrence task that checks the time of year it is (the task should run at the beginning of every month), it tells the machine to turn on, and notifies me through my personal email whether or not the task has succeeded.
[Image: startVM design]
[Image: startVM parameters]
The parameters are correct for my machine and my subscription. However, every time I run the trigger, I get the following error:
{
  "error": {
    "code": "InvalidAuthenticationTokenTenant",
    "message": "The access token is from the wrong issuer 'https://sts.windows.net/xxxxxxx-xxxxxxx-xxxxxxx/'. It must match the tenant 'https://sts.windows.net/yyyyy-yyyyy-yyyyyy/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/yyyyy-yyyyy-yyyyyy' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later."
  }
}
Note that xxxxx-xxxxx-xxxxx is different from yyyyy-yyyyy-yyyyy and the two yyyyy-yyyyy-yyyyys are the same. (Not sure if this helps answer my question but I just want to cover more bases!)
Below is a (poorly edited) image of the connections I have set for the Logic App to work, where the email above is the email registered with my Azure account and the Office 365 email is my personal email to notify me of whether or not the trigger has worked.
[Image: startVM connections]
I have a few questions about this: why am I getting an InvalidAuthenticationTokenTenant error even though I only am using the one subscription? Is it possible I have multiple tenants under this account and if so how can I delete those tenants? How can I bypass the error and get the logic app working?
P.S. This is my first stackoverflow question so I'm sorry if I am missing any critical details! Any and all feedback is appreciated.
• The way you are trying to trigger a logic app on a Microsoft Azure VM for starting a recurrence task and notifying you through the personal email address is incorrect. You should create a managed identity for the logic app through which the trigger is configured. Once configured, assign a new role to the logic app’s managed identity through the VM’s IAM (Identity and Access Management) blade. Once done, update the ‘Start the Virtual Machine’ task in the logic app to connect using the managed identity created for the logic app.
In this way, your issue should get resolved and you should not receive any error regarding the ‘Tenant token authentication’. Also, you are getting this error because, when you are configuring the ‘StartVM parameters’, the tenant ID is not asked for; only the ‘subscription ID’ and the ‘resourceGroup’ are asked for. Thus, if you have at least ‘Contributor’ role access in more than one tenant linked to each other, then the default tenant ID and the tenant in which your VM is deployed will be different, and hence the conflicting error you are facing.
• Please find the below snapshot of the configuration for including the managed identity in your logic app design: -
Thus, once you give managed identity of a VM as the connection in the logic app ‘Start VM’ action, the logic app ‘Start VM’ trigger will use the managed identity’s assigned role to the VM as authorization to start the VM and hence the tenant token issue will get resolved.
For more information and clarification on this, kindly refer to the below link: -
https://learn.microsoft.com/en-us/azure/azure-functions/start-stop-vms/deploy#enable-multiple-subscriptions

Azure Logic App - no permission to query subscriptions?

Afternoon all
Trying to get a logic app to run a query on a log analytics workspace and email the results on a weekly basis. Created a service principal, and have given it Reader access at Subscriptions level and I'm allowed to create the connection, but when I try to populate the drop down in Designer, it's throwing with an error:
Could not retrieve values. Error executing the api '/listSubscriptions'. Client request id: 'undefined'
As seen here: https://imgur.com/a/CDp1g6L
I was following this guide, and it's failing to populate those list boxes:
https://thomasthornton.cloud/2020/11/09/log-analytics-queries-to-csv-emailed-using-azure-logic-apps
Tried temporarily giving it permissions as subscription Owner, same deal. Also the same error with the logic app's own System Managed Identity. Got it to work in a different subscription by using my global admin ID, but I don't want to do that as it's of course dependent on that account and it's way too privileged.
I also tried editing in the correct values in code view, just in case it was only some enumeration error, but the test run fails with:
"Message": "Failed to get valid request parameters. Authorization Error
In my other subscription, I also tried giving the account permissions at the root Tenant level, in case it was purely unable to evaluate all subscriptions, but no joy, same error when using Managed Identities or Service Principals.
I'm at a loss. Any ideas?

Unable To Create Schema Extensions

We have multiple Azure accounts for our various environments. I'm able to create schema extensions on the accounts we use for preproduction and development, but for our production Azure account I'm unable to create schema extensions even though the setups are exactly identical.
Like with our other accounts, I use the OAuth 2.0 token of a global admin and make an HTTP POST to https://graph.windows.net/ourinstance.onmicrosoft.com/applications/ourmultitenantappId/extensionProperties?api-version=1.6 with the payload:
{
  "name": "SA",
  "dataType": "String",
  "targetObjects": [
    "User"
  ]
}
The Graph API returns HTTP 403 Forbidden with an Authorization_RequestDenied error message.
I have definitely verified that the user account I'm using has the global admin access role, I have created multiple global admin user accounts in the old Azure portal and the new Azure portal, I have compared all user and multitenant app settings between the production Azure account and the preproduction Azure account and have compared the manifests as well, but to no avail.
I have done all these checks at least 5 times. I'm at a loss as to why I keep getting the Authorization_RequestDenied error message.
Anything I could have possibly missed?
As far as I know, there are two kinds of 403 error.
The first one is like "Insufficient privileges to complete the operation." For this issue, please ensure the app has the Directory.ReadWrite.All permission.
The second one is like "The size of the object has exceeded its limit. Please reduce the number of values and retry your request." This error occurs when an application tries to set a value for an additional extension property on an object for which 100 extension property values have already been set. At present, there is no workaround for this issue; please check whether there are schema extensions which are not used and unregister those extensions.
Got the problem resolved through Microsoft Support.
Turns out the OAuth token didn't have the necessary permissions despite the fact that I had added the permissions needed in the UI. I had to explicitly grant admin consent to the application using https://login.microsoftonline.com/{tenant-id}/oauth2/authorize?client_id={client-id}&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%2F&response_mode=query&resource=https%3A%2F%2Fgraph.windows.net%2F&state=12345&prompt=admin_consent

Error "User does not have sufficient permissions error for Google Analytics"

Sometimes I get this error while pulling data from Google Analytics.
"code":403,"message":"User does not have sufficient permissions for this profile."
This error occurs only for some profile IDs.
How can I fix this?
The user you are authenticating with must have access to the profile id you are trying to request data from.
403 insufficientPermissions: Indicates that the user does not have sufficient permissions for the entity specified in the query. Do not retry without fixing the problem. You need to get sufficient permissions to perform the operation on the specified entity.
I would check your code or have it write out the profile id that is causing you a problem. You may have mistyped it.
Note: You can also get this error if the user's access in Google analytics was removed.

Azure Service Bus "manage claim is required for this operation"

I receive a 401 auth error: "Manage claim is required for this operation" upon executing the following statement:
if (namespaceManager.QueueExists(QueueName))
{
    namespaceManager.DeleteQueue(QueueName);
}
I know this question is old, but I wanted to add in my findings since the behavior confused me quite a bit. Hopefully this helps someone looking at this in the future.
You need a Manage claim in order to be able to do TopicExists/QueueExists kind of operations. If the topic or queue doesn't exist you can get away with no exceptions even without a Manage claim which was strange to me.
As of WindowsAzure.ServiceBus v3.4.1.
After verifying my connection string, I simply regenerated my primary key for my access policy in the Azure Mgmt. Portal. I used the new key and was able to successfully auth.
Your original key could be generated without Manage option, which would result in manage operation failure.
Go into the access control (IAM tab) and give your user the following roles:
Azure Service Bus Data Receiver
Azure Service Bus Data Sender
