Get publish profile returns unauthorised user - azure

I'm trying to debug a web API on azure and need to access the logs from FTP
Whenever I try and download the publish profile in order to learn my FTP connection details, I get an error page saying credentials were incorrect
How can this be if I'm already logged in?

Make sure you have privileged permissions to the resources which you are trying to access.
Incase if you haven’t set the credentials for your Web API, suggest you set the credentials first using the azure portal.
Select your Azure Web App/API -> under deployment credentials set your FTP deployment credentials. For more details, you can refer the below screenshot.
You could also use Get-AzurePublishSettingsFile PowerShell cmdlet to download the publish settings profile file.

Related

How to log in to Azure using az cli from a Gitlab CI runner?

I have generated a zip file of a Node.JS-based web app in Gitlab, and I am trying to deploy it as an Azure "web app" using az webapp deploy. This works fine on my local machine where I am logged in, but I can't for the life of me figure out how I can log in to Azure from the Gitlab runner, so that I can run that same command. I've tried:
Using the Publish Profile (already need to be logged in for that!)
Creating a managed identity with roles on the app (but I don't have access to AD)
Creating the managed system identity in the app's "Identity" pane (can't find any associated password?!)
Generating a JWT token to store in Gitlab as described in this question (I don't have access to the App Registrations functionality)
I don't want to use Azure to rebuild the application using the webhook system, I already have a known-working ZIP package that I want to deploy. My only hangup is logging in.
How can I log in to Azure -- i.e. what incantations do I have to provide to az login -- from a Gitlab CI runner, in order to deploy my website from a zipped Gitlab artifact to the App Service?
(note: I am a teacher and trying to figure this out for my students; it is possible that I am working with a somehow-limited Azure but my local IT doesn't support us for this and of course neither will Microsoft.)
If you cannot access the app registrations as discussed in a similar question and have no federation configured, your only options are to use a username and password (e.g. a user's username and password to authenticate to AAD), use a device code flow, or self-host your GitLab runner on Azure with a managed identity.
Using username and password
To use username is password is straightforward:
az login --tenant $YOUR_TENANT_ID -u $YOUR_USERNAME -p $YOUR_PASSWORD
However, this may not be possible if you normally do not login to Azure using a username and password (for example, you use OAuth or other federated login for the Azure portal and users have no passwords set). In which case, you will need to use the device code flow.
Using device code
To use device code flow, you will need to monitor the job output, copy the URL shown, and login from your browser every time your job runs. In your job, add the following:
az login --tenant $YOUR_TENANT_ID --use-device-code
In the job output you will see a message similar to the following:
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code YOUR-CODE-WILL-APPEAR-HERE to authenticate
Copy the code from the message, open your browser to the device login page and enter the code to allow your job to proceed.
Note: It is possible for organizations to disable this login method, in which case you will see an error when trying to login this way.
Self-hosting GitLab runner on Azure with a managed identity
Lastly, if you're not able to use any of the above methods, you can deploy the GitLab runner to Azure itself as an application that uses a managed identity (for example on AKS, ACI, or on a VM with a managed identity).
For example, you can configure a shell runner on an Azure VM. Azure VMs with a managed identity will not require az login to perform az cli commands.
Creating the managed system identity in the app's "Identity" pane (can't find any associated password?!)
The reason you can't find any associated password is because managed identities can only be leveraged from Azure services -- for example, Azure VMs using a managed identity are able to use az cli without logging in.

Cannot deploy to Azure App Service from VS Code or CLI

I am able to create a new Azure App Service on my Azure subscription from VS code. If I then try to deploy my python web application to the App Service that I just created I get a "401 - Unauthorized: Access" error. If I logon to the Azure portal I can view my newly created App Service. I can see on the Access Control page that I am listed as a contributor. I am not sure why I can not deploy my code or view files. Does anyone have suggestions as to security settings to check? I need to be able to deploy my code. Thank you.
#Kachopsticks, Apologies! If my response is to too late. To benefit the community, sharing the steps that could help isolate such issues:
There is a way to disable basic auth access to the WebDeploy port and SCM site with basicPublishingCredentialsPolicies, see if this is the case.
basicPublishingCredentialsPolicies --parent sites/ --set properties.allow=false
https://learn.microsoft.com/azure/app-service/deploy-configure-credentials?tabs=cli#webdeploy-and-scm
You could re-download the publish profile from Azure portal, and import publish settings in Visual Studio for deployment.
In the Azure portal, open the Azure App Service.
Go to Get publish profile and save the profile locally.
A file with a .publishsettings file extension has been generated in the location where you saved it and you may import that in VS and then attempt to re-deploy.
Additionally, Azure App Service supports two types of credentials for local-Git and FTP/S deployment:
User-level credentials one set of credentials for the entire Azure account.
App-level credentials (one set of credentials for each app. It can be used to deploy to that app only) -. They can't be configured manually, but can be reset anytime. For a user to be granted access to app-level credentials via (RBAC), that user must be contributor or higher on the app (including Website Contributor built-in role). Readers are not allowed to publish, and can't access those credentials.

Failed to connect to PostgreSQL with Azure AD User via Azure data studio

I am following this post and I have added Azure AD User to my Azure PostgreSQL. When I use admin user I can connect to the server but when I change to use Azure AD-based authentication, it always got error Token get failed .... I think I'm lost, please help me. Thanks in advance.
Not sure about the reason because you didn't provide details about how you configure the AAD-based authentication.
But there is a new, simpler way to sign-in with AAD account.
Please refer to New, simpler way to sign-in to Azure Database for PostgreSQL - Single Server using Azure AD.
You just need to configure the Azure AD Administrator in the Azure Portal.
Remember that when you try to sign in in Azure Data Studio, you need to specify the username as AADuser#{your AAD domain}.com#{PostgreSQL server name}

How to set or retrieve deployment credentials in Azure App Service?

I am writing an auto deployment service and I am already able to create my App Service resource via ARM Template using the ARM API but now I need to deploy the content there, Im planning use the Kudu Zip deployment API (https://github.com/projectkudu/kudu/wiki/Deploying-from-a-zip-file) but Im missing how to set or get the deploy username and password automatically through some api based process (not using the UI).
I know the site credentials are actually account-tied users, if you know a different kind of credential can be used to deploy, please point me the direction that would allow me release without a specifc person-oriented credential (an app credential instead)
If you want to get the publish credentials, you could use the
Web Apps - List Publishing Credentials Rest API to do that.
POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{name}/config/publishingcredentials/list?api-version=2016-08-01
About how to call the Azure Resource Manager REST API, please refer to this tutorial.
We also could use Azure SDK to get the publish credentials. For more information about how to use Kudu API or Azure SDK to get the publish credential, please refer to another SO thread.

How do I reset azure deployment credentials?

I have accidentally set a user name / password for FTP access through App -> Deployment Credentials -> FTP user name / password in azure portal.
I do not want FTP access to my sire / account. The action that I did set my user level credential for all apps on my account which is not what i desired.
How do I reset my credentials? I do not want a different FTP username, rather remove FTP access to my site completely. I followed the steps in this, but I cannot find the the "Quick Glance" menu in the new portal.
Use the 'Reset publish profile' button on the Overview blade of the App in the Azure portal.
It's situated in the top right here:
Edit 1:
Completely removing FTP access to the App Service is not (yet) supported, but the option is under review as you can read here: https://feedback.azure.com/forums/169385-web-apps/suggestions/8211222-option-to-disable-ftp-and-force-ftps-in-azure-we
Edit 2:
User-level credentials: one set of credentials for the entire Azure account. It can be used to deploy to App Service for any app, in any subscription, that the Azure account has permission to access. These are the default credentials set that you configure in App Services > <app_name> > Deployment credentials. This is also the default set that's surfaced in the portal GUI (such as the Overview and Properties of your app's resource blade).
Source: Configure deployment credentials for Azure App Service

Resources