How do I use endpointUrl in an inline datasource binding? - azure

I'm writing a custom task to publish documents to the Azure API portal. I want the UI for the task to list out the available API Management services for a selected Subscription and Resource Group. According to this issue, this should technically be possible by specifying the endpointUrl inline with my datasource binding. I've tried to model the endpoint after the datasources in the Azure RM Web Deployment task, but I can't seem to get it working. In my task I am able to select my subscription, select my resource group, but the pickList for my custom data source is always empty. I'm not doing any explicit authentication in my task definition, so I'm not sure if that's somehow related. Below are the inputs and dataSourceBindings for my task:
"inputs": [
  {
    "name": "ConnectedServiceName",
    "type": "connectedService:AzureRM",
    "label": "Azure RM Subscription",
    "defaultValue": "",
    "required": true,
    "helpMarkDown": "Select the Azure Resource Manager subscription for the deployment."
  },
  {
    "name": "ResourceGroupName",
    "label": "Resource Group",
    "type": "pickList",
    "required": true,
    "helpMarkDown": "Select resource group which contains the API portal"
  },
  {
    "name": "ApiPortalName",
    "type": "pickList",
    "label": "API Portals",
    "defaultValue": "",
    "required": true,
    "properties": {
      "EditableOptions": "True"
    },
    "helpMarkDown": "Select the Azure Resource Manager subscription for the deployment."
  }
],
"dataSourceBindings": [
  {
    "target": "ResourceGroupName",
    "endpointId": "$(ConnectedServiceName)",
    "dataSourceName": "AzureResourceGroups"
  },
  {
    "name": "ApiPortals",
    "target": "ApiPortalName",
    "endpointId": "$(ConnectedServiceName)",
    "endpointUrl": "https://management.azure.com/subscriptions/$(endpoint.subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.ApiManagement/service?api-version=2016-07-07",
    "resultSelector": "jsonpath:$.value[*].name",
    "parameters": {
      "ResourceGroupName": "$(ResourceGroupName)"
    }
  }
]
UPDATE
After inspecting the console in Chrome I received an error message indicating that I cannot call URLs that don't start with {{endpoint.url}}. I updated my task with {{endpoint.url}} at the root and I did see it attempt to make the API call I expected:
{
  "name": "ApiPortals",
  "target": "ApiPortalName",
  "endpointId": "$(ConnectedServiceName)",
  "endpointUrl": "{{endpoint.url}}/subscriptions/$(endpoint.subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.ApiManagement/service?api-version=2016-07-07",
  "resultSelector": "jsonpath:$.value[*].name",
  "parameters": {
    "ResourceGroupName": "$(ResourceGroupName)"
  }
}
The problem now is that for some reason endpoint.url resolves to https://management.core.windows.net for Azure RM endpoint types. Azure RM APIs are hosted at https://management.azure.com. As a result I am receiving a 403 since my endpoint credentials are for an Azure RM Service Principal, not the Azure Classic Management APIs.
I've updated my GitHub issue with this information as well. I believe this is a bug and endpoint.url for the Azure RM Service endpoint should resolve to https://management.azure.com. If you look at the data sources that are defined in the Azure RM Service Endpoint, they all reference APIs hosted at https://management.azure.com, not https://management.core.windows.net.

Check the custom build task JSON schema: you cannot use "endpointUrl" and "resultSelector" for "dataSourceBindings" in task.json. They are used to define a custom service endpoint in the vss-extension.json file. You also missed the "dataSourceName" for "ApiPortals".
If you want to call the REST API with a URL and use the selector from task.json, you can use "sourceDefinitions" instead of "dataSourceBindings". Refer to my answer in this question for details. However, only basic authentication is supported with "sourceDefinitions" for now, which means that this is not applicable to your scenario either.
So you need to create a custom service endpoint to achieve the feature you want for now.
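To make concrete what the binding in the question's update is asking the task UI to do, here is an added Python example. It is written for this page and is not code from the question, from the answer, from Azure DevOps or from the task library. It expands {{endpoint.url}}, $(endpoint.subscriptionId) and $(ResourceGroupName) in the endpointUrl, applies the same "must start with endpoint.url" rule the browser console reported, and reduces a constructed ARM list response with the jsonpath:$.value[*].name selector. The endpoint values, the sample response and every function name are assumptions; the JSONPath evaluator covers only the subset that selector needs. One point the page does not spell out: the substituted values end up in a URL that is requested with the service endpoint's credentials, so they are percent-encoded before substitution to stop a crafted resource group name from injecting path segments or query parameters.

```python
import re
from urllib.parse import quote, urlsplit

# Values an Azure RM service endpoint exposes to a binding (constructed for this example;
# the subscription id is a placeholder, the url is what the asker saw endpoint.url resolve to).
ENDPOINT = {
    "url": "https://management.core.windows.net",
    "subscriptionId": "11111111-2222-3333-4444-555555555555",
}

# The endpointUrl template from the question's updated binding.
APIM_TEMPLATE = (
    "{{endpoint.url}}/subscriptions/$(endpoint.subscriptionId)"
    "/resourceGroups/$(ResourceGroupName)"
    "/providers/Microsoft.ApiManagement/service?api-version=2016-07-07"
)

# Constructed ARM list response, shaped like GET .../Microsoft.ApiManagement/service.
SAMPLE_ARM_RESPONSE = {
    "value": [
        {"name": "apim-dev", "type": "Microsoft.ApiManagement/service", "location": "West Europe"},
        {"name": "apim-prod", "type": "Microsoft.ApiManagement/service", "location": "West Europe"},
    ]
}

ENDPOINT_VAR = re.compile(r"\$\(endpoint\.(\w+)\)")
INPUT_VAR = re.compile(r"\$\((\w+)\)")
PATH_TOKEN = re.compile(r"\.(\w+)|\[(\*)\]")


def resolve_endpoint_url(template, endpoint, inputs):
    """Expand {{endpoint.url}}, $(endpoint.<field>) and $(<InputName>) in an endpointUrl.

    Every substituted value is percent-encoded with safe="" so an input such as
    "rg/../../evil" or "rg?api-version=2099" cannot add path segments or query
    parameters to a request made with the endpoint's credentials.
    """
    url = template.replace("{{endpoint.url}}", endpoint["url"].rstrip("/"))
    url = ENDPOINT_VAR.sub(lambda m: quote(str(endpoint[m.group(1)]), safe=""), url)
    url = INPUT_VAR.sub(lambda m: quote(str(inputs[m.group(1)]), safe=""), url)
    return url


def is_under_endpoint(url, endpoint_url):
    """The rule the asker hit in the browser console: a binding may only call URLs that
    start with endpoint.url, so an absolute https://management.azure.com/... URL is
    rejected while endpoint.url resolves to the classic management host."""
    u, e = urlsplit(url), urlsplit(endpoint_url)
    return u.scheme == "https" and u.scheme == e.scheme and u.netloc.lower() == e.netloc.lower()


def jsonpath_select(selector, document):
    """Evaluate the JSONPath subset a resultSelector like 'jsonpath:$.value[*].name' uses:
    '$' (root), '.key' (member) and '[*]' (every list element). Any other syntax is
    rejected instead of being silently ignored."""
    if selector.startswith("jsonpath:"):
        selector = selector[len("jsonpath:"):]
    if not selector.startswith("$"):
        raise ValueError("selector must start with $")
    body = selector[1:]
    if "".join(m.group(0) for m in PATH_TOKEN.finditer(body)) != body:
        raise ValueError(f"unsupported JSONPath syntax in {selector!r}")
    nodes = [document]
    for key, star in PATH_TOKEN.findall(body):
        next_nodes = []
        for node in nodes:
            if star:
                if isinstance(node, list):
                    next_nodes.extend(node)
            elif isinstance(node, dict) and key in node:
                next_nodes.append(node[key])
        nodes = next_nodes
    return nodes


def picklist_options(template, endpoint, inputs, selector, response):
    """What the task UI does for one binding: build the URL, refuse it if it leaves the
    endpoint's host, otherwise reduce the response to the pickList values."""
    url = resolve_endpoint_url(template, endpoint, inputs)
    if not is_under_endpoint(url, endpoint["url"]):
        raise ValueError(f"refusing {url}: not under endpoint.url {endpoint['url']}")
    return url, jsonpath_select(selector, response)


if __name__ == "__main__":
    url, names = picklist_options(APIM_TEMPLATE, ENDPOINT, {"ResourceGroupName": "rg-apim"},
                                  "jsonpath:$.value[*].name", SAMPLE_ARM_RESPONSE)
    print(url)
    print(names)
```

Running it prints the resolved classic-host URL and ["apim-dev", "apim-prod"]; swapping {{endpoint.url}} for the absolute https://management.azure.com root, as in the first binding, makes picklist_options raise, which is the check the console error described.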

Related

Azure Logic App with SharePoint Connection

I am creating my first logic app which connects to SharePoint and adds entries into some sharepoint list.
Whenever I create a SharePoint Connection it adds below resource to my logic app.
{
  "type": "MICROSOFT.WEB/CONNECTIONS",
  "apiVersion": "2018-07-01-preview",
  "name": "[parameters('sharepointonline_1_Connection_Name')]",
  "location": "[parameters('logicAppLocation')]",
  "properties": {
    "api": {
      "id": "[concat(subscription().id, '/providers/Microsoft.Web/locations/', parameters('logicAppLocation'), '/managedApis/', 'sharepointonline')]"
    },
    "displayName": "[parameters('sharepointonline_1_Connection_DisplayName')]",
    "nonSecretParameterValues": {
      "token:TenantId": "[parameters('sharepointonline_1_token:TenantId')]"
    }
  }
}
Could anyone give an explanation of "token:TenantId". How/where to get this value in my dev tenant. How this can be moved to UAT/PROD environment?
Whenever I recreate my logic app with the SharePoint connection it loses the connection and shows me below screen with a warning icon.
Is there a way we can authenticate this connection via PowerShell or via Azure DevOps deployment?
This seems to be an OAuth connection and will need to be re-authorized after the template deployment to obtain a valid access token. Some connections support using an Azure Active Directory (Azure AD) service principal to authorize connections for a logic app that's registered in Azure AD.
Documentation here shows how Azure data lake's connection resource definition can be configured to use parameter values of the template and Azure AD service principal to generate the token so you might want to check if SharePoint connection can be configured in same way or not.
{
  <other-template-objects>
  "type": "MICROSOFT.WEB/CONNECTIONS",
  "apiVersion": "2016-06-01",
  "name": "[parameters('azuredatalake_1_Connection_Name')]",
  "location": "[parameters('LogicAppLocation')]",
  "properties": {
    "api": {
      "id": "[concat(subscription().id, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/', 'azuredatalake')]"
    },
    "displayName": "[parameters('azuredatalake_1_Connection_DisplayName')]",
    "parameterValues": {
      "token:clientId": "[parameters('azuredatalake_1_token:clientId')]",
      "token:clientSecret": "[parameters('azuredatalake_1_token:clientSecret')]",
      "token:TenantId": "[parameters('azuredatalake_1_token:TenantId')]",
      "token:grantType": "[parameters('azuredatalake_1_token:grantType')]"
    }
  }
}
Reference: https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-azure-resource-manager-templates-overview#authenticate-connections

Azure AD integration with Bot Framework / teams

Last week I've been looking at Bot framework Samples, honestly BotFx isn't my area of expertise.
I was playing with these samples from the sample library:
18.bot-authentication
24.bot-authentication-msgraph
46.teams-auth
The required steps for making each of them work are almost the same; for #18, making it work in the emulator includes:
Register the BotApp in Azure AD
Generate a Secret
Add the Redirect URI (as documented it should be: https://token.botframework.com/.auth/web/redirect)
Create an azure bot service
Customize the OAuth Connection Settings
Then in the solution Modify appsettings.json (sample values below)
{
  "ConnectionName": "juank",
  "MicrosoftAppId": "cee1234562074c-1b3e-49b4-9e76-b727d73453454e018d",
  "MicrosoftAppPassword": "uxPdfgwo.JAYmgrtU]w5I7KdgxLZSJ.a[qtgtrFxYZ02"
}
After that it's required to run the emulator and configure the following settings:
Up to this point the bot works as expected
Then I type any... and it just doesn't work. I receive this answer from the bot:
And this data from the trace: Operation returned an invalid status code 'Unauthorized'
{
  "channelId": "emulator",
  "conversation": {
    "id": "77631280-22e8-11ea-93e0-6dc9b0b41a7c|livechat"
  },
  "from": {
    "id": "61bab030-214b-11ea-9cf4-193735472c4b",
    "name": "Bot",
    "role": "bot"
  },
  "id": "ae429e60-22e8-11ea-9786-a543cb22378b",
  "label": "TurnError",
  "localTimestamp": "2019-12-20T00:22:13-05:00",
  "locale": "en-US",
  "name": "OnTurnError Trace",
  "recipient": {
    "id": "f6982626-923e-4fd3-b930-eabf095e96df",
    "role": "user"
  },
  "replyToId": "aacb51f0-22e8-11ea-9786-a543cb22378b",
  "serviceUrl": "https://7eec83e4.ngrok.io",
  "timestamp": "2019-12-20T05:22:13.958Z",
  "type": "trace",
  "value": "Operation returned an invalid status code 'Unauthorized'",
  "valueType": "https://www.botframework.com/schemas/error"
}
And that's all.
I've successfully acquired the token from the OAuth setting Test tool in the Azure portal and also using Postman, but I haven't been able to make these demos work properly once the OAuthCard should be presented for login. Debugging hasn't been helpful since there isn't other information apart from the JSON exposed above.
Any guidance or orientation about how to fix this will be appreciated.
There is no need to configure Azure Bot Service configurations in the emulator. The Application Id and Application Password should be the same as those in appsettings.
And you should get these values from the Azure portal under the Configuration section.
Before doing this, please make sure the auth connection works.
Update:
You can change the Microsoft AppId here:

Issue in create a Azure BOT using Rest API

I am trying to create an Azure bot using Azure Rest API.
I am hitting this API (PUT request) via code, replacing the subscription id and resource group name:
https://management.azure.com/subscriptions/{subscription id}/resourceGroups/{resourcegroupId}/providers/Microsoft.BotService/botServices/{botName}?api-version=2018-07-12
Request body as follows
{
  "location": "global",
  "properties": {
    "displayName": "{botName}",
    "description": "{botName}",
    "iconUrl": "https://docs.botframework.com/static/devportal/client/images/bot-framework-default.png",
    "endpoint": "{endPoint}",
    "msaAppId": "{app ID}"
  }
}
However I am getting the error as
{
  "error": {
    "code": "InvalidBotData",
    "message": "Bot is not valid. Errors: RuntimeVersion is required. See https://aka.ms/bot-requirements for detailed requirements."
  }
}
I tried using nodejs (arm-botservice SDK) to create the bot using the same parameters (of course changing the parameters according to our azure portal ids) but I am still getting the same error. I guess internally it will call the same API as above.
Any help would be appreciated to resolve this issue.
Finally, I was able to do it.
I added the kind parameter and then it worked.
Following is the request:
{
  "location": "global",
  "kind": "registration",
  "properties": {
    "displayName": "{botName}",
    "description": "{botName}",
    "iconUrl": "https://docs.botframework.com/static/devportal/client/images/bot-framework-default.png",
    "endpoint": "{endPoint}",
    "msaAppId": "{app ID}"
  }
}
Programmatic bot creation can not be done with REST at this time.
How to create Web App bot in azure using programmatically?
Use az cli as @joey-cai mentioned.
To create a Microsoft.BotService/botServices/channels resource, add the following JSON to the resources section of your template.
{
  "name": "string",
  "type": "Microsoft.BotService/botServices/channels",
  "apiVersion": "2018-07-12",
  "location": "string",
  "tags": {},
  "sku": {
    "name": "string"
  },
  "kind": "string",
  "properties": {
    "channelName": "string"
  }
}
Source : https://learn.microsoft.com/en-us/azure/templates/microsoft.botservice/2018-07-12/botservices/channels

How do I create Logic App with Event Grid subscription from ARM-template

I have made a Logic app that listens to an Event Grid Topic and it works fine, but if I delete it and try to create from the template it doesn't work. It never runs.
The problem is that while it does create the API connection to the event grid, it leaves it unauthorized and it doesn't create any subscription to the event grid topic either. At no point are any errors displayed. Everything succeeds, but it just doesn't create everything it is supposed to.
To get around this, I added commands to the Powershell script to authenticate it. This works fine, but this of course does not create the subscription.
If I run the ARM-template again, I expected it to create it now as the connection is not valid, but no, it doesn't. I suppose Azure realizes nothing has changed in the template and does nothing? If I edit the ARM-template and change the subscription name, and deploy it again, then the subscription is created and it starts working.
I could of course call the template twice with 2 different subscription names as parameter but that sounds silly. There has to be some better way.
So what would be the best way to create that kind of logic app from templates and scripts?
You can create both your Event Grid Topic Subscription and the Logic Apps connection to it as separate resources. Example template objects are below. Keep in mind that the connection is using OAuth.
Event Grid Topic Subscription
{
  "type": "Microsoft.EventGrid/topics/providers/eventSubscriptions",
  "name": "[concat(parameters('TopicName'), '/Microsoft.EventGrid/', variables('name'))]",
  "location": "[parameters('Location')]",
  "apiVersion": "2018-01-01",
  "properties": {
    "destination": {
      "endpointType": "WebHook",
      "properties": {
        "endpointUrl": "[parameters('Endpoint')]"
      }
    },
    "filter": {
      "includedEventTypes": [
        "[parameters('EventType')]"
      ]
    }
  },
  "dependsOn": [
  ]
}
Web Connection
{
  "type": "Microsoft.Web/connections",
  "name": "[variables('connectionName')]",
  "apiVersion": "2016-06-01",
  "location": "[parameters('ConnectionLocation')]",
  "properties": {
    "displayName": "[variables('connectionName')]",
    "api": {
      "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/northcentralus/managedApis/azureeventgrid/')]"
    },
    "parameterValues": {
      "token:clientId": "[parameters('ConnectionClientId')]",
      "token:clientSecret": "[parameters('ConnectionClientSecret')]",
      "token:TenantId": "[parameters('ConnectionTenantId')]",
      "token:resourceUri": "https://management.core.windows.net/",
      "token:grantType": "client_credentials"
    }
  },
  "dependsOn": []
}
I believe there isn't a way to workaround the authorization required after the first time you deploy. So the simplest solution would be to have 2 separate templates - one for the API connection and the other for the Logic App.
Your PowerShell script would deploy the API Connection first, authorize it and then deploy the Logic App.
You could also have them in the same template too and control which is deployed by using a condition on each resource.
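The SharePoint question above and this Event Grid answer run into the same two problems with Microsoft.Web/connections resources: a connection deployed without parameterValues stays unauthorized until someone consents interactively, and a service-principal connection carries a client secret that is easy to leave as a plain string parameter in the template. Here is an added Python example, written for this page (not code from either question or answer, and not a Microsoft tool), that lints an ARM template for those cases and reads the authorization status from a GET of a deployed connection. The two templates it checks are constructed for the demo; the assumed GET response shape (properties.statuses[].status) is an assumption stated in the code.

```python
import re

PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")
REQUIRED_SP_VALUES = ("token:clientId", "token:clientSecret", "token:TenantId", "token:grantType")


def lint_api_connections(template):
    """Return (resource name, finding) pairs for every Microsoft.Web/connections resource.

    Findings: no parameterValues (the connection deploys unauthorized and needs OAuth
    consent after every deployment), a missing service-principal value, an inline client
    secret, a secret parameter that is not secureString, and resourceGroup().location
    quoted inside concat() so it becomes a literal string in the api id.
    """
    findings = []
    params = template.get("parameters", {})
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.web/connections":
            continue
        name = res.get("name", "<unnamed>")
        props = res.get("properties", {})
        api_id = props.get("api", {}).get("id", "")
        if "'resourceGroup().location'" in api_id:
            findings.append((name, "resourceGroup().location is quoted inside concat() and becomes a literal"))
        values = props.get("parameterValues")
        if values is None:
            findings.append((name, "no parameterValues: deploys unauthorized, needs interactive OAuth consent"))
            continue
        for key in REQUIRED_SP_VALUES:
            if key not in values:
                findings.append((name, f"missing {key}"))
        if values.get("token:grantType") not in (None, "client_credentials"):
            findings.append((name, f"unexpected grantType {values['token:grantType']!r}"))
        secret = values.get("token:clientSecret")
        if isinstance(secret, str):
            ref = PARAM_REF.match(secret)
            if not ref:
                findings.append((name, "token:clientSecret is inline; pass it as a secureString parameter"))
            elif params.get(ref.group(1), {}).get("type", "").lower() != "securestring":
                findings.append((name, f"parameter {ref.group(1)} must be of type secureString"))
    return findings


def needs_authorization(connection):
    """True when a GET of a deployed connection does not report it as Connected.
    Assumption: the response carries properties.statuses[].status, e.g. 'Connected' or 'Error'."""
    statuses = connection.get("properties", {}).get("statuses", [])
    return not statuses or any(s.get("status") != "Connected" for s in statuses)


def event_grid_connection(secret_param, location_expr):
    # Helper that builds a connection resource in the shape of the Event Grid answer.
    return {
        "type": "Microsoft.Web/connections", "name": "azureeventgrid-1",
        "properties": {
            "api": {"id": "[concat(subscription().id, '/providers/Microsoft.Web/locations/', "
                          + location_expr + ", '/managedApis/azureeventgrid')]"},
            "parameterValues": {
                "token:clientId": "[parameters('clientId')]",
                "token:clientSecret": f"[parameters('{secret_param}')]",
                "token:TenantId": "[parameters('tenantId')]",
                "token:resourceUri": "https://management.core.windows.net/",
                "token:grantType": "client_credentials",
            },
        },
    }


# Constructed templates for the demo. WEAK has an OAuth-only SharePoint connection, a quoted
# location expression and a plain-string secret parameter; FIXED corrects all three.
WEAK_TEMPLATE = {
    "parameters": {"spSecret": {"type": "string"}},
    "resources": [
        {"type": "Microsoft.Web/connections", "name": "sharepointonline-1",
         "properties": {"api": {"id": "/subscriptions/x/providers/Microsoft.Web/locations/westeurope/managedApis/sharepointonline"},
                        "nonSecretParameterValues": {"token:TenantId": "[parameters('tenantId')]"}}},
        event_grid_connection("spSecret", "'resourceGroup().location'"),
    ],
}
FIXED_TEMPLATE = {
    "parameters": {"spSecret": {"type": "secureString"}},
    "resources": [event_grid_connection("spSecret", "resourceGroup().location")],
}

if __name__ == "__main__":
    for name, finding in lint_api_connections(WEAK_TEMPLATE):
        print(f"{name}: {finding}")
    print("fixed template findings:", lint_api_connections(FIXED_TEMPLATE))
```

Run it before deploying; the SharePoint connection is reported as needing consent, which matches the warning icon the asker sees after every redeploy, and the Event Grid connection passes once its secret comes from a secureString parameter.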

Azure permissions over microsoft.aadiam/diagnosticSettings/write

I'm trying to call the above API provider via REST with the following URL:
https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings with api-version=2017-04-01-preview
However, even though the Service Principal I am using is a member of the "Global Administrator" role in my AAD tenant I am getting a does not have authorization to perform action error.
This endpoint doesn't seem to be documented though.
Anybody know what is required to call this API endpoint with a service principal?
Thanks,
David
Try to add a custom role with the action microsoft.aadiam/diagnosticsettings/write for your AD app.
According to the doc, you can use a custom role to do the operation.
This article lists the operations available for each Azure Resource Manager resource provider. These operations can be used in custom roles to provide granular role-based access control (RBAC) to resources in Azure.
For more details to create the custom role, refer to this link.
Sample:
{
  "Name": "Test Operator",
  "Id": "88888888-8888-8888-8888-888888888888",
  "IsCustom": true,
  "Description": "xxxxxx",
  "Actions": [
    "microsoft.aadiam/diagnosticsettings/write",
    "microsoft.aadiam/diagnosticsettings/read"
  ],
  "NotActions": [
  ],
  "DataActions": [
  ],
  "NotDataActions": [
  ],
  "AssignableScopes": [
    "/subscriptions/{subscriptionId1}",
    "/subscriptions/{subscriptionId2}",
    "/subscriptions/{subscriptionId3}"
  ]
}
Update:
You can use a user account with the global admin role; refer to the steps below.
1. Navigate to Azure Active Directory -> Diagnostic settings -> Add diagnostic setting -> set the properties and open the Developer Tools (F12) -> Save.
2. In the request we caught, copy the Bearer token.
3. Then we can test the API in Postman.
Request URL:
PUT https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings/{name}?api-version=2017-04-01-preview
Request Header:
Request Body:
{
  "properties": {
    "logs": [
      {
        "category": "AuditLogs",
        "enabled": true,
        "retentionPolicy": {
          "days": 0,
          "enabled": false
        }
      },
      {
        "category": "SignInLogs",
        "enabled": true,
        "retentionPolicy": {
          "days": 0,
          "enabled": false
        }
      }
    ],
    "metrics": [],
    "storageAccountId": "/subscriptions/xxxx/resourceGroups/xxx/providers/Microsoft.Storage/storageAccounts/xxx"
  }
}
It works on my side.
I tested it with a global administrator user; it works correctly for me.
The following are the detailed steps:
1. Create a native Azure AD application and grant permissions to it.
2. Create a global administrator user; please also change the default password.
Note: the user format should be xxxx@xxx.onmicrosoft.com, or you can't use the password way to get the token, based on my test.
3. Assign the Owner role on the subscription.
4. Then we can use the following way to get the access token:
POST https://login.windows.net/<tenant-id>/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=password
&resource={resource}
&username={username}
&password={password}
&client_id={client-id}
5. Try to operate on the diagnosticSettings:
PUT https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings/{name}?api-version=2017-04-01-preview
{
  "properties": {
    "logs": [
      {
        "category": "AuditLogs",
        "enabled": true,
        "retentionPolicy": {
          "days": 0,
          "enabled": false
        }
      },
      {
        "category": "SignInLogs",
        "enabled": false,
        "retentionPolicy": {
          "days": 0,
          "enabled": false
        }
      }
    ],
    "metrics": [],
    "storageAccountId": "/subscriptions/{subscriptionId}/resourceGroups/{groupname}/providers/Microsoft.Storage/storageAccounts/{accountName}"
  }
}
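The answers above build the request by hand and obtain the token either by copying a Bearer token out of the browser's developer tools or with the password grant for a global administrator. Here is an added Python example, written for this page and not code from any of the answers or from Microsoft, that assembles the same pieces as plain data: the custom role definition with the two microsoft.aadiam/diagnosticsettings actions, the PUT body for AuditLogs and SignInLogs, and the PUT request itself. The token request is swapped for the client_credentials grant so the script never handles a user's password or a captured browser token; whether a service principal holding that custom role is accepted by this undocumented endpoint is exactly what the question asks and is left as an assumption here. The subscription id, resource names and function names are placeholders, and nothing is sent to the network unless you call urlopen on the returned Request yourself.

```python
import json
import re
from urllib import request
from urllib.parse import quote, urlencode

ARM = "https://management.azure.com"
API_VERSION = "2017-04-01-preview"
STORAGE_ID = re.compile(
    r"^/subscriptions/[0-9a-f-]{36}/resourceGroups/[^/]+"
    r"/providers/Microsoft\.Storage/storageAccounts/[a-z0-9]{3,24}$",
    re.IGNORECASE,
)


def custom_role(name, subscription_ids, role_id="88888888-8888-8888-8888-888888888888"):
    """Role definition from the answer: read and write on microsoft.aadiam/diagnosticsettings,
    assignable only at the listed subscriptions rather than tenant-wide."""
    return {
        "Name": name, "Id": role_id, "IsCustom": True,
        "Description": "Manage Azure AD diagnostic settings",
        "Actions": ["microsoft.aadiam/diagnosticsettings/write",
                    "microsoft.aadiam/diagnosticsettings/read"],
        "NotActions": [], "DataActions": [], "NotDataActions": [],
        "AssignableScopes": [f"/subscriptions/{s}" for s in subscription_ids],
    }


def diagnostic_setting_body(storage_account_id, categories=("AuditLogs", "SignInLogs"), retention_days=0):
    """PUT body for the setting. The storage account resource id is validated locally so a
    typo fails here rather than as an opaque error from the resource provider."""
    if not STORAGE_ID.match(storage_account_id):
        raise ValueError(f"not a storage account resource id: {storage_account_id}")
    logs = [{"category": c, "enabled": True,
             "retentionPolicy": {"days": retention_days, "enabled": retention_days > 0}}
            for c in categories]
    return {"properties": {"logs": logs, "metrics": [], "storageAccountId": storage_account_id}}


def diagnostic_setting_request(setting_name, access_token, body):
    """The PUT the answers issue, built as a urllib Request (not sent)."""
    url = (f"{ARM}/providers/microsoft.aadiam/diagnosticSettings/"
           f"{quote(setting_name, safe='')}?api-version={API_VERSION}")
    return request.Request(url, method="PUT", data=json.dumps(body).encode(),
                           headers={"Authorization": f"Bearer {access_token}",
                                    "Content-Type": "application/json"})


def client_credentials_token_request(tenant_id, client_id, client_secret):
    """Token request for a service principal against the v1 endpoint, used instead of the
    answer's grant_type=password so no user password or admin account is handled here."""
    form = urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "resource": "https://management.azure.com/"})
    return request.Request(f"https://login.microsoftonline.com/{tenant_id}/oauth2/token",
                           method="POST", data=form.encode(),
                           headers={"Content-Type": "application/x-www-form-urlencoded"})


if __name__ == "__main__":
    sub = "11111111-2222-3333-4444-555555555555"  # placeholder subscription id
    storage = f"/subscriptions/{sub}/resourceGroups/rg-logs/providers/Microsoft.Storage/storageAccounts/aadlogs01"
    print(json.dumps(custom_role("AAD Diagnostics Operator", [sub]), indent=2))
    req = diagnostic_setting_request("to-storage", "<access token>", diagnostic_setting_body(storage))
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

To actually apply the setting, assign the role to the service principal at the subscription scope, send the token request with urlopen, take access_token from the JSON reply and pass it to diagnostic_setting_request; the token is then scoped to the ARM resource and to that principal's role assignments rather than to a global administrator's session.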
