az acr login with subject name and issuer authentication error - azure

I'm trying to authenticate to Azure Container Registry with the CLI.
I'm using subject name and issuer authentication, and authenticating to Azure with a service principal.
That's what I do to log in to Azure:
az login --service-principal --use-cert-sn-issuer -u {app id} -p {certificate .pem file} --tenant {tenant id}
It works, and then I try to log in to the ACR with:
az acr login --name {acr name}
It fails with:
The command failed with an unexpected error. Here is the traceback:
Get Token request returned http error: 401 and server response: {"error":"invalid_client","error_description":"AADSTS700027: Client assertion contains an invalid signature. [Reason - The key was not found., Thumbprint of key used by client: {Thumbprint}, Please visit 'https://developer.microsoft.com/en-us/graph/graph-explorer' and query for 'https://graph.microsoft.com/beta/applications/{app id}' to see configured keys]\r\nTrace ID: 4546d682-75b6-4a8b-9c03-11f4821c5f00\r\nCorrelation ID: 02e4c324-25a9-47ff-a5ba-afdeec0ce5ec\r\nTimestamp: 2020-06-23 08:12:00Z","error_codes":[700027],"timestamp":"2020-06-23 08:12:00Z","trace_id":"4546d682-75b6-4a8b-9c03-11f4821c5f00","correlation_id":"02e4c324-25a9-47ff-a5ba-afdeec0ce5ec","error_uri":"https://login.microsoftonline.com/error?code=700027"}
What could be the problem?

The error shows that your certificate is not quite correct. Here is the same issue on GitHub, and you can follow the steps to solve it.
Or you can create the service principal using certificate-based authentication with the CLI command:
az ad sp create-for-rbac --name ServicePrincipalName --create-cert
and then it will work fine for you. Here are the steps with more details. And take care of the caution:
When using a PEM file, the CERTIFICATE must be appended to the PRIVATE KEY within the file.
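The caution above is easy to get wrong, and the AADSTS700027 message only tells you which thumbprint AAD saw. As an added example (not code from the question or the answer), this stdlib-only Python script checks that a PEM file has the private key followed by the certificate, and computes the certificate's SHA-1 thumbprint so it can be compared with the one in the error and with the keys configured on the app registration. The sample PEM is constructed placeholder data, not a real key or certificate.

```python
import base64
import hashlib
import re
import sys

# Constructed sample in the layout the CLI caution describes: the CERTIFICATE
# block appended after the PRIVATE KEY in one PEM file. The base64 bodies are
# placeholders, not a real key or certificate.
SAMPLE_PEM = """-----BEGIN PRIVATE KEY-----
cGxhY2Vob2xkZXIga2V5
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXIgY2VydA==
-----END CERTIFICATE-----
"""

# One PEM block: label, base64 body, and an END line carrying the same label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(pem_text):
    """Return [(label, der_bytes), ...] for every PEM block in the text."""
    return [(label, base64.b64decode("".join(body.split())))
            for label, body in PEM_BLOCK.findall(pem_text)]

def check_sn_issuer_pem(pem_text):
    """Check the file passed to 'az login --use-cert-sn-issuer -p <pem>'.
    Returns layout problems found, the certificate's SHA-1 thumbprint (hex, as
    AAD prints it in AADSTS700027) and its base64url 'x5t' header form."""
    blocks = pem_blocks(pem_text)
    labels = [label for label, _ in blocks]
    result = {"problems": [], "thumbprint": None, "x5t": None}
    key_idx = [i for i, l in enumerate(labels) if l.endswith("PRIVATE KEY")]
    cert_idx = [i for i, l in enumerate(labels) if l == "CERTIFICATE"]
    if not key_idx:
        result["problems"].append("no PRIVATE KEY block")
    if not cert_idx:
        result["problems"].append("no CERTIFICATE block; append the certificate after the key")
    elif key_idx and cert_idx[0] < key_idx[0]:
        result["problems"].append("CERTIFICATE comes before PRIVATE KEY; it should be appended after it")
    if cert_idx:
        digest = hashlib.sha1(blocks[cert_idx[0]][1]).digest()
        result["thumbprint"] = digest.hex().upper()
        result["x5t"] = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return result

if __name__ == "__main__":
    # Pass a PEM path to check a real file; with no argument the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    print(check_sn_issuer_pem(text))
```

If the thumbprint printed here is not among the app registration's key credentials, the CLI is signing with a certificate AAD does not know about, which is exactly what "The key was not found" reports.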

Related

az ad app permission grant 403 Forbidden for url

I am encountering an error executing the az ad app permission grant command via my local terminal.
Do you need to be a Global Administrator to be able to execute the command? I am getting a 403 Forbidden for url error, even though I can do exactly the same thing in the Portal manually. I am set as the owner for both App Registrations.
$clientID = 'xxxx-xxxx-xxx-xxxx-xxxxxx'
$apiID = 'xxxx-xxxx-xxx-xxxx-xxxxxx'
az ad app permission grant --api $apiID --id $clientID --scope user_impersonation
Operation failed with status: 'Forbidden'. Details: 403 Client Error: Forbidden for url: https://graph.windows.net/xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/oauth2PermissionGrants?api-version=1.6

Alternative to Import-AzWebAppKeyVaultCertificate in Azure Rm

Planning to import an SSL certificate to a web app from Key Vault.
Found that Import-AzWebAppKeyVaultCertificate in Az.Websites performs the above task, but it fails in the Azure pipeline, and I'm looking into any alternative in AzureRm. As for my research, I can't find anything in the documents.
Az docs - https://learn.microsoft.com/en-us/powershell/module/az.websites/import-azwebappkeyvaultcertificate?view=azps-6.0.0&viewFallbackFrom=azps-4.8.0
I want to know if there is any specific command to import an SSL certificate to a web app from Key Vault using AzureRm commands.
Did you try with the Azure CLI commands?
az login
# upload certificate to Azure key vault
az keyvault certificate import --file "E:\Cert\P2SChildCert.pfx" --password "" --name "test1234" --vault-name "testkey08"
# download certificate as pfx file
az keyvault secret download --file "test2.pfx" --vault-name "testkey08" --name "test1234" --encoding base64
# upload the pfx file to the Azure web app
az webapp config ssl upload --certificate-file "test2.pfx" --name "andywebsite" --resource-group "andywebbot" --certificate-password "" --query thumbprint --output tsv
You could use Invoke-RestMethod to call the REST API Certificates - Create Or Update manually.
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/certificates/{name}?api-version=2019-08-01
To get the access token, refer to https://learn.microsoft.com/en-us/rest/api/azure/#client-credentials-grant-non-interactive-clients

az login using managed identity fails in az pipeline

When I run the pipeline on AKS and run az login --identity, it gives me the error below. What should I do to fix this issue?
AzureResponseError: Failed to connect to MSI. Please make sure MSI is configured correctly. Get Token request returned http error: 400, reason: Bad Request

Powershell / Azure Functions - Problem connecting using appid and appsecret - Access denied

I've got a PowerShell Azure Function using this command:
Connect-PnPOnline -Url "https://awesome.sharepoint.com" -AppId $appid -AppSecret $appsecret
I get the app ID and secret from the key vault and it works. I do connect, but when trying to run commands like
Get-PnPSite
Result:
Get-PnPSite : Access denied. You do not have permission to perform this action or access this resource.
I've got an app and I've granted permissions in the app:
Any suggestions?
Extra information:
Using MFA

WSL - Can't login or pull image from an azure container registry

I have set up WSL, then installed Docker following this tutorial, and then installed the Azure CLI.
I can log in from the Windows command line, but I cannot log in to Azure Container Registry using the command below from bash:
$ az acr login --name $ACRNAME
I get the following error
Error response from daemon: Get https://ACRNAME.azurecr.io/v2/:
unauthorized: authentication required
And also if I try to pull the image with
$ docker pull ${ACRNAME}.azurecr.io/image_name
I get the same error:
Error response from daemon: Get https://ACRNAME.azurecr.io/v2/:
unauthorized: authentication required
But I am able to see the list. The following command returns the list:
$ az acr repository list -n $ACRNAME
I have found this closed issue and changed my machine's DNS server to 8.8.8.8, but no progress. What am I missing?
For your issue, you may be using the wrong username and password. So, first check the username and password you chose to log in with. You can get the information in the portal: Container registry -> Access keys.
You can get more information from this document on az acr, with az acr check-name and az acr create.