I am trying to work out how to use/access the IAM role credentials on an windows ec2 instance when running a dotnetcore webapi on IIS.
I know that when running a dotnetcore app on ec2 linux the credentials are available to the default constructors but this does not seem to be the case when running on IIS, is there are particular instantiation method to use or does the IIS/kestrel server not have access to the credentials?
Thank you
To answer my own question:
Use a default constructor like var s3Client = new AmazonS3Client();
Yes, the Kestrel server does have RBAC access.
Further information:
The best practice for instantiating an Amazon client is to use the default constructor as above.
I had previously read people having issues accessing credentials while using .NET Core on IIS as the app runs on Kestrel server, but on EC2 instances the client still has access to the role-based access credentials. When running on EC2 Servers is a bad practice to have credentials written on the server, which is what almost every IIS question/answer thread pose as a solution and that is correct if IIS is not on an AWS server.
There are a number of ways to provide AWS credentials to your .NET applications. One approach is to embed your credentials in the appSettings sections of your App.config file:
<configuration>
<appSettings>
<add key="AWSProfileName" value="development"/>
<add key="AWSRegion" value="us-west-2" />
</appSettings>
</configuration>
For more information about it, you can refer to this link.
There is a similar question on SO, you also can refer to it.
Related
Is it possible to remote-connect to an Azure App Service running on Windows with my IIS Manager?
This seems to have been possible according to this blog post by clicking in IIS Manager File -> Connect to a site.
I refer to the steps mentioned in the link shared by you and in the last step I got an error below.
I did some research on it and it looks like managing the App Service from IIS is not supported anymore. I have not got any official link but the below links might give you some information on it.
Microsoft.Web.Configuration.AppHostFileProvider not found after configured Remote IIS Administration for Microsoft Azure Web App
Can no longer manage any Web Apps with IIS Remote Manager - Could not load file or assembly - AppHostFileProvider
I'm not sure for what purpose why you want to. My thoughts is you shouldn't be doing that as it defeat the purpose of PaaS services. Cannot access the iis layer in app service however you can still configure in web.config of your web app.
Relatively new to azure cloud so go easy
Configuration as below on
1 x app service (running asp.net web application)
1 x azure database for mysql server
(so currently 2 resources)
Now whenever i put my connection string into my web app to point to the mysql database hosted on azure, it just times out, with the error below
[MySqlException: Unable to connect to any of the specified MySQL hosts.]
I have set the security to allow access to azure services as per documentation, and disabled the enforce SSL for now. I am able to connect to the database remotely from my machine, but my web app times out.
I have tried every permutation of connection string but it makes no difference. It works if i use the mysql in app but this is not a scalable solution for us.
Did you copy your connection string from Azure and plug it into your web config under the connectionstrings node? If so, did you remove the connectionstring name then re-add it? Such as:
<connectionStrings>
<remove name="conn" />
<add name="conn" connectionString="Server=localhost\SQLEXPRESS;Database=***;Trusted_Connection=True;" providerName="System.Data.SqlClient" />
This is the best practice for using a connectionstring in a webconfig file.
As well take a look at your error details. You are trying to use environment variables for connecting to the database. This won't work because you are in two different environments: the first being your web app environment and the second being the database environment.
Even if you are using Azure as a host, it still won't work.
In our current Production Setup, we have setup SSRS and have been able to successfully use the SSRS reports in our .NET Web Application since years. We have used Impersonation in Web.Config (there might be other solutions available, we had to go with this) as shown below.
<identity impersonate="true" userName="domainname/username" password="password"></identity>
This solution worked well becuase our Active Di
rectory and SSRS server are located in the same Network / domain.
Now, as part of our Azure migration, we have migrated our SSRS server to an Azure VM. and we are able to view the reports using Report Server Manager within the VM. Now, when we access the Web Application (App Service - Web App), we are getting the following error. Below is the updated impersonation attribute that we have used.
<identity impersonate="true" userName="username#ouremailaddressdomainname.onmicrosoft.com" password="password"></identity>
"Could not create Windows user token from the credentials specified in the config file. Error from the operating system 'The user name or password is incorrect"
Obviously, this is because of the fact that we don't have a Active Directory domain setup in Azure. Below are my questions.
Can we utilize the users available in the default Directory that gets created on Azure?
If yes, how do I specify the impersonization?
Thanks,
Prawin
With your planned setup you cannot use identity impersonation. This is because the AppService Web Apps do run in an isolated sand-boxed environment which cannot be part of a Windows Domain.
You have couple of options:
Change the reporting server to use mixed mode Authentication and create local for the SQL Server login and user with appropriate permissions. Then configure your reporting application to provide these SQL Server credentials
Move your Web Application to same VM (will not require Domain environment) as your Reporting Server (or just the part which deals with the reports)
Move your application to a separate VM and utilize the Azure Active Directory Domain Services to make the VMs part of same domain (an overkill IMO)
I would vote for the first option, as it requires least changes and leverages PaaS services (App Service). Everything else is overkill or just an abuse of the cloud platform.
I wanted to access WCF service from Mobile Service in Windows Azure. For this, I am using Service Bus Relay connection which is configured with credentials to call the WCF service.
When I published this Mobile Service on my local machine, I could call WCF service without any issue.
But when I published this Mobile Service on Azure, it is giving following error when trying to access it. IService1 is contract for WCF Service. I defined endpoint in Web.Config file in Mobile Service with this contract.
Can you help me resolve this?
Exception=System.InvalidOperationException: Could not find default endpoint element that references contract 'ServiceReference1.IService1' in the ServiceModel client configuration section. This might be because no configuration file was found for your application, or because no endpoint element matching this contract could be found in the client element.
EDIT:
Upon further investigating this issue, I found out that, proxy class, which is generated by adding service reference, is not picking up the endpoint definition defined in Web.config when we host it in the cloud. But when the service is run on my machine's azure emulator, it is picking up endpoint definition from Web.config.
So, to resolve the issue, I had to define endpoint programmatically and use the ChannelFactory class to call the WCF service.
Any thoughts on why Mobile Service is unable to read Web.config in cloud?
You can set the app settings as key/value pairs in the appSettings section of the .NET backend project’s Web.config file. These values are used when testing a .NET backend project on the local computer. When running in Azure, these values are ignored and the portal settings are used instead.
http://msdn.microsoft.com/en-us/library/azure/dn529070.aspx
So I guess there is something special about .config file in Mobile Services but I don't know more. Initializing your WCF programmaticaly is a good solution.
We're developing a new website running in azure. We are currently developing against the local azure dev environment. But now we need to publish and test the site in the real Azure world. But we would like to run in a "closed" environment, where only know users have access, as the site should not go live yet. Any suggestions to accomplish this?
/Rasmus
Windows Azure has something called 'staging mode', see this post: http://sevans.info/2010/10/10/windows-azure-staging-model/
It's very powerful, and exactly what you need as far as I can see.
You could remove the endpoints of your instance configuration, so there will be no forwarding through the load balancer. After that you could use the Remote Desktop to log into your azure instance and test your web application.
Above suggestions are great and I would also like to add two more in this list as well:
Using production deployment and having a dummy index/default page with directory browsing disabled (already set as default) So when someone come you your site there is nothing they will see. And as there is no directory browsing so they can not guess the page*.aspx to visit your site. This will keep your production site running and you can test it from outside.
Removing your instance form Load Balancer while keeping your instance healthy. This will require you to test the Azure Application by RDP to your instance and then launch internally. If you wish to do so here is the Powershell based trick.
You could restrict the IP addresses that are allowed to access your app if you have a static IP address. As per this link: https://azure.microsoft.com/en-us/blog/ip-and-domain-restrictions-for-windows-azure-web-sites/
Developers can use IP and Domain Restrictions to control the set of IP addresses, and address ranges, that are either allowed or denied access to their websites. With Windows Azure Web Sites developers can enable/disable the feature, as well as customize its behavior, using web.config files located in their website.
Here's the code:
<system.webServer>
<security>
<ipSecurity allowUnlisted="false" denyAction="NotFound">
<add allowed="true" ipAddress="123.456.0.0" subnetMask="255.255.0.0"/>
</ipSecurity>
</security>
</system.webServer>