I have a logic app inside an ISE which uses an API Connection to write to my storage account. Both ISE and storage account are in the same private VNet and my storage account has firewall rules enabled for each subnet of the ISE. Even so, all requests to the logic app fail to write to blob storage with the error:
{
    "status": 403,
    "message": "This request is not authorized to perform this operation.\r\nclientRequestId: ...",
    "error": {
        "message": "This request is not authorized to perform this operation."
    },
    "source": "azureblob-cus.azconn-cus.p.azurewebsites.net"
}
If I disable the blob storage firewall rules, it can write to the storage account. Why can my logic app (inside the ISE, which has firewall rules configured for the storage account) not write to my storage account?
I figured it out. I was creating my API connections against the publicly available blob storage service rather than the managed connector inside my ISE. Instead of having
{
    "type": "Microsoft.Web/connections",
    "apiVersion": "2016-06-01",
    "location": "[resourceGroup().location]",
    "name": "[parameters('BackupStorageAccountName')]",
    "properties": {
        ...
        "api": {
            "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureblob')]"
        }
    }
}
I needed to have
{
    "type": "Microsoft.Web/connections",
    "apiVersion": "2016-06-01",
    "location": "[resourceGroup().location]",
    "name": "[parameters('BackupStorageAccountName')]",
    "properties": {
        ...
        "api": {
            "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/integrationServiceEnvironments/', parameters('iseName'), '/managedApis/azureblob')]"
        }
    }
}
To create an API Connection to Azure Service Bus using Managed Identity I'm using the following template:
"resources": [
    {
        "type": "MICROSOFT.WEB/CONNECTIONS",
        "apiVersion": "2018-07-01-preview",
        "name": "[parameters('connections_servicebus_name')]",
        "location": "[parameters('connections_servicebus_location')]",
        "kind": "V1",
        "properties": {
            "alternativeParameterValues": {},
            "displayName": "[parameters('connections_servicebus_displayname')]",
            "api": {
                "name": "[parameters('connections_servicebus_name')]",
                "displayName": "[parameters('connections_servicebus_displayname')]",
                "id": "[concat(subscription().id, '/providers/Microsoft.Web/locations/', parameters('connections_servicebus_location'), '/managedApis/', 'servicebus')]",
                "type": "Microsoft.Web/locations/managedApis"
            },
            "customParameterValues": {},
            "parameterValueSet": {
                "name": "managedIdentityAuth",
                "values": {}
            }
        }
    }
]
That is actually working, except for the fact that the 'NamespaceEndpoint' information (like sb://mySBNS.servicebus.windows.net) is not provided anywhere, so the field appears empty in the Azure portal.
After adding it manually, the connection and the Logic App that uses it start to work.
What is the JSON field for providing that information?
You can refer to this question for full details:
"parameterValueSet": {
    "name": "managedIdentityAuth",
    "values": {
        "namespaceEndpoint": {
            "value": "sb://<servicebus-namespace-name>.servicebus.windows.net/"
        }
    }
}
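The two fixes above (the ISE-scoped `api.id` for a Logic App inside an ISE, and the `namespaceEndpoint` value for a `managedIdentityAuth` Service Bus connection) are both easy to miss when templates are exported from the portal. The following Python script is an added example, not code from either answer: it lints the `Microsoft.Web/connections` resources of a template for both mistakes. The template content, the connection names `backup-blob` and `orders-sb`, the storage account `examplestorage`, the namespace `example-ns` and the `iseName`/`location` parameters are all made up for the demo.

```python
"""Lint Microsoft.Web/connections resources in an ARM template for two
mistakes: a connection for a Logic App inside an ISE whose api.id targets the
regional (public) managed API instead of the ISE-scoped one, and a servicebus
connection using managedIdentityAuth without a namespaceEndpoint.
Added example; the templates below are constructed and every name is made up."""
import json


def api_id_kind(api_id: str) -> str:
    """Classify an api.id, whether it is a literal resource id or an ARM
    [concat(...)] expression: the fixed path fragments survive either way."""
    s = api_id.lower()
    if "/providers/microsoft.logic/integrationserviceenvironments/" in s and "/managedapis/" in s:
        return "ise"        # .../Microsoft.Logic/integrationServiceEnvironments/<ise>/managedApis/<api>
    if "/providers/microsoft.web/locations/" in s and "/managedapis/" in s:
        return "regional"   # .../Microsoft.Web/locations/<region>/managedApis/<api>
    return "unknown"


def lint_connections(template: dict, inside_ise: bool) -> list:
    """Return one finding string per problem; an empty list means clean."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.web/connections":
            continue
        name = res.get("name", "<unnamed>")
        props = res.get("properties", {})
        api_id = props.get("api", {}).get("id", "")
        kind = api_id_kind(api_id)

        # Check 1: only the connector running inside the ISE comes from the
        # ISE subnets that the storage firewall allows.
        if inside_ise and kind != "ise":
            findings.append(f"{name}: api.id is {kind}, expected the ISE-scoped managedApis id")
        elif not inside_ise and kind == "ise":
            findings.append(f"{name}: api.id is ISE-scoped but the Logic App is not in an ISE")

        # Check 2: a managed-identity Service Bus connection needs the namespace endpoint.
        pvs = props.get("parameterValueSet") or {}
        if pvs.get("name") == "managedIdentityAuth" and "servicebus" in api_id.lower():
            endpoint = (pvs.get("values") or {}).get("namespaceEndpoint", {}).get("value", "")
            if not endpoint:
                findings.append(f"{name}: managedIdentityAuth has no values.namespaceEndpoint.value")
            elif not endpoint.lower().startswith("sb://"):
                findings.append(f"{name}: namespaceEndpoint should be sb://<namespace>.servicebus.windows.net/")
    return findings


def _connection(name, api_id, **props):
    """Build a minimal connection resource for the constructed templates."""
    return {"type": "Microsoft.Web/connections", "apiVersion": "2018-07-01-preview",
            "name": name, "location": "[resourceGroup().location]",
            "properties": {"displayName": name, "api": {"id": api_id}, **props}}


REGIONAL_BLOB = ("[concat('/subscriptions/', subscription().subscriptionId, "
                 "'/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureblob')]")
ISE_BLOB = ("[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, "
            "'/providers/Microsoft.Logic/integrationServiceEnvironments/', parameters('iseName'), '/managedApis/azureblob')]")
REGIONAL_SB = ("[concat(subscription().id, '/providers/Microsoft.Web/locations/', "
               "parameters('location'), '/managedApis/', 'servicebus')]")
ISE_SB = ("[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, "
          "'/providers/Microsoft.Logic/integrationServiceEnvironments/', parameters('iseName'), '/managedApis/servicebus')]")

# Constructed templates: the first reproduces both mistakes, the second has the fixes applied.
BAD_TEMPLATE = {"resources": [
    _connection("backup-blob", REGIONAL_BLOB, parameterValues={"accountName": "examplestorage"}),
    _connection("orders-sb", REGIONAL_SB, parameterValueSet={"name": "managedIdentityAuth", "values": {}}),
]}
GOOD_TEMPLATE = {"resources": [
    _connection("backup-blob", ISE_BLOB, parameterValues={"accountName": "examplestorage"}),
    _connection("orders-sb", ISE_SB, parameterValueSet={"name": "managedIdentityAuth", "values": {
        "namespaceEndpoint": {"value": "sb://example-ns.servicebus.windows.net/"}}}),
]}

if __name__ == "__main__":
    for label, tmpl in (("bad", BAD_TEMPLATE), ("good", GOOD_TEMPLATE)):
        print(label, json.dumps(lint_connections(tmpl, inside_ise=True), indent=2))
```

Run it against a real template with `json.load` and `inside_ise=True` for ISE deployments; the `inside_ise=False` mode catches the opposite mistake, an ISE-scoped id used for a Logic App that is not in the ISE. The servicebus check is keyed on the parameter set name plus the string `servicebus` in the id, because in portal exports the API name can be a separate `concat` argument.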
I have used Azure Key Vault with an Azure Logic App, but I couldn't access the values from the Azure Logic App API Connection. Basically I have to get the username and password for the SQL connector from Azure Key Vault. I'd appreciate it if you can suggest how we can achieve this.
As far as I know, an Azure Logic App can't access Key Vault from an API connection in the portal. If you want to access Key Vault, you can use the REST API to access it.
You need to enable MSI in your logic app (the link below shows the MSI setting under "Workflow Settings", but this has since changed and you now enable it in the "Identity" blade of your logic app) and use an HTTP action to access your key vault.
You can refer to this link for further information: https://devkimchi.com/2018/10/24/accessing-key-vault-from-logic-apps-with-managed-identity/
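What the HTTP action does on your behalf is a two-step exchange: obtain a token for the audience `https://vault.azure.net` with the Logic App's managed identity, then call the Key Vault REST API with that token as a Bearer token. The Python script below is an added example, not code from the answer or the linked article; it replays that sequence as a stand-alone script. Assumptions: the Azure Instance Metadata Service token endpoint is used for step 1 (that is what a VM uses; inside a Logic App the platform performs this step for the action), the vault name `example-kv` and secret name `sql-password` are made up, and the transport is injectable so the offline demo runs against a constructed fake.

```python
"""Fetch a Key Vault secret with a managed identity: token from the identity
endpoint first, then the Key Vault REST call with a Bearer token.
Added example. IMDS is assumed as the token source; vault and secret names
are made up; FakeTransport is a constructed stand-in for both endpoints."""
import json
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
KEY_VAULT_AUDIENCE = "https://vault.azure.net"
KEY_VAULT_API_VERSION = "7.4"


def http_get(url, headers):
    """Real transport: GET url with headers, return (status, parsed JSON body)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status, json.loads(resp.read().decode())


def get_msi_token(transport=http_get):
    """Step 1: token for the Key Vault audience from the instance identity
    endpoint. The 'Metadata: true' header is mandatory; it is what keeps
    browser-forged (SSRF-style) requests from reaching the endpoint."""
    query = urllib.parse.urlencode({"api-version": "2018-02-01", "resource": KEY_VAULT_AUDIENCE})
    status, body = transport(f"{IMDS_TOKEN_URL}?{query}", {"Metadata": "true"})
    if status != 200:
        raise RuntimeError(f"token request failed: {status}")
    return body["access_token"]


def get_secret(vault_name, secret_name, transport=http_get):
    """Step 2: GET the latest version of the secret with the Bearer token."""
    token = get_msi_token(transport)
    url = f"https://{vault_name}.vault.azure.net/secrets/{secret_name}?api-version={KEY_VAULT_API_VERSION}"
    status, body = transport(url, {"Authorization": f"Bearer {token}"})
    if status == 403:
        raise PermissionError("the identity has no permission to get secrets in this vault")
    if status != 200:
        raise RuntimeError(f"secret request failed: {status}")
    return body["value"]


class FakeTransport:
    """Constructed stand-in for both endpoints. It records every request so
    the caller can verify the Metadata header and the Bearer token were sent."""
    def __init__(self, token="eyJ.fake.token", secret="S3cr3t!"):
        self.token, self.secret, self.calls = token, secret, []

    def __call__(self, url, headers):
        self.calls.append((url, headers))
        if url.startswith(IMDS_TOKEN_URL):
            if headers.get("Metadata") != "true":
                return 400, {"error": "Metadata header required"}
            return 200, {"access_token": self.token, "resource": KEY_VAULT_AUDIENCE, "token_type": "Bearer"}
        if headers.get("Authorization") != f"Bearer {self.token}":
            return 401, {"error": {"code": "Unauthorized"}}
        return 200, {"value": self.secret, "id": url.split("?")[0]}


def demo():
    """Run the exchange against the fake and return (secret, recorded calls)."""
    fake = FakeTransport()
    value = get_secret("example-kv", "sql-password", transport=fake)
    return value, fake.calls


if __name__ == "__main__":
    secret, calls = demo()
    print("secret length:", len(secret))  # never print the value itself
    for url, headers in calls:
        print(url, sorted(headers))
```

In the Logic App the same two steps are one HTTP action whose `authentication` is of type `ManagedServiceIdentity` with audience `https://vault.azure.net`; grant the identity permission to get secrets in the vault, and turn on Secure Outputs for that action so the secret value does not end up in the run history.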
Once created, the API connection will not output any sensitive information.
Using an ARM template, you can create an API connection, but it won't update the connection details when you rotate the credentials; you'll have to redeploy the template.
{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "sqlConnectionAPIName": {
            "type": "string",
            "metadata": {
                "description": "The name of the API connection used to access the SQL database."
            }
        },
        "sqlserverName": {
            "type": "string",
            "metadata": {
                "description": "The name of the SQL Server instance."
            }
        },
        "databaseName": {
            "type": "string",
            "metadata": {
                "description": "The name of the database."
            }
        },
        "sqlAdminPassword": {
            "type": "securestring",
            "metadata": {
                "description": "The SQL login password. reference() on the server never returns it, so pass it in, for example as a Key Vault reference in the parameters file."
            }
        }
    },
    "variables": {
        "sqlServerId": "[resourceId('Microsoft.Sql/servers', parameters('sqlserverName'))]"
    },
    "resources": [
        {
            "type": "Microsoft.Web/connections",
            "name": "[parameters('sqlConnectionAPIName')]",
            "apiVersion": "2018-07-01-preview",
            "location": "[resourceGroup().location]",
            "properties": {
                "displayName": "[parameters('sqlConnectionAPIName')]",
                "parameterValues": {
                    "server": "[reference(variables('sqlServerId'), '2015-05-01-preview').fullyQualifiedDomainName]",
                    "database": "[parameters('databaseName')]",
                    "username": "[reference(variables('sqlServerId'), '2015-05-01-preview').administratorLogin]",
                    "password": "[parameters('sqlAdminPassword')]"
                },
                "api": {
                    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/sql')]"
                }
            },
            "dependsOn": []
        }
    ]
}
I am having problems when deploying a Logic App template in Azure. Everything goes OK, but the connection with OneDrive for Business is not authenticated. Which parameter do I need in my template in order to make the connection automatically?
This is my connection resource code:
{
    "type": "Microsoft.Web/connections",
    "apiVersion": "2016-06-01",
    "name": "[parameters('connections_onedriveforbusiness_name')]",
    "location": "westeurope",
    "properties": {
        "displayName": "[parameters('onedrive_email_account')]",
        "customParameterValues": {},
        "api": {
            "id": "[concat(subscription().id, '/providers/Microsoft.Web/locations/westeurope/managedApis/', parameters('connections_onedriveforbusiness_name'))]"
        }
    }
}
The OneDrive for Business connection is an OAuth connection, so we don't have to add any content to "parameterValues".
The resource code:
{
    "type": "Microsoft.Web/connections",
    "apiVersion": "2016-06-01",
    "name": "[parameters('connections_onedriveforbusiness_name')]",
    "location": "westeurope",
    "properties": {
        "displayName": "[parameters('onedrive_email_account')]",
        "api": {
            "id": "[concat(subscription().id, '/providers/Microsoft.Web/locations/westeurope/managedApis/onedriveforbusiness')]"
        },
        "parameterValues": {}
    }
}
Once you finish the ARM template deployment, you need to open the OneDrive for Business connection to authenticate.
If you don't want to open the portal, you can also use the LogicAppConnectionAuth PowerShell script.
For more details, please refer to https://www.bruttin.com/2017/06/13/deploy-logic-app-with-arm.html
I'm creating a logic app which will do some operations on a blob storage, thus it needs a Connector to a specific blob storage. I'm able to define which Connector should be used (providing its name and other properties), however if it doesn't exist yet, the template fails to deploy. I know we can create these connectors via the logic app designer, but I would very much like to automate that process. Hence the question:
Is it possible to deploy/create this connector using an ARM template or a script?
You can check this post related to the Logic App connector.
Here is an ARM template that creates an API connection to blob storage:
{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "azureBlobConnectionAPIName": {
            "type": "string",
            "metadata": {
                "description": "The name of the API connection used to access the Azure blob storage."
            }
        },
        "storageAccountName": {
            "type": "string",
            "metadata": {
                "description": "The Storage Account Name."
            }
        }
    },
    "variables": {
        "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
    },
    "resources": [
        {
            "type": "Microsoft.Web/connections",
            "name": "[parameters('azureBlobConnectionAPIName')]",
            "apiVersion": "2016-06-01",
            "location": "[resourceGroup().location]",
            "properties": {
                "displayName": "[parameters('azureBlobConnectionAPIName')]",
                "parameterValues": {
                    "accountName": "[parameters('storageAccountName')]",
                    "accessKey": "[listKeys(variables('storageAccountId'), '2019-06-01').keys[0].value]"
                },
                "api": {
                    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureblob')]"
                }
            },
            "dependsOn": []
        }
    ]
}
I'm deploying an ARM template with VSTS which contains a lock (in my case lock on a Storage Account for a Function App)
{
    "parameters": {
        "name": {
            "type": "string"
        },
        "storageName": {
            "type": "string"
        },
        "location": {
            "type": "string"
        }
    },
    "resources": [
        {
            "apiVersion": "2015-05-01-preview",
            "type": "Microsoft.Storage/storageAccounts",
            "name": "[parameters('storageName')]",
            "location": "[parameters('location')]",
            "properties": {
                "accountType": "Standard_LRS"
            },
            "resources": [
                {
                    "type": "Microsoft.Storage/storageAccounts/providers/locks",
                    "name": "[concat(parameters('storageName'), '/Microsoft.Authorization/', parameters('storageName'))]",
                    "apiVersion": "2015-01-01",
                    "dependsOn": [
                        "[concat('Microsoft.Storage/storageAccounts/', parameters('storageName'))]"
                    ],
                    "properties": {
                        "level": "CannotDelete",
                        "notes": "One or more function apps were linked to this storage account. You can see all the function apps linked to the account under 'files' or 'shares'."
                    }
                }
            ]
        },...
That just works fine when deploying from VS or from command line with my credentials.
However when deploying from a VSTS release definition, the deployment fails with:
Resource Microsoft.Resources/deployments 'myFunctionApp' failed with message '{
    "error": {
        "code": "InvalidTemplateDeployment",
        "message": "The template deployment failed with error: 'Authorization failed for template resource 'myFunctionAppStorage/Microsoft.Authorization/myFunctionAppStorage' of type 'Microsoft.Storage/storageAccounts/providers/locks'. The client '***VSTS service principal Id***' with object id '***VSTS service principal Id***' does not have permission to perform action 'Microsoft.Authorization/locks/write' at scope '/subscriptions/*** subscription ***/resourceGroups/*** resource group ***/providers/Microsoft.Storage/storageAccounts/myFunctionAppStorage/providers/Microsoft.Authorization/locks/myFunctionAppStorage'.'."
    }
}
When I remove the Microsoft.Storage/storageAccounts/providers/locks section from the template, the VSTS deployment works. But then the storage account would bear no lock preventing a deletion.
The Contributor role, which is assigned when VSTS creates the Service Principal in the AAD connected to the Resource Group's subscription, is not sufficient for placing the lock. Assign Owner and the lock can be placed by the VSTS deployment process.
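The reason Contributor fails is visible in its role definition: its Actions are `*`, but its NotActions include `Microsoft.Authorization/*/Write`, which covers `Microsoft.Authorization/locks/write`. Azure computes a role's effective permissions as Actions minus NotActions (NotActions is not a deny), and a principal's permissions are the union over all of its role assignments, so a second, narrow role alongside Contributor also unblocks the lock without granting Owner. The Python script below is an added example, not from the answer: it evaluates an action against role definitions with Azure's wildcard semantics. The built-in definitions are abbreviated copies (Contributor's NotActions list is not exhaustive) and the "Lock Writer" custom role is made up for the demo.

```python
"""Evaluate whether a set of Azure role assignments permits an action, using
Azure RBAC semantics: per role, Actions minus NotActions; across roles, union.
Added example. ROLES holds abbreviated copies of the built-in Owner and
Contributor definitions plus a made-up 'Lock Writer' custom role."""
from fnmatch import fnmatchcase

ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    # Contributor's NotActions (abbreviated) is why 'Microsoft.Authorization/locks/write' fails.
    "Contributor": {"Actions": ["*"],
                    "NotActions": ["Microsoft.Authorization/*/Delete",
                                   "Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/elevateAccess/Action"]},
    # Made-up custom role: just enough for a pipeline to manage resource locks.
    "Lock Writer": {"Actions": ["Microsoft.Authorization/locks/*"], "NotActions": []},
}


def _matches(pattern: str, action: str) -> bool:
    """Action strings are case-insensitive and '*' spans '/' segments."""
    return fnmatchcase(action.lower(), pattern.lower())


def role_allows(role: dict, action: str) -> bool:
    """Effective permission of one role definition: Actions minus NotActions."""
    allowed = any(_matches(p, action) for p in role["Actions"])
    excluded = any(_matches(p, action) for p in role["NotActions"])
    return allowed and not excluded


def principal_allows(assigned_roles, action: str, roles=ROLES) -> bool:
    """Union over the principal's assignments. Deny assignments, which Azure
    evaluates separately, are out of scope here."""
    return any(role_allows(roles[name], action) for name in assigned_roles)


def explain(assigned_roles, action: str, roles=ROLES) -> str:
    """One-line verdict with the per-role breakdown, for pipeline diagnostics."""
    verdict = "ALLOWED" if principal_allows(assigned_roles, action, roles) else "DENIED"
    parts = ", ".join(f"{n}: {'allow' if role_allows(roles[n], action) else 'no'}" for n in assigned_roles)
    return f"{action} -> {verdict} ({parts})"


if __name__ == "__main__":
    LOCK_WRITE = "Microsoft.Authorization/locks/write"
    for assignment in (["Contributor"], ["Owner"], ["Contributor", "Lock Writer"]):
        print(assignment, explain(assignment, LOCK_WRITE))
    # The narrow role does not leak the ability to hand out role assignments.
    print(explain(["Contributor", "Lock Writer"], "Microsoft.Authorization/roleAssignments/write"))
```

Feeding the deployment principal's real assignments through `explain` before a release tells you which role is missing; the custom role in the demo is the least-privilege alternative to Owner, since Owner would also let the pipeline identity grant roles to others.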