For the New-AzureStorageContext cmdlet, assuming I know the value for both, what are the differences between the Endpoint and Environment parameters?
For example, let's say I want a new storage context named foo within the Azure China cloud, so the environment is AzureChinaCloud and the endpoint would be foo.core.chinacloudapi.cn. I can pass either of those in as a parameter to the cmdlet, although it appears from the docs that they are mutually exclusive.
What would functionally be different between passing one or the other? If I pass Environment, does the created storage context not have an endpoint? If it does have an endpoint, is it not set to foo.core.chinacloudapi.cn? If I pass the Endpoint, does the context not get set to AzureChinaCloud? Is it even possible not to have one or the other?
Furthermore, the returned AzureStorageContext has a number of properties related to endpoint: BlobEndPoint, EndPointSuffix, FileEndPoint, QueueEndPoint, and TableEndPoint. Which of these properties should be set when passing either Environment or Endpoint?
what are the differences between the Endpoint and Environment parameters?
Endpoint: it contains the storage account name and the Azure environment. If AzureCloud, it will be storagename.core.windows.net; if AzureChinaCloud, it will be storagename.core.chinacloudapi.cn, like you mentioned. It belongs to Optional Parameters.
Environment: it just specifies the environment and does not contain the storage account name.
If I pass Environment, does the created storage context not have an endpoint? If it does have an endpoint, is it not set to foo.core.chinacloudapi.cn? If I pass the Endpoint, does the context not get set to AzureChinaCloud?
I think you don't need to use both of them. If you pass the account name and environment, the context will have the endpoint; also, if you pass the endpoint, it will have the environment.
Is it even possible not to have one or the other?
Of course, you could use other parameters to create the context, e.g. you could just use StorageAccountName and StorageAccountKey to create the context. You could find it in the doc you mentioned.
Which of these properties should be set when passing either Environment or Endpoint?
The four properties are all decided by the endpoint; if you pass the endpoint, I think you don't need to set them. E.g. if the endpoint is storagename.core.windows.net, the BlobEndPoint will be storagename.blob.core.windows.net.
Update:
what are the differences between the Endpoint and Environment parameters?
Different environments decide different endpoints; you could check it with the command Get-AzureRmEnvironment. If AzureCloud, it will be core.windows.net; if AzureChinaCloud, it will be core.chinacloudapi.cn.
AzureCloud:
AzureChinaCloud:
If I pass Environment, does the created storage context not have an endpoint? If it does have an endpoint, is it not set to foo.core.chinacloudapi.cn? If I pass the Endpoint, does the context not get set to AzureChinaCloud?
You could just use one of them, refer to the screenshot. Note: actually the Endpoint means EndPointSuffix; you could find it in my test result. So we should pass e.g. -Endpoint "core.windows.net" instead of -Endpoint "storagename.core.windows.net". If we pass -Endpoint "storagename.core.windows.net", it will be incorrect: the EndPointSuffix will be storagename.core.windows.net in the result.
Incorrect result:
Which of these properties should be set when passing either Environment or Endpoint?
In the above screenshots, I don't pass any of these four endpoints, but you could find the result will have all of them. Also you don't need to pass EndPointSuffix, it equals EndPoint.
TLDR
Can I automatically retrieve values from App Configuration through the Function App Configuration variables section similar to AWS retrieving App Config/Secret values
I come from an AWS background and one thing I am used to doing is storing my sensitive information in App Config/Secrets Manager and then directly referencing the sensitive info in the lambda environment variables.
I've been looking for a way to replicate this in Azure and I've been struggling as everything I've found so far seems to want me to change my application code to get the data from App Configuration when all I want to do is update my terraform configuration.
The closest I thought I'd gotten was this documentation since it says
Use App Configuration references for App Service and Azure Functions (preview)
and the format looks like something you could store as a value in the function app's ENV var configuration section, but when I attempted to do this, I got an error because of invalid characters. Now I'm thinking that the docs I referenced above are also just another way to change my application code to reference this new location.
I'm probably missing something obvious here so I was hoping someone could point me in the right direction because I do not want to have to change dotnet code to do something as simple as
- dotnet code references 'ENV_VAR'
- Function App configuration blade has key 'ENV_VAR' w/ a value of something like APP_CONFIG(KEY)
- Value automatically retrieved from App Configuration and used in code
What I would like to avoid
- dotnet code changed to reference App Configuration
- when app runs it bypasses function app configuration and gets directly from app config
The reason I would like to avoid this is
There's no reason I should have to update application code when the end result that I need is to use an ENV variable and
there are some ENV variables that are required by Azure for a function app to work and they contain things like the storage API Key, which I'd prefer to keep in a centralized location that I can have more restrictive access policies for
EDIT
I received this error when it attempted to retrieve the value
The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters.
and
The request authorization key is not authorized for DEV-MyACCT-TEST.EASTUS-1.EVENTGRID.AZURE.NET. This is due to the reason: The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters
EDIT 2
I verified that it's not attempting to get the secret from App Configuration at all. Here are screenshots of what the environment variable is in the function and how I have it stored in App Configuration.
Returned ENV variable in response of request:
{
"message": "(Id: asdfasdfasdf) Env Var: #Microsoft.AppConfiguration(Endpoint=https://<my app config name>.azconfig.io; Key=EventGrid:Key:EVENTGRID_KEY)"
}
The issue was that while my Function App did have a user assigned managed identity which gave it permission to read the App Configuration, and I did have the App Configuration as the target, I did not fully understand how permissions work in Azure, specifically that granting access to a resource with a specific Role and then assigning that UAMI to a Function App is not enough to actually give it permission. I needed to do one more step, which was to update a parameter for the Key Vault, because even though I'm not using Key Vault, that is the parameter which uses the managed identity.
Additionally, Terraform's documentation hasn't been updated yet to indicate that you'd put the ID used for app configuration in the key vault ID section.
The last thing which threw me off is that instead of giving an error letting me know I didn't have access to App Configuration when attempting to access it, it seems it just didn't even try. It turns out that the reason for that was that I had an extra ; at the end of the string before the parenthesis and, instead of throwing an error, it just treated it like a plain string and didn't attempt to connect to App Configuration.
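A pre-deployment check for the silent failure described above, as an added example that is not part of the original post: it lints app-setting values against the `@Microsoft.AppConfiguration(Endpoint=...; Key=...; Label=...)` reference syntax from Microsoft's documentation and flags the trailing `;`. The function names, store name and sample settings are assumptions constructed for illustration.

```python
import re

# Reference syntax from Microsoft's App Configuration reference docs:
#   @Microsoft.AppConfiguration(Endpoint=https://<store>.azconfig.io; Key=<key>; Label=<label>)
_REFERENCE = re.compile(r"@Microsoft\.AppConfiguration\((?P<body>.*)\)")
_ALLOWED = {"Endpoint", "Key", "Label"}

def lint_reference(value):
    """Return a list of problems; an empty list means the value is well formed."""
    match = _REFERENCE.fullmatch(value)
    if match is None:
        return ["not in @Microsoft.AppConfiguration(...) form"]
    body = match.group("body")
    problems = []
    if body.rstrip().endswith(";"):
        problems.append("trailing ';' before ')'")  # the case reported in the post
    fields = {}
    for part in filter(None, (p.strip() for p in body.split(";"))):
        name, sep, val = part.partition("=")
        if not sep or not val.strip():
            problems.append(f"malformed field {part!r}")
        else:
            fields[name.strip()] = val.strip()
    for name in ("Endpoint", "Key"):
        if name not in fields:
            problems.append(f"missing {name}")
    for name in sorted(set(fields) - _ALLOWED):
        problems.append(f"unknown field {name}")
    if "Endpoint" in fields and not fields["Endpoint"].startswith("https://"):
        problems.append("Endpoint is not an https:// URL")
    return problems

def find_broken_references(app_settings):
    """Map setting name -> problems, for values that look like references."""
    return {
        name: problems
        for name, value in app_settings.items()
        if "Microsoft.AppConfiguration" in value
        and (problems := lint_reference(value))
    }

# Constructed sample settings (store name and keys are placeholders).
SAMPLE = {
    "EVENTGRID_KEY": "@Microsoft.AppConfiguration(Endpoint=https://example-store.azconfig.io; Key=EventGrid:Key:EVENTGRID_KEY;)",
    "OTHER_KEY": "@Microsoft.AppConfiguration(Endpoint=https://example-store.azconfig.io; Key=Other:Key)",
    "PLAIN": "just-a-literal",
}
```

Running `find_broken_references` over the settings map before applying it catches a reference that would otherwise be handed to the application as a literal string instead of the secret.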
I'm using Azure Data Lake Storage to store a large amount of files. I'm setting up an Azure API Management gateway in front of it, which rewrites the URI and sets the backend service to the ADLS REST API (Gen2).
At this point I'm trying to configure the Path - Read pass-through. My operation in APIM is /data/{filesystem}/{path}?timeout={timeout}, which I would like to be able to call as follows:
(timeout is optional)
filesystem: MyFileSystem
path: Path/To/File.json
GET https://example.com/api/data/MyFileSystem/Path/To/File.json
However, when I navigate to this operation in the Azure Portal and use the Test feature, it reports the following error:
{ "message": "Unable to identify Api or Operation for this request. Responding to the caller with 404 Resource Not Found." }
I understand that APIM is likely looking for an operation matching /MyFileSystem/Path/To/File.json and cannot find one.
For what it's worth, my Path - List endpoint works as I'd expect, which is why I know it's specifically the {path} that's holding me up.
GET https://example.com/api/data/MyFileSystem?recursive=true&resource=filesystem
200 OK
I imagine I can change from a template parameter to a query parameter, but I'd prefer to avoid that route for now. So, is there a way to have a template parameter that allows slashes?
Yes. Last template parameter may have slashes. Use {*path}.
You are right Santi, slashes in a template param will make APIM unable to find the corresponding operation to handle requests. What's more, it is useless to URL-encode the slashes, as APIM will URL-encode your param again if it includes special characters, which will mess up the path.
I tested your scenario on Azure storage; if you use "\" to replace "/" it works well, you can have a try on it:
Context
I want to get a resource's details with the Azure REST API. More particularly, I want to get the IAM associated with a resource.
Problem
So, I searched in the doc reference and found that endpoint: https://learn.microsoft.com/en-us/rest/api/resources/resources/get which provides an identity response attribute that meets my needs.
However, I can't find any information about the required path parameter parentResourcePath. What does that parameter mean and how can I get its value for a specific resource?
Also, when I tried going through the resources group path, I can get a path to the resource details but without the parentResourcePath parameter, and the response doesn't include the identity attribute.
Finally, am I going the right way (using GET resource API)? And if so, where can I find that parentResourcePath value?
Actually, you have a better choice - Resources - Get By Id.
The /subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{parentResourcePath}/{resourceType}/{resourceName} in the API Resources - Get is named resourceId, which is used in Resources - Get By Id.
But if you combine the properties manually, it is not easy; Azure has many different resource providers and resource types.
Generally, you could find the resourceId in your resource in the portal -> Properties. Also, the response of this API will include the identity which you need.
Sample:
Get a web app resource.
The resourceId is like /subscriptions/xxxxxxx/resourceGroups/joywebapp/providers/Microsoft.Web/sites/joywebapp2.
You can click Try it in the doc to try the api.
Response:
Well, I made it through the Role assignment list for scope endpoint, giving the subscription/resourcegroup/resource in the scope. And the output contains a principalId attribute that seems to point to a user or group or service principal.
Ref: https://learn.microsoft.com/en-us/rest/api/authorization/roleassignments/listforscope
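For the parentResourcePath question in this thread, an added example (not code from either answer) that splits a resource ID into the path parameters of Resources - Get, showing that parentResourcePath is empty for a top-level resource and holds the parent type/name pairs for a child resource. The function names and the nested Microsoft.Sql ID are constructed for illustration.

```python
def parse_resource_id(resource_id):
    """Split an ARM resource ID into the path parameters of Resources - Get."""
    parts = resource_id.strip("/").split("/")
    keys = [p.lower() for p in parts]
    if (len(parts) < 8 or keys[0] != "subscriptions"
            or keys[2] != "resourcegroups" or keys[4] != "providers"):
        raise ValueError(f"not a resource-group-scoped resource ID: {resource_id!r}")
    tail = parts[6:]  # alternating type/name segments after the namespace
    if len(tail) % 2:
        raise ValueError("type/name segments must come in pairs")
    return {
        "subscriptionId": parts[1],
        "resourceGroupName": parts[3],
        "resourceProviderNamespace": parts[5],
        # Everything between the namespace and the final type/name pair;
        # empty for a top-level resource.
        "parentResourcePath": "/".join(tail[:-2]),
        "resourceType": tail[-2],
        "resourceName": tail[-1],
    }


def get_by_id_url(resource_id, api_version):
    """URL for Resources - Get By Id; api_version is supplied by the caller."""
    parse_resource_id(resource_id)  # validate the shape before building the URL
    return ("https://management.azure.com/" + resource_id.strip("/")
            + "?api-version=" + api_version)


# The web app ID from the answer above, plus a constructed nested (child) resource.
TOP_LEVEL = "/subscriptions/xxxxxxx/resourceGroups/joywebapp/providers/Microsoft.Web/sites/joywebapp2"
NESTED = "/subscriptions/xxxxxxx/resourceGroups/rg1/providers/Microsoft.Sql/servers/srv1/databases/db1"
```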
According to the documentation the HttpTrigger API Key has the variable name code, like this:
https://<yourapp>.azurewebsites.net/api/<function>?code=<ApiKey>
Can I change this variable name? In my case I want to change it to access_token like this:
https://<yourapp>.azurewebsites.net/api/<function>?access_token=<ApiKey>
I want to do this because I want to use Azure Functions together with a 3rd party webhook that expects access_token as the variable name.
No, that name cannot be changed - it is part of our API and isn't configurable.
I am trying to export an Azure package using the GetPackage method of Service Management API.
I have tried both calling the REST API directly using a WebClient, and by using the Windows Azure Service Management Library package (I have posted the code I used as an answer to that question).
However, no matter the method I tried and how I constructed and/or encoded the container URI, I am always getting the following error:
400 Bad Request
Parameter value '...' specified for parameter 'ContainerUriString' is invalid.
The parameter in question is of the following form:
https://something.blob.core.windows.net/somecontainer
I verified that the storage account exists and is accessible (tried both public and private containers), even tried calling HttpUtility.UrlEncode() on the container URI (even though the SDK does it automatically).
Any ideas how to get this resolved?
Please ensure that the storage account where you want the files to be copied belongs to the same subscription as that of the Cloud Service.