Azure rest apis to ListKeys of classic storage account - azure

I wanted to retrieve the access keys of a classic storage account.
I found this online
POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{accountName}/listKeys?api-version=2016-12-01
But this is not applicable for a classic storage account. When I replace Microsoft.Storage with Microsoft.ClassicStorage, it throws the following error:
{
  "error": {
    "code": "InvalidRequestUri",
    "message": "The request uri is invalid. The requested path '/subscriptions/{subscriptionID}/resourceGroups/{myresourcegroup}/providers/Microsoft.ClassicStorage/storageAccounts/{myStorageAccount}/listKeys' is not found."
  }
}
NOTE: I am using Application permissions not delegated.

For classic storage accounts, the documented way to list keys is using the Service Management API (unfortunately I am not able to find the documentation).
You can get the keys for a classic storage account using the ARM API as well; however, it is not supported and Microsoft may remove that API completely at any time. To do so, simply use the following URL:
https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ClassicStorage/storageAccounts/{accountName}/listKeys?api-version=2015-06-01
It is also recommended that you convert your classic storage accounts to ARM storage accounts if possible.

Related

How do I access Azure Storage container from Azure Cognitive services

I am having an issue with transcribing (Speech-To-Text) an audio file hosted on Azure Storage container from the Cognitive Services API.
The services are of the same resource (and I created a VNet and they are part of the same subnet).
After I take the response from there the contentUrl:
The error I get is:
{
  "successfulTranscriptionsCount": 0,
  "failedTranscriptionsCount": 1,
  "details": [
    {
      "source": "https://{service-name}.blob.core.windows.net/meetingnotes/Meeting82035.wav",
      "status": "Failed",
      "errorMessage": "Error when downloading the recording URI. StatusCode: Conflict.",
      "errorKind": "DownloadRecordingsUrisUnknownError"
    }
  ]
}
I tested in my environment and was getting the same error as you.
To resolve the issue, you need to append the SAS token to the blob URL in the contentUrls field.
For generating the SAS token, I allowed all the permissions, as I have done in the picture below.
Generated Transcript report
Final OutPut Once Clicked on ContentUrl
I contacted Azure support and they provided the correct solution, which is to add the Role “Storage Blob Data Contributor” to the speech services resources.
Go to IAM of your storage account
Go to Role Assignments
Click "Add", then add your speech service in Managed Identities.
That should fix it.

Azure ADF using Azure Batch throws Shared Access Signature generation error

I am working on a simple Azure Data Factory pipeline where I have simply added a Batch Service and in that specified the Batch Service account (which I have created through a linked service, and I tested that the connection is working). In the command I am just running a simple "ls" command, and when I do a debug run I get this error: "Cannot create Shared Access Signature unless Account Key credentials are used." I have the following linked services: "Azure Batch", "Azure Blob Storage" and Key Vault (where we store the access key). All linked service connections are working properly.
Any help on how to fix this error: "Cannot create Shared Access Signature unless Account Key credentials are used."
Azure Batch Linked service:
Azure Storage Linked service:
Azure Data factory pipeline:
The issue happens because you use "Managed Identity" to connect ADF to the Storage. It will say "successful" when doing a connection test on the linked services but when this storage is used for a Batch, it needs to have "Account Key" authentication type (see here).

Azure Data Factory: Access token from MSI failed for Data Factory

Details of the Error: Get access token from MSI failed for Datafactory XXXX, region XXXX. Please verify resource url is valid and retry. Details: Accquire MI token from MI store V1 failed.
Error Code: 2403
Failure type: User Configuration issue
I used a Web activity in Azure Data Factory to access an Azure Function app using MSI.
I also had this kind of issue and it took me some time to figure out the right resource ID for the token I needed.
First of all, the "Web-Activity" in ADF or Azure Synapse can be used for performing Azure REST API calls quite well.
But we have to understand that "access token" is not always the same "access token". Azure AD provides different access token depending on the resource provider you want to access.
Here is a list of Resource IDs you can use:
https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/services-support-managed-identities#azure-services-that-support-azure-ad-authentication
Unfortunately it doesn't seem up to date, as in my case I'm using https://dev.azuresynapse.net (which is not listed in the docs yet).
As an alternative, there is the Azure Function activity in Azure Data Factory. You can try that: https://learn.microsoft.com/en-us/azure/data-factory/control-flow-azure-function-activity
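A diagnostic for the point made above that a token is issued for one resource: it reads the `aud` claim of a token and compares it with the audience the target host expects. This is an added example, not code from any of the posts; the host-to-audience table uses only the resource URIs named on this page, the suffix matching for per-account and per-workspace hosts is an assumption, and the sample token is constructed and unsigned.

```python
import base64
import json
from urllib.parse import urlsplit

# Host pattern -> audience (resource URI). Entries starting with "." match as a
# suffix (assumption: per-account / per-workspace hostnames).
EXPECTED_AUDIENCE = {
    "management.azure.com": "https://management.azure.com/",
    ".dev.azuresynapse.net": "https://dev.azuresynapse.net",
    ".blob.core.windows.net": "https://storage.azure.com/",
}

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def expected_audience(url):
    """Return the audience expected by the URL's host, or None if unknown."""
    host = (urlsplit(url).hostname or "").lower()
    for pattern, aud in EXPECTED_AUDIENCE.items():
        if host == pattern or (pattern.startswith(".") and host.endswith(pattern)):
            return aud
    return None

def check_token_for(url, token):
    """Return (ok, message): does the token's aud fit the API being called?"""
    want = expected_audience(url)
    if want is None:
        return False, "no known audience for this host"
    got = jwt_claims(token).get("aud", "")
    # Simplification: ignore a trailing slash when comparing.
    if got.rstrip("/") == want.rstrip("/"):
        return True, "audience matches"
    return False, f"token aud is {got!r}, expected {want!r}"

def _sample_token(claims):
    """Build a constructed, unsigned token for the demo below."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])

SAMPLE = _sample_token({"aud": "https://management.azure.com/"})

if __name__ == "__main__":
    print(check_token_for("https://myworkspace.dev.azuresynapse.net/pipelines", SAMPLE))
    print(check_token_for("https://management.azure.com/subscriptions", SAMPLE))
```
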

Limit Azure Blob Access to WebApp

Situation:
We have a web-app on azure, and blob storage, via our web-app we write data into the blob, and currently read that data back out returning it as responses in the web-app.
What we're trying to do:
Trying to find a way to restrict access to the blob so that only our web-app can access it. Currently setting up an IP address in the firewall settings works fine if we have a static IP (we often test running the web app locally from our office and that lets us read/write to the blob just fine). However when we use the IP address of our web app (as read from the cross domain page of the web app) we do not get the same access, and get errors trying to read/write to the blob.
Question:
Is there a way to restrict access to the blob to the web app without having to set up a VPN on azure (too expensive)? I've seen people talk about using SAS to generate time valid links to blob content, and that makes sense for only allowing users to access content via our web-app (which would then deliver them the link), but that doesn't solve the problem of our web-app not being able to write to the blob when not publicly accessible.
Are we just trying to misuse blobs? Or is this a valid way to use them, but you have to do so via the VPN approach?
Another option would be to use Azure AD authentication combined with a managed identity on your App Service.
At the time of writing this feature is still in preview though.
I wrote an article on how to do this: https://joonasw.net/view/azure-ad-authentication-with-azure-storage-and-managed-service-identity.
The key parts:
Enable Managed Identity
Add the generated service principal to the necessary role in the storage account/blob container
Change your code to use AAD access tokens acquired with the managed identity instead of access key/SAS token
Acquiring the token using https://www.nuget.org/packages/Microsoft.Azure.Services.AppAuthentication/1.1.0-preview:
private async Task<string> GetAccessTokenAsync()
{
    var tokenProvider = new AzureServiceTokenProvider();
    return await tokenProvider.GetAccessTokenAsync("https://storage.azure.com/");
}
Reading a blob using the token:
private async Task<Stream> GetBlobWithSdk(string accessToken)
{
    var tokenCredential = new TokenCredential(accessToken);
    var storageCredentials = new StorageCredentials(tokenCredential);
    // Define the blob to read
    var blob = new CloudBlockBlob(new Uri($"https://{StorageAccountName}.blob.core.windows.net/{ContainerName}/{FileName}"), storageCredentials);
    // Open a data stream to the blob
    return await blob.OpenReadAsync();
}
SAS Keys is the correct way to secure and grant access to your Blob Storage. Contrary to your belief, this will work with a private container. Here's a resource you may find helpful:
http://www.siddharthpandey.net/use-shared-access-signature-to-share-private-blob-in-azure/
Please also review Microsoft's guidelines on securing your Blob storage. This addresses many of the concerns you outline and is a must read for any Azure PaaS developer:
https://learn.microsoft.com/en-us/azure/storage/common/storage-security-guide
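SAS URLs come up twice on this page: in the transcription answer, where the token was generated with all permissions, and in the answer above. The following added example (not code from either post) audits a SAS URL before it is handed out, flagging permissions beyond what the consumer needs, container-wide scope, missing HTTPS restriction and long lifetimes. The policy values (read-only, 24 hours) are assumptions, and the sample URLs are constructed.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

def audit_sas_url(url, needed="r", max_lifetime=timedelta(hours=24), now=None):
    """Return findings for a blob SAS URL; an empty list means nothing to flag.

    needed and max_lifetime are assumed policy values: the consumer only has to
    read the blob, and a token should not outlive one day.
    """
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "sig" not in q:
        return ["no sig parameter: not a SAS URL"]
    findings = []
    granted = set(q.get("sp", ""))
    extra = "".join(sorted(granted - set(needed)))
    if extra:
        findings.append(f"sp grants more than {needed!r}: {extra}")
    if set(needed) - granted:
        findings.append(f"sp lacks required permission(s) {needed!r}")
    if q.get("sr") == "c":
        findings.append("sr=c: token covers the whole container, not one blob")
    if parts.scheme != "https" or q.get("spr") != "https":
        findings.append("spr does not restrict the token to HTTPS")
    try:
        # Only the full-seconds UTC form of se is handled here.
        expiry = datetime.strptime(q["se"], "%Y-%m-%dT%H:%M:%SZ")
        expiry = expiry.replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        findings.append("se (expiry) missing or not YYYY-MM-DDThh:mm:ssZ")
    else:
        if expiry <= now:
            findings.append("token has already expired")
        elif expiry - now > max_lifetime:
            findings.append(f"token valid for {(expiry - now).days} more days")
    return findings

# Constructed sample URLs; account name and sig values are placeholders.
BASE = "https://exampleaccount.blob.core.windows.net/meetingnotes/Meeting82035.wav"
BROAD = BASE + "?sv=2021-06-08&sr=c&sp=racwdl&se=2030-01-01T00:00:00Z&sig=PLACEHOLDER"
NARROW = BASE + "?sv=2021-06-08&sr=b&sp=r&spr=https&se=2024-01-01T02:00:00Z&sig=PLACEHOLDER"

if __name__ == "__main__":
    at = datetime(2024, 1, 1, tzinfo=timezone.utc)
    for name, url in (("broad", BROAD), ("narrow", NARROW)):
        print(name, audit_sas_url(url, now=at))
```
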

Unable to deploy the index and grammar file in KES

I'm using Knowledge Exploration Service by Azure. I've prepared a grammar and an index file. Since the size of it was small, I was able to run it on my local machine and on an Azure VM.
But now, I want to deploy this service. The issue is that when I run the command kes deploy_service, it is unable to download the blob from Azure Storage, even when I try to provide the file from my local machine.
I followed the same steps on an Azure VM and I receive the same errors.
>kes deploy_service Some.grammar Some.index kes-example
00:00:00 Index: Some.index
00:00:00 ERROR: Invalid value for index parameter: 'Some.index' is not a blob URI.
>kes deploy_service Some.grammar https://storagename.blob.core.windows.net/containername/Some.index kes-example
00:00:00 Index: https://storagename.blob.core.windows.net/containername/Bell.index
00:00:02 ERROR: ResourceNotFound: The storage account 'storagename' was not found.
The container has public access. I can download the file via the browser and even via Azure CLI.
What am I missing here?
EDIT: Adding a sample index file which I've uploaded on Azure Storage with public access. This index file was generated using the Academic example in the documentation.
>kes describe_index https://kesstorage.blob.core.windows.net/kess/Academic.index
ERROR: ResourceNotFound: The storage account 'kesstorage' was not found.
kes.exe is using the old Service Management API. It is querying the API for Storage Accounts in your subscription, but this API predates Azure Resource Manager (ARM), and therefore has no knowledge of ARM Storage Accounts. You will need to use a Classic Storage Account instead.
For a tutorial on how to create a Classic storage account, refer to this link: https://learn.microsoft.com/en-us/azure/storage/common/storage-create-storage-account#create-a-storage-account
