Azure Logic App: Azure VM Connector - InvalidAuthenticationTokenTenant - azure

I'm trying to use the Azure VM Connector to start and stop a Virtual Machine.
When I edit the Logic App it uses my User Id to authenticate (successfully).
However, my User Id is in a different Tenant than the VM. The Start Virtual Machine connector allows you to specify the SubscriptionId, ResourceGroup, and VM Name, but not the TenantId.
I get an Authorization (401) error (InvalidAuthenticationTokenTenant) when I try to run the Logic App. How can I specify the correct TenantId to get it working?
"error": { "code": "InvalidAuthenticationTokenTenant", "message": "The access token is from the wrong issuer 'https://sts.windows.net/a35caae4-15e1-4518-bd0f-c1fd0f22814c/'. It must match the tenant 'https://sts.windows.net/600ab0db-7c24-401f-b5be-d765e88dfb09/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/600ab0db-7c24-401f-b5be-d765e88dfb09b' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later." }

I solved the problem by doing 3 things:
1. Enable Managed Identities for the Logic App
2. Add a new role assignment in the VM's Access Control (IAM) section for the Logic App
3. Update the Start virtual machine task in the Logic App to connect using the managed identity
The following link regarding Azure Functions to Start/Stop VMs provided the basic steps that I applied to the Azure Logic App(s) in my case.
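The error in the question says the token's issuer tenant does not match the subscription's tenant. The following added diagnostic (not code from the question or answer) decodes the payload of an access token you already hold, reads its `tid`/`iss` claims and compares them with the subscription's tenant, so the mismatch can be confirmed before any call to ARM. It does not verify the signature; the test token it builds is constructed, and the two tenant GUIDs are the ones quoted in the error message above.

```python
import base64
import json
import re
from typing import Optional, Tuple

# Tenant GUIDs taken from the error message in the question above.
TOKEN_TENANT = "a35caae4-15e1-4518-bd0f-c1fd0f22814c"         # tenant that issued the token
SUBSCRIPTION_TENANT = "600ab0db-7c24-401f-b5be-d765e88dfb09"  # tenant that owns the subscription
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Payload claims of a compact JWT, WITHOUT signature verification.
    Diagnostic only: it reads a token you already hold and never decides trust."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    return json.loads(_b64url_decode(parts[1]))


def token_tenant(claims: dict) -> Optional[str]:
    """Issuing tenant: the 'tid' claim, else the GUID inside 'iss'
    (handles both sts.windows.net/<tid>/ and login.microsoftonline.com/<tid>/v2.0)."""
    tid = claims.get("tid")
    if tid:
        return tid.lower()
    match = GUID_RE.search(claims.get("iss", ""))
    return match.group(0).lower() if match else None


def check_token_tenant(token: str, subscription_tenant: str) -> Tuple[bool, Optional[str]]:
    """(matches, actual_tenant); a mismatch is what ARM rejects as InvalidAuthenticationTokenTenant."""
    actual = token_tenant(jwt_claims(token))
    return actual == subscription_tenant.lower(), actual


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned test token so the check can run offline."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), ""])


if __name__ == "__main__":
    # Constructed token mimicking the one the Logic App presented to ARM.
    bad = make_unsigned_token({"iss": f"https://sts.windows.net/{TOKEN_TENANT}/", "tid": TOKEN_TENANT})
    ok, actual = check_token_tenant(bad, SUBSCRIPTION_TENANT)
    print(f"token tenant {actual} matches subscription tenant {SUBSCRIPTION_TENANT}: {ok}")
```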

Related

Release pipeline does not have authorization to perform action 'Microsoft.Web/sites/config/list/action'

I have a DevOps release pipeline pushing out (via CLI on a VM) to a dev resource group happily. When I add a stage pushing to an identical QA resource group I get the below.
ERROR: (AuthorizationFailed) The client '' with object id '' does not have authorization to perform action 'Microsoft.Web/sites/config/list/action' over scope '/subscriptions//resourceGroups//providers/Microsoft.Web/sites//config/publishingcredentials' or the scope is invalid. If access was recently granted, please refresh your credentials.
Is there a place I should be looking at first?
The error is due to the service principal (in Azure DevOps, typically the 'service connection') not having the correct role/permission on the target resource.
Please find your service connection in Project settings.
Click Manage Service Principal, which will redirect you to the Application Registration of the Service Principal. All you need to do here is copy the name (the default format is <account>-<project>-<GUID>).
Go back and click Manage service connection roles, which will redirect you to the IAM blade of the Azure Subscription. Here you need to assign a role to the service principal whose name you copied in the previous step. You can simply add it with the Owner/Contributor role on the target subscription.
You can check a similar answer here.

Azure Devops - enable access to keyvault

I'm using the Microsoft Extension to access Key Vaults from Azure DevOps to fetch a secret from the vault. I'm getting this error message, which appears to say that I need to grant the Azure DevOps agent access rights to the key vault.
"Could not fetch access token for Managed Service Principal. Please configure Managed Service Identity (MSI) for virtual machine 'https://aka.ms/azure-msi-docs'. Status code: 400, status message: Bad Request"
I have this running on a separate test subscription where the AzureDevOps account has contributor access under Role Assignments, same on the PROD subscription where the error message is coming up.
Any insights would be greatly appreciated.
Thanks,
This seems to be an issue with Azure Key Vaults defined with service endpoints. As Azure DevOps is not a trusted service, it does not have access to the endpoint. The workaround is to whitelist the IP of the agent right from the pipeline, removing it after you've obtained the secrets (figuring out how to do this now). This is referenced in here and here.

The client with object id does not have authorization to perform action 'Microsoft.Web/serverfarms/read' over scope

I am using Azure app service api to view server details like worker process and region etc. for management purpose. After generating token from AuthenticationContext.AcquireTokenAsync method, I am requesting following URL for server details https://management.azure.com/subscriptions/<sub ID>/resourceGroups/<resource group name>/providers/Microsoft.Web/serverfarms/?api-version=2018-02-01
In the response I am getting the AuthorizationFailed error code with the detail given below:
The client does not have authorization to perform action 'Microsoft.Web/serverfarms/read' over scope '/subscriptions/xxxxxxxx-xxxxxxx-xxxx/resourceGroups/xxxxxxxxxxx/providers/Microsoft.Web/serverfarms/xxxx' or the scope is invalid. If access was recently granted, please refresh your credentials.
But when I try the same verification using https://learn.microsoft.com/en-us/rest/api/appservice/appserviceenvironments/get portal where I can try the APIs for testing, the request is returning expected results.
So, is there any other way to authenticate or should I have to define some permissions to achieve the functionality?
The service principal you are using doesn't have rights within that tenant.
Tenants have subscriptions and service principals belong to tenants. Azure resource manager also exposes role based authorization for a given principal, which would give it rights on Azure resources. It appears the service principal doesn't have rights to read from that subscription.
Go to the portal and find your subscription, click on Access Control (IAM) and then click on Add role assignment with the corresponding service principal which you use to acquire the token.
After you have given successful permission, refresh and try again.
I had the same error while running,
az aks get-credentials --resource-group myResourceGroup --name myAKSCluster
I did this shortly after az login.
Problem was I haven't set my subscription properly so what I had to do was run,
az account set --subscription your-subscription-id
After that az aks get-credentials worked fine, the error was gone and you will get an output like,
Merged "myAKSCluster" as current context in C:\Users\UserName\.kube\config
I had the same problem. Initially, I went ahead and added the "Web Plan Contributor" role to my user, as it is the one that should handle those things. Nothing changed - I still had this error.
What the actual problem turned out to be is a wrong resource group... Turns out I copied some old script where WebAppPlans were in a separate RG, and I was searching for the app plan there. Completely misleading error. I guess it will bring up the same error message even if the App Plan simply doesn't exist.
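The AuthorizationFailed errors in this thread and in the DevOps release pipeline one above all come down to whether some role assignment for the principal both covers the requested scope and grants the requested action. The following added model (not code from any answer here) evaluates that the way Azure RBAC does: assignments inherit down from subscription to resource group to resource, action patterns use `*` wildcards, and NotActions only subtract within their own role definition. The subscription, resource groups, principals and role subsets are constructed placeholders; it also reproduces the last answer's point that a resource in the wrong resource group fails exactly like a missing permission.

```python
import fnmatch
from dataclasses import dataclass
from typing import Iterable, Tuple


@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    actions: Tuple[str, ...]      # action patterns the role definition grants
    not_actions: Tuple[str, ...]  # action patterns the same role definition excludes
    scope: str                    # subscription, resource group or resource


def action_matches(pattern: str, action: str) -> bool:
    """Azure action patterns are case-insensitive and use '*' as a wildcard."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """An assignment at a parent scope (subscription, RG) applies to every child scope."""
    a, t = assignment_scope.lower().rstrip("/"), target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def is_authorized(assignments: Iterable[RoleAssignment], principal: str, action: str, scope: str) -> bool:
    """True if some assignment for the principal covers the scope and grants the action
    (NotActions subtract only inside their own role definition, never across assignments)."""
    for ra in assignments:
        if ra.principal != principal or not scope_covers(ra.scope, scope):
            continue
        if any(action_matches(p, action) for p in ra.not_actions):
            continue
        if any(action_matches(p, action) for p in ra.actions):
            return True
    return False


# Constructed placeholders, not real Azure identifiers.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
DEV_RG, QA_RG = SUB + "/resourceGroups/dev-rg", SUB + "/resourceGroups/qa-rg"
VM = DEV_RG + "/providers/Microsoft.Compute/virtualMachines/vm01"
ASSIGNMENTS = [
    # simplified subset of Virtual Machine Contributor, scoped to a single VM (the Logic App case)
    RoleAssignment("logicapp-msi", ("Microsoft.Compute/virtualMachines/*",), (), VM),
    # simplified Contributor on the dev RG only: the gap behind the QA-stage pipeline error above
    RoleAssignment("devops-sp", ("*",), ("Microsoft.Authorization/*/Write",), DEV_RG),
]

if __name__ == "__main__":
    cfg = "/providers/Microsoft.Web/sites/app1/config/publishingcredentials"
    for rg in (DEV_RG, QA_RG):  # dev -> True, qa -> False (no assignment covers qa-rg)
        print(rg.rsplit("/", 1)[1], is_authorized(ASSIGNMENTS, "devops-sp", "Microsoft.Web/sites/config/list/action", rg + cfg))
```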

Failed to fetch the list of virtual machines from resource group

In my Azure DevOps release pipeline, I would like to start a VM. So I have an "Azure resource group deployment" task with the action "Start virtual machines". However, when I run this task, I get the error:
"Failed to fetch the list of virtual machines from resource group: ... Error: "Could not fetch access token for Managed Service Principal. Please configure Managed Service Identity (MSI) for virtual machine 'https://aka.ms/azure-msi-docs'. Status code: 400, status message: Bad Request"
In my VM I already enabled system-assigned managed identity, so I don't know why this error is appearing. Any thoughts?
You will also need a service connection in Azure DevOps to connect to your Azure subscription using the MSI.
You can configure Azure Virtual Machines (VM)-based agents with an Azure Managed Service Identity in Azure Active Directory (Azure AD). This lets you use the system assigned identity (Service Principal) to grant the Azure VM-based agents access to any Azure resource that supports Azure AD, such as Key Vault, instead of persisting credentials in Azure DevOps for the connection.
In Azure DevOps, open the Service connections page from the project settings page. In TFS, open the Services page from the "settings" icon in the top menu bar.
Choose + New service connection and select Azure Resource Manager.
Select the Managed Identity Authentication option.
Enter a user-friendly Connection name to use when referring to this service connection.
Select the Environment name (such as Azure Cloud, Azure Stack, or an Azure Government Cloud).
Enter the values for your subscription into these fields of the connection dialog:
Subscription ID
Subscription name
Tenant ID
After the new service connection is created:
If you are using it in the UI, select the connection name you assigned in the Azure subscription setting of your pipeline.
If you are using it in YAML, copy the connection name into your code as the azureSubscription value.
Ensure that the VM (agent) has the appropriate permissions. For example, if your code needs to call Azure Resource Manager, assign the VM the appropriate role using Role-Based Access Control (RBAC) in Azure AD. For more details, see How can I use managed identities for Azure resources? and Use Role-Based Access Control to manage access to your Azure subscription resources.
https://learn.microsoft.com/en-us/azure/devops/pipelines/library/connect-to-azure?view=azure-devops#create-an-azure-resource-manager-service-connection-to-a-vm-with-a-managed-service-identity

azure API to restart VM

When I try to list azure VMs on my account from their python API, I get the following error:
Message: The client 'xxxxxxxxxxxxxxxxxxx' with object id 'xxxxxxxxxxxxxxxxx' does not have authorization to perform action 'Microsoft.Compute/virtualMachines/read' over scope '/subscriptions/xxxxxxxxxxxx/resourceGroups/xxxxxxxxx/providers/Microsoft.Compute/virtualMachines/xxxxxx'.
Does this type of API access require paid access or did I set up my authentication incorrectly?
Your authentication is correct, but you just need proper permissions on the Azure side. So you need to grant yourself (the client you are acting from) the Virtual Machine Contributor or Contributor role on the resource group the VM is in (or on the subscription).
Take a look at this link.