I am trying to implement KeyVault managed Storage Account in Azure to rotate storage keys using KeyVault. I did follow the documentation, which uses both "ServicePrincipalID" and "UserPrincipalID", but in my case i am provisioning my resources and implementing all the steps involved using my service principal (as we deploy using VSTS with service principal) and using "ServicePrincipalID" as ObjectID in place of "UserPrincipalID" (as there is no user intervention during provisioning and post-provisioning process). I did give my service principal "Owner" role and all required permissions for keyvault to access storage. But when i do "Add-AzureKeyVaultManagedStorageAccount" i get the below error which says "KeyVault is unable to perform the action on behalf of the caller". So i am not sure what access i am still missing, even after making my principal as Owner. Please find my screenshots below for more details. Would be glad to hear any suggestions to cross this hurdle.
Error
KeyVault details
Thanks
Chaitanya Alladi.
i get the below error which says "KeyVault is unable to perform the action on behalf of the caller". So i am not sure what access i am still missing, even after making my principal as Owner.
Unfortunly, we can't do that with service principle now.
AAD doesn't support get OBO(OnBehalfOf) token for service principle caller tokens.
We need to use the user credentials instead of Service Principal credentials. There are some operations that are only possible on behalf of the user and not Service Principal when it comes to storage account keys as of now.
Related
I am using Azure API to create blob storage account.
For my old subscription it works, but after I created a new subscription, and tried to use it, the API fails with error:
The client 'xxx' with object id 'xxx' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/write' over scope '/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.Storage/storageAccounts/xxxx' or the scope is invalid. If access was recently granted, please refresh your credentials.
When I try to create it from the UI with that subscription it does work.
How can I solve the issue, so I will be able to use the API also with the new subscription?
Both subscriptions need to be in the same Azure AD directory. If they are not then you are out of luck (but you can move subscriptions between directories).
Click on your new subscription and go to Access Control. Look for your app registration and grant it the appropriate permission against your subscription.
You can also do this at the storage account level if you want to scope the app's permissions to only that resource.
I have an application (AWX) with a script that is trying to perform an action in Azure (add tags to a vm). In AWX, I get the following error, apparently from Azure: msg: "Error retrieving resource group usw-sys-rg-001 - The client '9d...27' with object id '9d...27' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/read' over scope '/subscriptions/83...4a/resourcegroups/usw-sys-rg-001' or the scope is invalid. If access was recently granted, please refresh your credentials."
Seems like straightforward message. The account/identity/principal being used is not authorized. The problem, is, the client id in the error message does not correlate with any credential object I have in AWX. And specifically it doesn't correlate with the Microsoft Azure Resource Manager credential I have in AWX. Not being the author of this AWX playbook, I'm a bit puzzled by all of this.
Since the error appears to come from Azure, and Azure doesn't seem to say that the client id doesn't exist, this makes me think that I should be able to find that identity in Azure (presumably it's a service principal) and inspect its permissions. However, when I filter through the app registrations, I can find no entry with a client id matching the one from the error message above.
How do I find the service principal in Azure Portal? Or is it something else?
I must be looking at this wrong. Does anyone have any pointers? Many thanks.
First, make sure you logged in to the correct Azure AD tenant in the portal.
Secondly, navigate to the Enterprise applications(not App registrations, because some service principals will not have corresponded App registration in your AAD tenant, e.g. Managed Identity, etc) in Azure Active Directory.
Then filter with All Applications like below, input the client id, then you will find it.
What I'm doing:
My machine learning developer is trying to manually provision a ML Workspace in Azure.
Error:
{"message":"The client 'name#company.com' with object id 'xxxxxxx-xxxxxx-xxxxx-xxxxxxetc.' does not have authorization to perform action 'Microsoft.MachineLearningServices/register/action' over scope '/subscriptions/'xxxxxxx-xxxxxx-xxxxx-xxxxxxetc.'' or the scope is invalid. If access was recently granted, please refresh your credentials. (Code: AuthorizationFailed)"}
What I've tried:
I see two existing discussions on this error from azure here and here. In both cases the users are using a service account with an API, and the gist of the solutions offered are to grant the service account the proper role assignments in access control. In my case, however, the user is trying to create the resource manually via the portal, and the user already has 'owner' role over the resource group. What more could I grant them? How does she refresh her credentials? Any pointers? THANKS!
Definitely looks like a permission issue. spitball ideas, maybe you also have to add the account to the subscription??
edit:
definitely seems like a bug!
https://github.com/MicrosoftDocs/azure-docs/issues/61114#issuecomment-677703149
I am trying to call Azure Maps with OAuth access tokens but it is throwing me 403 Forbidden with the message "Permission, capacity, or authentication issues.". I have followed procedure mentioned here: https://learn.microsoft.com/en-us/azure/azure-maps/azure-maps-authentication
Created App Registration in AD, generated secret
Added API permission to Azure Maps
In Azure Maps > IAM > added the application as Map Data Reader
Got the Access token from https://login.microsoftonline.com//oauth2/token with resource=https://atlas.microsoft.com/
Calling https://atlas.microsoft.com/route/directions/json?api-version=1.0&query=52.50931,13.42936:52.50274,13.43872 with x-ms-client-id and Authorization=Bearer
Same procedure works correctly for my personal free subscription but not in my company's subscription. Don't know how to debug.
For reference on how Azure RBAC works.
Ensure you have no deny assignments possibly enforced from management groups on the particular role.
Make sure the role assignment is applied to the correct scope. Meaning on the scope of an Azure Maps Account or a parent of the account such as the resource group or subscription.
If you have security principals assigned to the correct scope but still receiving 403. It usually means you have assigned or authenticating with the wrong security principal.
Example:
"App only" token for an App Registration requires the service principal App to be assigned at the scope.
If you as user authenticate as a user to the App Registration that would mean the user security principal should be assigned to the scope; Not the app.
If you are using Azure AD groups it could mean that the security principal may not be part of the group which is assigned access.
I don't think it's common to add service principals to security groups though. But it is a possibility which should be confirmed. There is also a possibility of delay before the permissions are propagated but this usually shouldn't take more than a few minutes.
Just to be thorough but may not apply here. Certain REST APIs require S1 sku to be selected on the account. This will result in the same error response.
We raised the ticket with Microsoft and they told us it was caused by:
longer synchronization times regarding the RBAC configurations
worldwide
I want to get the health and other resource details of a particular Azure Account or Subscription using these API's
https://learn.microsoft.com/en-us/rest/api/resourcehealth/availabilitystatuses/listbysubscriptionid
When i do TryIt on the web page it works, but If i want to do it using say PostMan or programatically, how do i generate the Authorization key, I have seen docs to create Authorization Key using "App Registrations", but i dont have any WebApp here, All i want to do is get the details of a particular account or subscription using Azure provided API calls and using any AD user with proper roles for authentication.
This link provides some details but then i dont have a clientid here, since i dont have any webapp
https://msdn.microsoft.com/en-gb/library/azure/dn645543.aspx
Please let me know if anyone has tried doing this.
Thanks
You have to register an app in Azure AD.
This does not need to be an actual "Web app".
You are registering a service principal (you can think of it as a service account).
After registering the app (with type Web App/API), generate a Key for it.
Write down the Application Id (Client Id) and the key (Client Secret).
Then give the service principal access through the Access Control (IAM) section on the subscription/resource group/resource where you want to give the app access to.
You can then follow the instructions here to generate the access token: https://msdn.microsoft.com/en-gb/library/azure/dn645543.aspx.
Remember to use https://management.azure.com/ as the resource since you are calling the ARM API.