When I try to list azure VMs on my account from their python API, I get the following error:
Message: The client 'xxxxxxxxxxxxxxxxxxx' with object id 'xxxxxxxxxxxxxxxxx' does not have authorization to perform action 'Microsoft.Compute/virtualMachines/read' over scope '/subscriptions/xxxxxxxxxxxx/resourceGroups/xxxxxxxxx/providers/Microsoft.Compute/virtualMachines/xxxxxx'.
Does this type of API access require paid access or did I set up my authentication incorrectly?
Your authentication is correct, but you need proper permissions on the Azure side. So you need to grant yourself (the client you are acting from) the Virtual Machine Contributor or Contributor role on the resource group the VM is in (or on the subscription).
Take a look at this link.
I am writing a script that logs in to Azure, but I don't want to use my password explicitly. Therefore I switched on a system-assigned managed identity:
And now in a shell script I do this:
az login --identity --username xxx
'xxx' is the Object (principal) ID shown on the screenshot.
When I execute the command, I get this (IP and ID replaced with 'xxx'):
Failed to connect to MSI. Please make sure MSI is configured correctly and check the network connection.
Error detail: HTTPConnectionPool(host='XXX.XXX.XXX.XXX', port=XX): Max retries exceeded with url: /metadata/identity/oauth2/token?resource=https%3A%2F%2Fmanagement.core.windows.net%2F&api-version=2018-02-01&client_id=xxx (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x04B7DB08>:
Failed to establish a new connection: [WinError 10060] A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond'))
EDIT: it works fine when I run this command in Cloud Shell on the Azure portal.
Why can't I log in? Am I missing something?
A system assigned managed identity cannot be used to login. It is explicitly tied to the service you created it for, and is not meant for re-use.
System-assigned. Some Azure services allow you to enable a managed identity directly on a service instance. When you enable a system-assigned managed identity, an identity is created in Azure AD. The identity is tied to the lifecycle of that service instance. When the resource is deleted, Azure automatically deletes the identity for you. By design, only that Azure resource can use this identity to request tokens from Azure AD.
The most important part of that quote is the last sentence:
By design, only that Azure resource can use this identity to request tokens from Azure AD.
More information: What are managed identities for Azure resources?
Also:
Can’t be shared.
It can only be associated with a single Azure resource.
EDIT:
Based on your question and the comment below you might be looking for a Service Principal. A managed identity, either system assigned or user assigned, is for use with an Azure resource.
Managed identities provide an identity for applications to use when connecting to resources that support Azure AD authentication.
An Azure service principal is an identity created for use with applications, hosted services, and automated tools to access Azure resources.
For more information on Service principals, see Create an Azure service principal with the Azure CLI.
I have the following:
Azure App Services in Tenant A
Azure SQL Server in Tenant A
Azure App/Enterprise Registration in Tenant B
The point of this separation was to restrict specific users to the Azure App Services website. How can I get to the point where I can execute this code on my SQL server to grant access to the app registration that sits in Tenant B?
CREATE USER [tenant_b_app_reg] FROM EXTERNAL PROVIDER;
EXEC sp_addrolemember [db_datareader], [tenant_b_app_reg];
This post seems similar to my issue (Grant service principal access to application in other tenant), but I cannot follow just the code posting with so little context. It is also unclear why we post the same value object-id-of-sp-in-one-tenant multiple times in one command, and it is also unclear what role-id is.
• As per your query, the ‘’ occurs multiple times in the related script because the ‘object-id’ and the ‘principal-id’ of the app in one tenant are different: the object-id refers to the unique ID of the app registered in that tenant, and the principal-id refers to the entity that requires access to that application in that tenant or across other tenants. The principal-id refers to the service principal object that defines the access policy and the permissions for that application in the Azure AD tenant.
• Whereas ‘role-id’ is the Azure built-in role, based on Azure role-based access control functionality, that is to be assigned to that application, or any custom Azure role created for assigning scoped access controls and permissions within that concerned role, i.e., it may be ‘Contributor’ or ‘User Access Administrator’.
New-AzureADServiceAppRoleAssignment `
    -ObjectId <object-id-of-sp-in-one-tenant> `
    -Id <role-id> `
    -PrincipalId <object-id-of-sp-in-one-tenant> `
    -ResourceId <app-id-in-other-tenant>
• Thus, you can refer to the script in the other thread and replace the object-id and the principal-id with the ones from your environment. Also, you can try granting database access to a managed identity user in Azure AD for this purpose. You can do this by connecting to a SQL database with a system-assigned managed identity.
• Once the managed identity on the app is enabled, grant permissions to that managed identity in SQL Database with the required SQL security role at the SQL prompt. Once done, modify the SQL connection string and publish the changes. Also, ensure that you enter the appropriate app-id and user-id in the PowerShell commands to assign the managed identity access to the SQL database with the enterprise app registration. Please find the documentation links below for more details on creating a managed identity for the SQL DB for an application across tenants:
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-connect-msi?tabs=windowsclient%2Cdotnet
https://learn.microsoft.com/en-us/azure/app-service/tutorial-dotnetcore-sqldb-app?pivots=platform-windows
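As an added example (not the answer's own code), here is a Python helper that emits and applies the T-SQL from the question in a re-runnable, injection-safe form: the identity name is bracket-quoted the way QUOTENAME does, the CREATE USER is guarded on sys.database_principals, role membership is guarded with IS_ROLEMEMBER, and the result is checked back through sys.database_role_members. The DB-API cursor, and the assumption that it is connected to the target database as an Azure AD admin of the server, are mine, not the thread's.

```python
def quote_ident(name):
    """Bracket-quote a T-SQL identifier, escaping ']' the way QUOTENAME does, so a
    display name taken from Azure AD cannot break out of the identifier."""
    if not name or len(name) > 128:
        raise ValueError("invalid identifier")
    return "[" + name.replace("]", "]]") + "]"

def quote_literal(value):
    """Single-quote an N'' string literal, doubling embedded quotes."""
    return "N'" + value.replace("'", "''") + "'"

def grant_reader_statements(identity_name, role="db_datareader"):
    """T-SQL that creates a contained user for an Azure AD identity (app registration,
    enterprise app or managed identity) and adds it to a role, safe to re-run."""
    user, lit = quote_ident(identity_name), quote_literal(identity_name)
    return [
        # sys.database_principals.name is the display name the user was created with.
        f"IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = {lit})\n"
        f"    CREATE USER {user} FROM EXTERNAL PROVIDER;",
        # ALTER ROLE ... ADD MEMBER replaces sp_addrolemember; IS_ROLEMEMBER guards reruns.
        f"IF ISNULL(IS_ROLEMEMBER({quote_literal(role)}, {lit}), 0) = 0\n"
        f"    ALTER ROLE {quote_ident(role)} ADD MEMBER {user};",
    ]

def verify_membership_query(identity_name, role="db_datareader"):
    """Returns one row when the user exists and holds the role (type_desc is EXTERNAL_USER)."""
    return (
        "SELECT u.name AS member_name, u.type_desc, r.name AS role_name "
        "FROM sys.database_role_members m "
        "JOIN sys.database_principals r ON r.principal_id = m.role_principal_id "
        "JOIN sys.database_principals u ON u.principal_id = m.member_principal_id "
        f"WHERE u.name = {quote_literal(identity_name)} AND r.name = {quote_literal(role)};"
    )

def apply_grant(cursor, identity_name, role="db_datareader"):
    """Run the statements on an open DB-API cursor (assumption: e.g. pyodbc, connected to
    the target database, not master, as an Azure AD admin) and return the verification rows."""
    for stmt in grant_reader_statements(identity_name, role):
        cursor.execute(stmt)
    cursor.execute(verify_membership_query(identity_name, role))
    return cursor.fetchall()
```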
I'm trying to use the Azure VM Connector to start and stop a Virtual Machine.
When I edit the Logic App it uses my User Id to authenticate (successfully).
However, my User Id is in a different Tenant than the VM. The Start Virtual Machine connector allows you to specify the SubscriptionId, ResourceGroup, and VM Name, but not the TenantId.
I get an Authorization (401) error (InvalidAuthenticationTokenTenant) when I try to run the Logic App. How can I specify the correct TenantId to get it working?
"error": {
  "code": "InvalidAuthenticationTokenTenant",
  "message": "The access token is from the wrong issuer 'https://sts.windows.net/a35caae4-15e1-4518-bd0f-c1fd0f22814c/'. It must match the tenant 'https://sts.windows.net/600ab0db-7c24-401f-b5be-d765e88dfb09/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/600ab0db-7c24-401f-b5be-d765e88dfb09b' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later."
}
I solved the problem by doing 3 things:
Enable Managed Identities for the Logic App
Add a new role assignment in the VM's Access Control (IAM) section for the Logic App
Update the Start virtual machine task in the Logic App to connect using the managed identity
The following link regarding Azure Functions to Start/Stop VMs provided the basic steps that I applied to the Azure Logic App(s) in my case.
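An added example, not from the question or the answer: before a script or app calls ARM, it can check that the token's tenant (the tid claim, or the GUID in iss) matches the subscription's tenant, which is exactly the mismatch the InvalidAuthenticationTokenTenant message above reports. The unsigned test-token builder is a constructed helper for offline use only.

```python
import base64
import json
import re

# Issuer URLs in the error above look like https://sts.windows.net/<tenant-guid>/ ;
# the GUID is the tenant the token was issued for.
_TENANT_RE = re.compile(r"https://sts\.windows\.net/([0-9a-f-]{36})/", re.IGNORECASE)

def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_claims(jwt):
    """Payload claims of a JWT without verifying it. Only for inspecting a token you
    already hold; never use an unverified token to make an authorization decision."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))

def token_tenant(jwt):
    """Tenant the token was issued by: the 'tid' claim, or the GUID inside 'iss'."""
    claims = token_claims(jwt)
    if "tid" in claims:
        return claims["tid"].lower()
    m = _TENANT_RE.search(claims.get("iss", ""))
    return m.group(1).lower() if m else None

def tenants_from_error(message):
    """(actual, expected) tenant GUIDs named in an InvalidAuthenticationTokenTenant message."""
    found = _TENANT_RE.findall(message)
    if len(found) < 2:
        raise ValueError("message does not name both tenants")
    return found[0].lower(), found[1].lower()

def token_matches_subscription(jwt, subscription_tenant):
    """Pre-flight check before calling ARM: a mismatch here is the 401 shown above."""
    return token_tenant(jwt) == subscription_tenant.lower()

def make_unsigned_test_token(claims):
    """Constructed, unsigned JWT for offline tests only (empty signature segment)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."
```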
I'm working on an Azure function that tries to get and update a client secret for an Azure app registration. The function runs as a managed identity and tries to execute the Azure PowerShell cmdlets New-AzADAppCredential, Remove-AzADAppCredential, and Get-AzADAppCredential.
But upon execution I'm getting the error Insufficient privileges to complete the operation.
I tried assigning my function the Contributor role under Azure role assignments, and I also tried giving it the delegated permission Directory.ReadWrite.All for the app registration that the function is trying to access. However, I'm still seeing the same error.
I would like to know what permissions are necessary for a managed-identity Azure function to be able to manage an app registration's client secrets.
Thanks!
RBAC roles are used to manage resources in Azure subscriptions; in this case, what you need is a permission in Azure AD, not in the subscription.
To fix the issue, the easiest way is to give the Application Administrator role to your managed identity.
Navigate to the Azure portal -> Azure Active Directory -> Roles and administrators -> Application Administrator -> add the managed identity to the role as shown below.
The Contributor role allows the assignee to manage and access the resource, but as you have discovered, that does not include managing access. Similarly, Directory.ReadWrite.All is for user data, not RBAC. There are two roles for RBAC: Owner and User Access Administrator. Owner is Contributor and UA Admin; UA Admin only allows access control.
When using the Azure Key Vault management REST API or the cmdlet Add-AzureRmKeyVaultNetworkRule to allow a virtual network to access a key vault, I get the following error:
The client '{guid}' with object id '{guid}' does not have authorization to perform
action 'microsoft.network/virtualnetworks/taggedTrafficConsumers/validate/action'
over scope '/subscriptions/{guid}/resourcegroups/{resource-group}/providers/microsoft.network/virtualnetworks/{vnet-name}/taggedTrafficConsumers/Microsoft.KeyVault'
What is wrong?
Your subscription is not giving the Microsoft.KeyVault resource provider permission to access Microsoft.Network resources. The fix is to register your subscription with Microsoft.KeyVault again:
Register-AzureRmResourceProvider -ProviderNamespace Microsoft.KeyVault
This will add required permissions for Microsoft.KeyVault and Microsoft.Network integrations, including the ability to limit access to a given Virtual Network.
For more information: https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-supported-services
These are the steps required to solve it:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#azure-portal
You just need to register the resource provider in the subscription. This doesn't only happen with Key Vault; my issue was with SQL Server as well :)
So I leave this answer here in case someone else needs it.
This feels like a bug/limitation in both the Azure Portal and Azure CLI. We ran into this when trying to allow a subnet of a VNet in subscription X to access a storage account in subscription Y.
For us, the workaround was to look up the name of the service principal mentioned in the error in our Azure AD directory, using the "Search your tenant" box on the "Overview" tab of the directory (NOT the subscription but the Azure AD directory for the tenant). The name of the SP turned out to be "Storage Resource Provider" (yours may be different, which is why you need to look it up in Azure AD), so we granted that SP the "Owner" role (temporarily) in the other subscription. Then provisioning worked!
There should be a finer-grained set of permissions to grant than just "Owner", but when we granted just the "validate" permission, we got a new error:
Failed to save firewall and virtual network settings for storage account 'XXX'. Error: An operation is currently performing on this storage account that requires exclusive access.
I also experienced this error when adding a VNet to a storage account in another subscription.
Fixed by adding a storage account to the subscription using the portal. Then the VNet could be added to the storage account.
Note: the result is the same as what #fernacolo does with a PowerShell command.
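The Compute error in the first question on this page and the Key Vault/storage taggedTrafficConsumers error in this thread share the same AuthorizationFailed message shape. The Python below is an added example, not code from any of the answers: it parses that message, decomposes the ARM scope, and tells the two cases apart the way the answers did (a missing role assignment, narrowed to resource-group scope, versus a resource provider that needs re-registering). The taggedTrafficConsumers heuristic is an assumption drawn only from the two errors quoted on this page.

```python
import re

# Shape of the AuthorizationFailed message seen in both errors on this page.
_AUTHZ_RE = re.compile(
    r"The client '(?P<client>[^']+)' with object id '(?P<object_id>[^']+)' "
    r"does not have authorization to perform action '(?P<action>[^']+)' "
    r"over scope '(?P<scope>[^']+)'",
    re.IGNORECASE,
)

def parse_authorization_error(message):
    """Return client, object_id, action and scope from an AuthorizationFailed message."""
    m = _AUTHZ_RE.search(" ".join(message.split()))  # collapse wrapped lines first
    if not m:
        raise ValueError("not an AuthorizationFailed message")
    return m.groupdict()

def scope_parts(scope):
    """Split an ARM scope into subscription, resource group, provider and trailing segments."""
    segs = [s for s in scope.split("/") if s]
    lower = [s.lower() for s in segs]
    def after(key):  # segment following a keyword segment, or None
        i = lower.index(key) if key in lower else -1
        return segs[i + 1] if 0 <= i < len(segs) - 1 else None
    parts = {"subscription": after("subscriptions"), "resource_group": after("resourcegroups"),
             "provider": after("providers"), "resource": []}
    if "providers" in lower:
        parts["resource"] = segs[lower.index("providers") + 2:]
    return parts

def diagnose(message):
    """Classify the failure the way the two threads on this page resolved it."""
    err = parse_authorization_error(message)
    parts = scope_parts(err["scope"])
    res = parts["resource"]
    # Key Vault / storage case: the scope ends in taggedTrafficConsumers/<Namespace>, so the
    # caller is that resource provider itself and the fix is to (re)register the provider.
    if len(res) >= 2 and res[-2].lower() == "taggedtrafficconsumers":
        return {"kind": "provider_registration", "provider_namespace": res[-1],
                "subscription": parts["subscription"]}
    # Otherwise a role assignment is missing; the resource group is the narrowest scope
    # that still covers the resource (the fix given in the first answer on this page).
    scope = "/subscriptions/" + str(parts["subscription"])
    if parts["resource_group"]:
        scope += "/resourceGroups/" + parts["resource_group"]
    return {"kind": "role_assignment", "principal_object_id": err["object_id"],
            "action": err["action"], "scope": scope}
```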