I was previously able to use terraform 0.11 with digitalocean. I have since updated the terraform version to 0.13.5 and updated the digitalocean provider. However, after this change, I am not able to provision any resource as I am getting a 401 error from digitalocean. I have even tried using a new authentication token but that produced the same result.
Error: Error creating droplet: POST https://api.digitalocean.com/v2/droplets: 401 Unable to authenticate you
I have modified the TF_LOG value but that has not provided any additional details to help debug the issue. Any ideas on how to troubleshoot this further?
The token is valid as I am able to use it with curl but not with terraform 0.13.5 and digitalocean provider 2.2.0.
What could be happening is that, after the upgrade, you are not loading the variable correctly.
So Terraform is passing an empty token to the provider. The provider then tries to authenticate with an empty/wrong token and fails, resulting in a 401.
If you are providing a default value, try removing it to confirm the issue, and make Terraform ask you for the token instead.
Try following this example:
    # Set the variable value in a *.tfvars file
    # or using the -var="do_token=..." CLI option
    variable "do_token" {}

    # Configure the DigitalOcean Provider
    provider "digitalocean" {
      token = var.do_token
    }

    # Create a web server
    resource "digitalocean_droplet" "web" {
      # ...
    }
And make sure you name your file whatever.auto.tfvars (the auto.tfvars suffix is the key) with the token like this:
do_token = ua0uhk0a0ka0k7a0o90ia0oekadho0eka9
And it should work, or ask you for a token.
To be noted: this is an API token, not your password. Follow this process (https://docs.digitalocean.com/reference/api/create-personal-access-token/) if you have never created or used one.
Today I have an issue getting an Azure AD access token from Postman, while it was working before for the same app and for other apps I am working on. None of them are working today.
It was working correctly, but now it shows me this error:
Error: AADSTS900144: The request body must contain the following parameter: 'client_id'
I use https://login.microsoftonline.com/common/oauth2/v2.0/authorize as auth URL, and https://login.microsoftonline.com/common/v2.0/token for Access token URL.
I have tried these for the access token URL, but none of them worked:
    https://login.microsoftonline.com/{{tenant_id}}/v2.0/token
    https://login.microsoftonline.com/common/token
    https://login.microsoftonline.com/{tenant_id}/token
Here is my Azure AD OAuth 2.0 configuration. Also, as you see, there is no client_id in the request body.
I tried to reproduce the same in my environment and got the results below.
You can get the values of the auth URL and access token URL from your Azure AD application; they vary based on the supported account type, like below:
Go to Azure Portal -> Azure Active Directory -> App registrations -> Your App -> Overview -> Endpoints
Now I added environment variables in Postman by defining them like below:
Make sure to select the correct Environment while requesting for token with variables.
I filled in the required details, the same as you, to get the access token like below:
When I selected Get New Access Token, I got the token successfully as below:
The error usually occurs if you missed including client_id while acquiring the access token.
I changed the client_id parameter to blank in the variables like below:
When I tried to get the access token again, I got the same error as you, like below:
To resolve the error, make sure to pass the client_id value in the right environment and save it.
I found out why it's acting like this:
I checked my friend's PC, and it was working there!
The issue was the last update of Postman. They have changed something in authorization.
Just change the Client Authentication to "Send client credentials in body" and it will work.
I'm able to update/create the function key using the API as per the document:
https://learn.microsoft.com/en-us/rest/api/appservice/web-apps/create-or-update-function-secret
My main aim is to update the function key every hour, so I'm creating an HTTP trigger (with the above API inside it) and scheduling the trigger.
For testing purposes I stored the URL in one parameter.
URL:
'https://management.azure.com/subscriptions/xyz1/resourceGroups/xyz2/providers/Microsoft.Web/sites/func_appname/functions/func_name/keys/poc_testing1?api-version=2021-02-01{"Properties":{"Name": "poc_testing1","Value": "asdsda"}}'
Note: the Value here is updated via a random-generation library in Python.
I generated a bearer token using the service principal (which I'm already using to connect to my storage account) and stored it in auth_token:
    header_auth = {'Authorization': 'Bearer ' + auth_token}
Now I am running the below command in Python:
    import requests
    requests.post(url, headers=header_auth)
I'm getting a 403 Forbidden error.
I'm thinking that it is not because of the bearer token. I did google the error and it is related to the IP address. Can someone help me out here?
I was referring to the doc at https://learn.microsoft.com/en-us/troubleshoot/azure/general/request-throttling-http-403, but I'm not using any APIM service.
Till now I have referred to the doc from MSFT:
https://learn.microsoft.com/en-us/rest/api/appservice/web-apps/create-or-update-function-secret
I was able to create a new function key.
I'm trying to do the same using Python, for which I performed the above steps.
Currently I ran the above steps in my local Visual Studio and tried the az CLI as well, but got the same 403 error.
Why do you want to update the function key every hour?
If you aim to increase security, use Azure AD Auth/OAuth2 rather than the function key.
Regarding the 403 error, please ensure you have assigned proper permissions to the service principal, which allow the service principal to modify the Azure Function.
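The same call as it would look when sent correctly, as an added Python example that is not the poster's code: it assumes the create-or-update operation is a PUT carrying the key in a JSON body (as in the linked doc) rather than JSON appended to the URL, uses caller-supplied placeholder ids, and surfaces the ARM error code behind a 403 so the missing permission can be identified.

```python
# Added example (not the poster's code): send the Create Or Update Function
# Secret call as a PUT with a JSON body rather than JSON appended to the URL.
import json
import secrets
import urllib.error
import urllib.request

API_VERSION = "2021-02-01"  # api-version used in the post's URL

def new_key_value(nbytes: int = 32) -> str:
    # Key material should come from a CSPRNG (secrets), not random.
    return secrets.token_urlsafe(nbytes)

def build_put_request(auth_token: str, subscription: str, resource_group: str,
                      func_app: str, func_name: str, key_name: str,
                      key_value: str) -> urllib.request.Request:
    """Build (but do not send) the ARM request. All ids are caller-supplied
    placeholders; the body shape follows the linked create-or-update doc."""
    url = (f"https://management.azure.com/subscriptions/{subscription}"
           f"/resourceGroups/{resource_group}/providers/Microsoft.Web"
           f"/sites/{func_app}/functions/{func_name}/keys/{key_name}"
           f"?api-version={API_VERSION}")
    body = json.dumps({"properties": {"name": key_name, "value": key_value}})
    return urllib.request.Request(
        url, data=body.encode(), method="PUT",
        headers={"Authorization": "Bearer " + auth_token,
                 "Content-Type": "application/json"})

def parse_arm_error(body: str) -> tuple:
    """Extract (code, message) from an ARM error body; a 403 such as the one
    in the post carries a code like AuthorizationFailed plus the scope."""
    try:
        err = json.loads(body).get("error", {})
    except ValueError:
        return ("Unknown", body[:200])
    return (err.get("code", "Unknown"), err.get("message", ""))

def send(req: urllib.request.Request) -> tuple:
    """Return (status, code, message); 403 means the token was accepted but
    the principal has no RBAC role allowing this write on the function app."""
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return (resp.status, "OK", resp.read().decode())
    except urllib.error.HTTPError as exc:
        code, message = parse_arm_error(exc.read().decode(errors="replace"))
        return (exc.code, code, message)
```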
I try to run terraform with the azurerm provider initialized for service principal authorization, with the following in providers.tf (with a service principal that has Owner access on the subscription and works in other code):
    provider "azurerm" {
      features {}
      subscription_id = "SSSSSSSS-SSSS-SSSS-SSSS-SSSSSSSSSSSS"
      client_id       = "AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA"
      tenant_id       = "<MY_TENANT_ID>"
      client_secret   = "<MY_CLIENT_SECRET>"
    }
However, when I run terraform plan or terraform apply, this fails, reporting a totally different client ID:
Error: Error ensuring Resource Providers are registered.
[.... some lines of useless examples ....]
Original Error: Cannnot register providers: Microsoft.ServiceFabricMesh, Microsoft.ManagedServices, Microsoft.DesktopVirtualization. Errors were: Cannot register provider Microsoft.ServiceFabricMesh with Azure Resource Manager: resources.ProvidersClient#Register: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB' with object id 'BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB' does not have authorization to perform action '
Microsoft.ServiceFabricMesh/register/action' over scope '/subscriptions/SSSSSSSS-SSSS-SSSS-SSSS-SSSSSSSSSSSS' or the scope is invalid. If access was recently granted, please refresh your credentials.".
In other words, while I tell terraform to use service principal "AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA", it uses "BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB" instead.
It is obvious that nothing in my code refers to a service principal with id "BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB".
Setting ARM_* environment variables does not have any effect on this behavior.
Any idea how could that happen?
Update: I'm on terraform 0.14.3 and azurerm 2.41. Also tried azurerm 2.32 - it behaves the same.
First of all, you can output the client id to make sure that you are using the correct service principal that has the appropriate authorization scope on the subscription and tenant you're working with.
    data "azurerm_client_config" "current" {
    }

    output "account_id" {
      value = data.azurerm_client_config.current.client_id
    }
Also, if you're using service principal credentials, try re-generating your secret key or your service principal. As a workaround, you could also skip the provider registration:
    provider "azurerm" {
      skip_provider_registration = true
    }
Lastly, try upgrading your terraform and azurerm provider for a better experience. It might be a bug in some versions; refer to this1 and this2.
I solved this, but still do not know why the incorrect service principal id was used by terraform.
Once I registered the groups manually, the issue with the 'BBBBBBBB...' principal id happened once more when terraform tried to create a resource in a non-existing group (there was a typo in the RG name). I still can't understand why terraform reported that weird service principal issue instead of the missing group, but the issue has gone now.
Thanks to everyone who helped me narrow it down!
TL;DR: Authentication to Databricks using managed identity fails due to wrong audience claim in the token.
Technical details: when acquiring a token to access Databricks using managed identity (with the http://169.254.169.254/metadata/identity/oauth2/token API), the returned token audience is 'spn:2ff814a6-3304-4ab8-85cb-cd0e6f879c1d' instead of '2ff814a6-3304-4ab8-85cb-cd0e6f879c1d'.
When trying to use the acquired token, I get the following error:
Error 400 io.jsonwebtoken.IncorrectClaimException: Expected aud claim to be: 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d, but was: spn:2ff814a6-3304-4ab8-85cb-cd0e6f879c1d.
It seems that the audience is always prefixed with 'spn:' when the resource is a GUID and not a URL.
I also tried to use the Databricks app URL ('https://azuredatabricks.net/') as the resource, but the token was not accepted either.
Is this a known issue? Are there any workarounds (other than using the service principal method)?
Thanks!
I can also reproduce your issue; it looks like a bug. Using managed identity with Azure Container Instances is still a preview feature.
I also tested the same user-assigned managed identity with a Linux VM using the same curl command, and it works fine.
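The audience check that produced the IncorrectClaimException above, as an added Python example that is not part of the original thread: it decodes a token's payload without verifying the signature (diagnosis only) and classifies the aud claim as exact, 'spn:'-prefixed, or mismatched. The sample tokens are constructed unsigned tokens so the script runs offline; the GUID is the Databricks resource id from the post.

```python
# Added example (not from the original post): inspect the 'aud' claim of an
# access token the way the strict check behind the error in the post does.
import base64
import json

# GUID from the post: the Azure Databricks resource id expected in 'aud'.
DATABRICKS_RESOURCE_ID = "2ff814a6-3304-4ab8-85cb-cd0e6f879c1d"

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)

def decode_payload(token: str) -> dict:
    """Return the JWT claims WITHOUT verifying the signature.
    Diagnosis only: claims from an unverified token are not trustworthy."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def check_audience(token: str, expected: str = DATABRICKS_RESOURCE_ID) -> str:
    """Mimic the strict equality check from the error in the post.
    'ok' when aud matches exactly, 'spn-prefixed' when it only differs by the
    'spn:' prefix the IMDS endpoint added, otherwise 'mismatch'."""
    aud = decode_payload(token).get("aud")
    if isinstance(aud, list):  # RFC 7519 allows aud to be a list
        aud = aud[0] if len(aud) == 1 else None
    if aud == expected:
        return "ok"
    if aud == "spn:" + expected:
        return "spn-prefixed"
    return "mismatch"

def make_unsigned_token(claims: dict) -> str:
    # Constructed sample for offline testing only: alg "none", empty signature.
    header = {"alg": "none", "typ": "JWT"}
    enc = lambda d: base64.urlsafe_b64encode(
        json.dumps(d, separators=(",", ":")).encode()).decode().rstrip("=")
    return f"{enc(header)}.{enc(claims)}."

# Constructed samples reproducing the two outcomes discussed in the post.
IMDS_STYLE_TOKEN = make_unsigned_token({"aud": "spn:" + DATABRICKS_RESOURCE_ID})
GOOD_TOKEN = make_unsigned_token({"aud": DATABRICKS_RESOURCE_ID})
```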
Getting the following error while deploying:
Error: Error waiting for CDN Endpoint "website-dev-appservice" (Profile "website-dev-eastus2-cdn" / Resource Group "website-dev-eastus2-rg") to finish creating: Code="BadRequest"
Message="{\"ErrorMessage\":\"Errors found in Model: OriginHostHeader must match the regex '(^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9_\\\\-]*[a-zA-Z0-9])\\\\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\\\-]*[A-Za-z0-9])$)|((?:[:0-9A-Fa-f]+))'.\"}"
What could be the issue here?
Even though the HashiCorp doc says origin_host_header is an optional field, here the script needs origin_host_header to be specified, whose default value is the domain, e.g. origin_host_header = www.google.com
Just add origin_host_header; it should work.
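A pre-apply check for the value, as an added Python example that is not part of the original thread: it applies the pattern quoted in the CDN error (with the JSON/HCL escaping removed) to candidate origin_host_header values and explains the usual reasons for rejection. Using fullmatch is an assumption; the error does not say how Azure anchors the second (hex/colon) alternative.

```python
# Added example (not from the post): pre-check an origin_host_header value
# against the pattern quoted in the CDN error before running terraform apply.
import re

# The pattern from the error message with the JSON/HCL escaping removed.
ORIGIN_HOST_HEADER_RE = re.compile(
    r"(^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9_\-]*[a-zA-Z0-9])\.)*"
    r"([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$)|((?:[:0-9A-Fa-f]+))"
)

def is_valid_origin_host_header(value: str) -> bool:
    """True when the whole value is a dotted host name per the first
    alternative, or a bare hex/colon (IPv6-style) string per the second.
    fullmatch is an assumption; Azure may anchor the second part differently."""
    return ORIGIN_HOST_HEADER_RE.fullmatch(value) is not None

def diagnose(value: str) -> str:
    """Explain the most common reasons a value is rejected by the pattern."""
    if value == "":
        return "empty: set origin_host_header to the origin's host name"
    if "://" in value:
        return "contains a scheme: use the bare host name, not a URL"
    if "/" in value:
        return "contains a path: use the bare host name"
    if value.endswith(".") or value.startswith("."):
        return "leading or trailing dot: every label must start and end alphanumeric"
    if not is_valid_origin_host_header(value):
        return "does not match the required pattern"
    return "ok"
```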