Azure Function - Change the name of the variable "code" - azure

According to the documentation the HttpTrigger API Key has the variable name code, like this:
https://<yourapp>.azurewebsites.net/api/<function>?code=<ApiKey>
Can I change this variable name? In my case I want to change it to access_token like this:
https://<yourapp>.azurewebsites.net/api/<function>?access_token=<ApiKey>
I want to do this because I want to use Azure Functions together with a 3rd party webhook that expects access_token as the variable name.

No, that name cannot be changed - it is part of our API and isn't configurable.

Related

Azure - Reading App Config directly from Function App's Configuration in azure

TLDR
Can I automatically retrieve values from App Configuration through the Function App Configuration variables section, similar to AWS retrieving App Config/Secret values?
I come from an AWS background and one thing I am used to doing is storing my sensitive information in App Config/Secrets Manager and then directly referencing the sensitive info in the lambda environment variables.
I've been looking for a way to replicate this in Azure and I've been struggling as everything I've found so far seems to want me to change my application code to get the data from App Configuration when all I want to do is update my terraform configuration.
The closest I thought I'd gotten was this documentation since it says
Use App Configuration references for App Service and Azure Functions (preview)
and the format looks like something you could store as a value in the function app's ENV var configuration section... but when I attempted to do this, I got an error because of invalid characters. Now I'm thinking that the docs I referenced above are also just another way to change my application code to reference this new location.
I'm probably missing something obvious here so I was hoping someone could point me in the right direction because I do not want to have to change dotnet code to do something as simple as
- dotnet code references 'ENV_VAR'
- Function App configuration blade has key 'ENV_VAR' w/ a value of something like APP_CONFIG(KEY)
- Value automatically retrieved from App Configuration and used in code
What I would like to avoid
- dotnet code changed to reference App Configuration
- when app runs it bypasses function app configuration and gets directly from app config
The reason I would like to avoid this is
There's no reason I should have to update application code when the end result that I need is to use an ENV variable and
there are some ENV variables that are required by Azure for a function app to work and they contain things like the storage API Key, which I'd prefer to keep in a centralized location that I can have more restrictive access policies for
EDIT
I received this error when it attempted to retrieve the value
The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters.
and
The request authorization key is not authorized for DEV-MyACCT-TEST.EASTUS-1.EVENTGRID.AZURE.NET. This is due to the reason: The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters
EDIT 2
I verified that it's not attempting to get the secret from app configuration at all. Here are screenshots of what the environment variable is in the function and how I have it stored in app configuration
Returned ENV variable in response of request:
{
"message": "(Id: asdfasdfasdf) Env Var: #Microsoft.AppConfiguration(Endpoint=https://<my app config name>.azconfig.io; Key=EventGrid:Key:EVENTGRID_KEY)"
}

The issue was that while my Function App did have a user assigned managed identity which gave it permission to read the App Configuration, and I did have the app configuration as the target, I did not fully understand how permissions work in Azure, specifically that granting access to a resource w/ a specific Role and then assigning that UAMI to a Function App is not enough to actually give it permission. I needed to do one more step, which was to update a parameter for the keyvault, because even though I'm not using key vault, that is the parameter which uses the managed identity.
Additionally, Terraform's documentation hasn't been updated yet to indicate that you'd put the ID used for app configuration in the key vault ID section.
The last thing which threw me off is that instead of giving an error letting me know I didn't have access to App Configuration when attempting to access it, it seems it just didn't even try. It turns out the reason for that was that I had an extra ; at the end of the string before the parenthesis and instead of throwing an error, it just treated it like a plain string and didn't attempt to connect to App Configuration.
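
A pre-deployment check for the silent fallback described above, as an added example that is not part of the original post. It assumes the documented reference form `@Microsoft.AppConfiguration(Endpoint=...; Key=...; Label=...)` and is deliberately stricter than the platform's own parser may be; the setting names and store URL are constructed.

```python
from urllib.parse import urlparse

# Documented reference form (assumption: this linter is stricter than the platform):
#   @Microsoft.AppConfiguration(Endpoint=https://<store>.azconfig.io; Key=<key>; Label=<label>)
PREFIX = "@Microsoft.AppConfiguration("
ALLOWED = {"Endpoint", "Key", "Label"}
REQUIRED = {"Endpoint", "Key"}

# Constructed app settings; the first one carries the extra ';' before ')'.
SAMPLE = {
    "EVENTGRID_KEY": "@Microsoft.AppConfiguration(Endpoint=https://example-store.azconfig.io; Key=EventGrid:Key:EVENTGRID_KEY;)",
    "OTHER_KEY": "@Microsoft.AppConfiguration(Endpoint=https://example-store.azconfig.io; Key=EventGrid:Key:EVENTGRID_KEY)",
    "PLAIN": "hello",
}


def lint_reference(value):
    """Return a list of problems; an empty list means the value looks well formed."""
    if not value.startswith(PREFIX):
        return ["not an App Configuration reference (would be used as a plain string)"]
    if not value.endswith(")"):
        return ["missing closing parenthesis"]
    body = value[len(PREFIX):-1]
    problems = []
    if body.rstrip().endswith(";"):
        problems.append("trailing ';' before ')'")
    fields = {}
    for part in (p.strip() for p in body.split(";")):
        if not part:
            continue
        name, sep, val = part.partition("=")
        name = name.strip()
        if not sep or name not in ALLOWED:
            problems.append(f"unexpected segment: {part!r}")
        elif name in fields:
            problems.append(f"duplicate field: {name}")
        else:
            fields[name] = val.strip()
    problems += [f"missing required field: {n}" for n in sorted(REQUIRED - fields.keys())]
    if "Endpoint" in fields and urlparse(fields["Endpoint"]).scheme != "https":
        problems.append("Endpoint is not an https URL")
    return problems


def lint_settings(settings):
    """Lint every app setting whose value mentions the reference marker."""
    return {k: p for k, v in settings.items()
            if "Microsoft.AppConfiguration" in v and (p := lint_reference(v))}
```

Running `lint_settings` over the planned app settings before `terraform apply` surfaces a malformed reference that the platform would otherwise hand to the code as a literal string.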

ADF error when reusing parameter in replace function

I am parameterizing a Linked Service (SQL server) in ADF, but have trouble reusing parameters for different service properties as Dynamic Content.
I have created more parameters for the SQL Server properties:
ServerName
Environment
DatabaseName
DBUserName
A Key Vault is used to store sensitive information for the properties, where the Secret names are created like "POC-USER-MYDOMAIN-MYUSER".
The DBUserName parameter for the Linked Service contains a Windows Login like "MyDomain\MyUser". I use the DBUserName parameter for property "User name" and for the password stored in Key Vault.
Property "User name" has this dynamic content "#{linkedService().DBUserName}", and the Key Vault Secret name has this dynamic content "#{linkedService().Environment}-USER-#{replace(linkedService().DBUserName, '', '-')}".
When I execute "Test connection" I use these parameters:
And "Test connection" returns this error:
I can get it working, if I create a new parameter named "DBUserNameCopy", copy value from "DBUserName". Then change either property "User name" or property "Key Vault Secret name" dynamic content to use the new parameter. And execute "Test connection" with:
So the two properties' dynamic content is working correctly, but only if they don't share one parameter.
I tried different things to avoid this error, but ended up with the conclusion: You cannot use the same parameter in multiple properties, if you use the replace function (I don't know if it's related to all functions).
Anyone know how to get this to work?

I tried this scenario, and it seems that you cannot use the same linked service parameter in two dynamic expressions. In your case you used the DBUsername twice, once in the user name dynamic expression and the second in constructing the key vault secret name. Aside from your workaround of creating a parameter with a different name, I would manipulate the value you pass to the key vault secret name parameter outside the linked service: do this in the data set that references the linked service; in the data set definition, include the dynamic expression that prepares the parameter value.

Azure REST API get resource parentResourcePath parameter

Context
I want to get a resource's details with the Azure REST API. And more particularly, I want to get the IAM associated with a resource.
Problem
So, I searched in the doc reference and found that endpoint: https://learn.microsoft.com/en-us/rest/api/resources/resources/get which provides an identity response attribute that meets my needs.
However, I can't find any information about the required path parameter parentResourcePath. What does that parameter mean and how can I get its value for a specific resource?
Also, when I tried going through the resources group path, I can get a path to the resource details but without the parentResourcePath parameter, and the response doesn't include the identity attribute.
Finally, am I going the right way (using GET resource API)? And if so, where can I find that parentResourcePath value?

Actually, you have a better choice - Resources - Get By Id.
The /subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{parentResourcePath}/{resourceType}/{resourceName} in the API Resources - Get is named resourceId, which is used in Resources - Get By Id.
But if you combine the properties manually, it is not easy; Azure has many different resource providers and resource types.
Generally, you could find the resourceId in your resource in the portal -> Properties. Also, the response of this API will include the identity which you need.
Sample:
Get a web app resource.
The resourceId is like /subscriptions/xxxxxxx/resourceGroups/joywebapp/providers/Microsoft.Web/sites/joywebapp2.
You can click Try it in the doc to try the api.

Well, I made it through the Role assignment list for scope endpoint, giving the subscription/resourcegroup/resource in the scope. And the output contains a principalId attribute that seems to point to a user or group or service principal.
Ref: https://learn.microsoft.com/en-us/rest/api/authorization/roleassignments/listforscope
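
How the path parameters in the template quoted above map onto a resourceId, as an added example that is not part of the original answers. It handles resource-group-scoped IDs with a single provider only; the nested SQL database ID used in the comments and tests is constructed, and the function names are hypothetical.

```python
# Fixed segments of the template quoted in the answer, by position.
REQUIRED_LAYOUT = ((0, "subscriptions"), (2, "resourcegroups"), (4, "providers"))


def parse_resource_id(resource_id):
    """Split a resourceId into the path parameters of Resources - Get."""
    segs = [s for s in resource_id.split("/") if s]
    if len(segs) < 8 or any(segs[i].lower() != name for i, name in REQUIRED_LAYOUT):
        raise ValueError("not a resource-group-scoped resource ID")
    tail = segs[6:]  # alternating type/name pairs after the provider namespace
    if len(tail) % 2 or "providers" in (s.lower() for s in tail):
        raise ValueError("nested providers or unbalanced type/name pairs are not handled")
    return {
        "subscriptionId": segs[1],
        "resourceGroupName": segs[3],
        "resourceProviderNamespace": segs[5],
        # Everything between the namespace and the final type/name pair;
        # empty for a top-level resource such as Microsoft.Web/sites/<name>.
        "parentResourcePath": "/".join(tail[:-2]),
        "resourceType": tail[-2],
        "resourceName": tail[-1],
    }


def build_resource_id(p):
    """Inverse of parse_resource_id: assemble the resourceId from its parts."""
    parent = [p["parentResourcePath"]] if p["parentResourcePath"] else []
    return "/" + "/".join([
        "subscriptions", p["subscriptionId"],
        "resourceGroups", p["resourceGroupName"],
        "providers", p["resourceProviderNamespace"],
        *parent, p["resourceType"], p["resourceName"],
    ])
```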

New-AzureStorageContext: Endpoint vs Environment

For the New-AzureStorageContext cmdlet, assuming I know the value for both, what are the differences between the Endpoint and Environment parameters?
For example, let's say I want a new storage context named foo within the Azure China cloud, so the environment is AzureChinaCloud and the endpoint would be foo.core.chinacloudapi.cn. I can pass either of those in as a parameter to the cmdlet, although it appears from the docs that they are mutually exclusive.
What would functionally be different between passing one or the other? If I pass Environment, does the created storage context not have an endpoint? If it does have an endpoint, is it not set to foo.core.chinacloudapi.cn? If I pass the Endpoint, does the context not get set to AzureChinaCloud? Is it even possible not to have one or the other?
Furthermore, the returned AzureStorageContext has a number of properties related to endpoint: BlobEndPoint, EndPointSuffix, FileEndPoint, QueueEndPoint, and TableEndPoint. Which of these properties should be set when passing either Environment or Endpoint?

what are the differences between the Endpoint and Environment parameters?
Endpoint: it contains the storage account name and the azure environment; if AzureCloud, it will be storagename.core.windows.net, if AzureChinaCloud, it will be storagename.core.chinacloudapi.cn like you mentioned. It belongs to Optional Parameters.
Environment: it just specifies the environment and does not contain the storage account name.
If I pass Environment, does the created storage context not have an endpoint? If it does have an endpoint, is it not set to foo.core.chinacloudapi.cn? If I pass the Endpoint, does the context not get set to AzureChinaCloud?
I think you don't need to use both of them; if you pass the account name and environment, the context will have the endpoint. Also, if you pass the endpoint, it will have the environment.
Is it even possible not to have one or the other?
Of course, you could use other parameters to create the context, e.g. you could just use StorageAccountName and StorageAccountKey to create the context, you could find it in the doc you mentioned.
Which of these properties should be set when passing either Environment or Endpoint?
The four properties are all decided by the endpoint; if you pass the endpoint, I think you don't need to set them. E.g. if the endpoint is storagename.core.windows.net, the BlobEndPoint will be storagename.blob.core.windows.net.
Update:
what are the differences between the Endpoint and Environment parameters?
Different environments decide different endpoints; you could check it by the command: Get-AzureRmEnvironment. If AzureCloud, it will be core.windows.net; if AzureChinaCloud, it will be core.chinacloudapi.cn.
If I pass Environment, does the created storage context not have an endpoint? If it does have an endpoint, is it not set to foo.core.chinacloudapi.cn? If I pass the Endpoint, does the context not get set to AzureChinaCloud?
You could just use one of them, refer to the screenshot, note: actually the Endpoint means EndPointSuffix, you could find it in my test result. So we should pass e.g. -Endpoint "core.windows.net" instead of -Endpoint "storagename.core.windows.net". If we pass -Endpoint "storagename.core.windows.net", it will be incorrect, the EndPointSuffix will be storagename.core.windows.net in the result.
Which of these properties should be set when passing either Environment or Endpoint?
In the above screenshots, I don't pass any of these four endpoints, but you could find the result will have all of them. Also you don't need to pass EndPointSuffix, it equals EndPoint.

Azure Logic App Request Trigger authorization

I have a Logic App with an HTTP initial trigger that is all set up:
When I make the POST to the URL that is given to me (looks like https://___.azure.com/workflows/___/triggers/manual/paths/invoke?____), I get back:
{"error": {
"code":"AuthorizationFailed",
"message":"The authentication credentials are not valid."
}}
For this case, I need to accept anonymous calls.
Where in the Azure Portal do I setup the permissions for this?
The closest I've found is the "Access Control Configuration", and it is set like this:

Logic Apps does not allow anonymous calls; you are required to provide the SAS key, which is provided in the URL generated on the request card.

Found the issue. My client-side code was appending a parameter to the URL without realizing the URL already had query parameters. As such, it was adding to the last parameter rather than adding a new parameter. With that fixed, the call works.

Yes, the URL that will be present at the callback URL while creating should work. Does your URL have SP, sv and sig query parameters?
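
The client-side bug described above, next to a query-aware way of adding a parameter, as an added example that is not part of the original posts. The callback URL, its host and all parameter values are constructed placeholders, and the function names are hypothetical.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters the last answer asks about.
SAS_PARAMS = ("sp", "sv", "sig")

# Constructed callback URL: host, workflow id and values are placeholders.
CALLBACK_URL = ("https://logic.example.invalid/workflows/WORKFLOW_ID/triggers/manual/paths/invoke"
                "?sp=CONSTRUCTED_SP&sv=CONSTRUCTED_SV&sig=CONSTRUCTED_SIG")


def query_pairs(url):
    """Return the URL's query string as a list of (name, value) pairs."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def naive_append(url, name, value):
    """The bug: assumes the URL has no query string yet."""
    return f"{url}?{name}={value}"


def add_query_param(url, name, value):
    """Append a parameter as a new query pair, leaving existing pairs intact."""
    pairs = query_pairs(url) + [(name, value)]
    return urlunsplit(urlsplit(url)._replace(query=urlencode(pairs)))


def sas_problems(url, reference_url):
    """List SAS parameters that are missing or changed relative to the generated URL."""
    got, want = dict(query_pairs(url)), dict(query_pairs(reference_url))
    return [f"{p} missing" if p not in got else f"{p} altered"
            for p in SAS_PARAMS if got.get(p) != want.get(p)]
```

With the naive append the extra text ends up inside the value of `sig`, so the signature no longer matches and the request is rejected as unauthenticated.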
