Unable to connect SQL Azure through Access Token generated through bearer token - azure

I was trying to connect my SQL Azure queries through a Bearer token which is generated through this query:
$token= & az account get-access-token --resource=https://database.windows.net/ --query accessToken
Since today it says "Login failed for user ''".
I have not made any major changes in my environment, and even locally the script does not work.
Once I get the access token I connect to SQL Server; firewall settings are all fine. I am the server admin of my DB. Is there something else I should check?

I think the token is expired.
As per the doc for az account get-access-token: The token will be valid for at least 5 minutes with the maximum at 60 minutes.
Please try to re-generate a new one, and give it a try.

I was executing the script from a DevOps pipeline as an Azure CLI task, so I had added the service principal (connection string) as an admin in SQL Server from the Azure portal manually. It was working fine.
When I tried to automate the same by adding the service principal as an administrator through an ARM template, it showed it had applied the same in the Azure portal, but when executing the pipeline it said login failed.
So to resolve the issue I had to manually apply the service principal as an admin in the Azure portal.

Related

Github action Azure login token is expired

I'm using the azure/login GitHub action in my workflow to log in to Azure, then set some secrets and deploy to an Azure Kubernetes cluster. Suddenly the GitHub action is failing with the error "token is expired".
The last thing I did before this error started showing up (not sure if this is related at all) was to execute the command az vmss identity assign -g on the VMSS of the cluster to assign a userAssignedIdentity.
I tried recreating the federated credential for the enterprise app connecting the GitHub actions/workflows to our AAD, but nothing changed. I even tried using client secret authentication, but that gave the same error as well.
Something was seriously messed up with the cluster. I had to delete it and recreate it, recreate the managed identity, grant it access to the cluster and create a federated credential to allow GitHub to deploy through it to the cluster.

Can't find my SQL server instance in Azure

I'm having problems finding a SQL server in the Azure portal. The SQL server is apparently running, as I can connect to it with both Azure AD credentials and SQL credentials via SSMS. The apps using databases from the SQL server are also working.
But I can't find it in Azure. I've tried checking portal.azure.com with all our logins, but no luck.
Does anyone have any tips?
Double check that you have chosen the same directory and subscription under your account if you have more than one. And if you remember your resource group name, just to rule out any transient issue in the web portal, you can try the below:
Install Azure CLI from here or use the cloud CLI and run the below commands in order.
Log in to your account; the result lists all the subscriptions in your account.
az login
Verify that your preferred subscription is set:
az account show
See your SQL DB details:
az sql db show --name YourSqlDbName --server YourSqlServerName --resource-group YourResourceGroupName
You'll see all the details, if it exists.
Turns out I had to log in with my admin account and go to portal.azure.com/customer.domain.

Azure Logic App: Azure VM Connector - InvalidAuthenticationTokenTenant

I'm trying to use the Azure VM Connector to start and stop a virtual machine.
When I edit the Logic App it uses my user ID to authenticate (successfully).
However, my user ID is in a different tenant than the VM. The Start Virtual Machine connector allows you to specify the SubscriptionId, ResourceGroup, and VM Name, but not the TenantId.
I get an Authorization (401) error (InvalidAuthenticationTokenTenant) when I try to run the Logic App. How can I specify the correct TenantId to get it working?
"error": {
  "code": "InvalidAuthenticationTokenTenant",
  "message": "The access token is from the wrong issuer 'https://sts.windows.net/a35caae4-15e1-4518-bd0f-c1fd0f22814c/'. It must match the tenant 'https://sts.windows.net/600ab0db-7c24-401f-b5be-d765e88dfb09/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/600ab0db-7c24-401f-b5be-d765e88dfb09b' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later."
}
I solved the problem by doing 3 things:
Enabled managed identity for the Logic App
Added a new role assignment in the VM's Access Control (IAM) section for the Logic App
Updated the Start virtual machine task in the Logic App to connect using the managed identity
The following link regarding Azure Functions to start/stop VMs provided the basic steps that I applied to the Azure Logic App(s) in my case.
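Both the "Login failed for user ''" thread above (answered as an expired token) and the InvalidAuthenticationTokenTenant error in this thread come down to claims inside the access token: its expiry, its audience and its issuing tenant. The following added example (not code from any of the posts) decodes those claims locally, without verifying the signature, so a pipeline can fail fast with a clear reason before handing the token to Azure SQL or ARM; the tenant IDs and expiry in the test are constructed values, and `SQL_AUDIENCE` is simply the resource URL from the az command in the question.

```python
import base64
import json
import time

# Audience Azure SQL expects; same resource URL as the az command in the question.
SQL_AUDIENCE = "https://database.windows.net/"

def _b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(token):
    """Payload claims of a compact JWT, WITHOUT signature verification: this only
    inspects a token you already hold; Azure still verifies it server-side."""
    # Without -o tsv, `az ... --query accessToken` prints the token as a JSON string,
    # i.e. wrapped in double quotes; strip them so the segments split cleanly.
    token = token.strip().strip('"')
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def check_token(token, expected_tenant, audience=SQL_AUDIENCE, now=None):
    """Return a list of problems; empty means the token looks usable for this resource."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    exp = claims.get("exp")
    if exp is None or exp <= now:
        problems.append("expired: exp=%s, now=%d" % (exp, now))
    # Azure issues 'aud' with or without a trailing slash, so compare normalised.
    aud = str(claims.get("aud", "")).rstrip("/")
    if aud != audience.rstrip("/"):
        problems.append("wrong audience: %r (expected %r)" % (claims.get("aud"), audience))
    # 'tid' is the issuing tenant; InvalidAuthenticationTokenTenant is exactly this mismatch.
    if claims.get("tid") != expected_tenant:
        problems.append("wrong tenant: %r (subscription is in %r)" % (claims.get("tid"), expected_tenant))
    return problems

def make_unsigned_token(claims):
    """Constructed, unsigned JWT (alg=none) used only to demonstrate the checks offline."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return "%s.%s." % (header, _b64url_encode(json.dumps(claims).encode()))
```

Run `check_token` on the string your pipeline actually passes to the SQL client; an empty list means expiry, audience and tenant all line up, and each entry otherwise names which of the three is wrong.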

Unable to access keyvault from Azure DevOps from a different resource description

I'm attempting to build out my DevOps pipeline to deploy a Data Factory, Databricks notebooks and Azure Data Warehouse.
I have my resource subscriptions set up for both Dev and Prod. Deploying to Prod is more tricky than it seems.
My key vault has GET/LIST permissions for both Secrets and Keys for the target Data Factory.
https://learn.microsoft.com/en-us/azure/data-factory/continuous-integration-deployment
I have used the above guide to set up my target Data Factory in Prod, and it is stood up correctly with all the connection strings set up and key vault permissions set.
But I am stuck on this portion:
Grant permissions to the Azure Pipelines agent: The Azure Key Vault task may fail with an Access Denied error if the proper permissions aren't present. Download the logs for the release, and locate the .ps1 file with the command to give permissions to the Azure Pipelines agent. You can run the command directly, or you can copy the principal ID from the file and add the access policy manually in the Azure portal. Get and List are the minimum permissions required.
When I deploy my release I get the following error on the Key Vault task:
The specified Azure service connection needs to have Get, List secret management permissions on the selected key vault. To set these permissions, download the ProvisionKeyVaultPermissions.ps1 script from build/release logs and execute it, or set them from the Azure portal
I've added this PowerShell script ProvisionKeyVaultPermissions.ps1 to my repo and added it to my task, but it just runs forever. Unsure if I'm missing something here.
Hope this is clear; please ask for any additional info.
I wonder if it's the DevOps service connection that's missing the permissions.
You can check access policies for the vault from the console. You should see your service connection as an APPLICATION; it needs the GET and LIST privileges, as the document you're following says. My understanding is that these are privileges for the account that's deploying your code, rather than the account that will run your code.

How to resolve Failed to query service endpoint api: https://management.azure.com//subscriptions/ Error- The remote server returned an error: (403)

I am trying to set up an Azure Service Manager connection from VSTS for a CI/CD pipeline but it is failing. I have already made the below changes in Azure.
Created an application through Azure Active Directory
Created a secret key (for the Azure service principal key)
Provided full access to the user (Azure account) for the created application
Collected all details: client id, tenant id and subscription id
Provided all these details in VSTS to set up the connection
When I click verify connection, it gives the below error:
Failed to query service endpoint api:
https://management.azure.com//subscriptions/?api-version=2016-06-01.
Error Message: The remote server returned an error: (403) Forbidden..
Below is a screenshot of VSTS:
Please let me know if I missed anything, or guide me through all the required steps to complete this VSTS to Azure connection.
You need to grant the service principal access to the Azure subscription.
Log in to the Azure portal -> All services -> Subscriptions -> click your subscription -> Access control (IAM) -> Add role assignment -> assign a role to your service principal
Reference:
Manage access to Azure resources using RBAC and the Azure portal