user { 'acc1':
ensure => present,
managehome => true,
password => 'Test123',
groups => ['Administrators'],
auth_membership => 'minimum',
notify => Exec['app config']
}
exec { 'app config':
path => 'c:\\program files (x86)\\app\\bin',
command => 'config.bat -f responsefile.rsp',
refreshonly => true
}
The user is getting created, but I need the local account to be used for the app configuration.
The above puppet script is executed by domain account abc\myname, and the application requires a local account to be used for the configuration.
So I have created a local account through puppet and using notify to tell exec to use the account created by the puppet. But when it is executed, the application is throwing error: need a local account or administrator
In logs the error is myname is not a local account or administrator.
I see that exec is not using the local user acc1 created by puppet.
Is there any other way wherein I can direct the exec to use a particular local user account to use for configuration.
Please advise.
Specify user => 'acc1' in the exec resource: Resource Type Reference: exec: user.
So I have created a local account through puppet and using notify to tell exec to use the account created by the puppet.
The notify is a ordering and refreshing mechanic - when resource A notifies resource B, no information is carried between them other than an update to resource B is required. It doesn't specify that resource B uses resource A necessarily, it doesn't inherit any properties from the resource A.
Related
Goal
get and set IAM Policies for auto-provisioned GCP Projects and Service Accounts within said projects using the Node.js Client Library for Google APIs. As well as give a the service account in the project the Dialogflow API Admin role (roles/dialogflow.admin)
Issue
I get the following error when I try to get the IAM policy for a project I just automatically created.
Error: 7 PERMISSION_DENIED: Permission 'resourcemanager.projects.getIamPolicy' denied on resource '//cloudresourcemanager.googleapis.com/projects/va-31b899e6' (or it may not exist).
at Object.callErrorFromStatus (/home/aeglad22/va-project-provisioning/node_modules/#grpc/grpc-js/build/src/call.js:31:26)
at Object.onReceiveStatus (/home/aeglad22/va-project-provisioning/node_modules/#grpc/grpc-js/build/src/client.js:180:52)
at Object.onReceiveStatus (/home/aeglad22/va-project-provisioning/node_modules/#grpc/grpc-js/build/src/client-interceptors.js:365:141)
at Object.onReceiveStatus (/home/aeglad22/va-project-provisioning/node_modules/#grpc/grpc-js/build/src/client-interceptors.js:328:181)
at /home/aeglad22/va-project-provisioning/node_modules/#grpc/grpc-js/build/src/call-stream.js:182:78
at processTicksAndRejections (node:internal/process/task_queues:78:11) {
code: 7,
details: "Permission 'resourcemanager.projects.getIamPolicy' denied on resource '//cloudresourcemanager.googleapis.com/projects/va-31b899e6' (or it may not exist).",
metadata: Metadata {
internalRepr: Map(3) {
'grpc-server-stats-bin' => [Array],
'google.rpc.errorinfo-bin' => [Array],
'grpc-status-details-bin' => [Array]
},
options: {}
},
note: 'Exception occurred in retry method that was not classified as transient'
}
Here is the function I am trying to do this in.
async function setServiceAccountRolesV2(projectID, serviceAccountID){
const authClient = await auth.getClient();
const resourcemanagerClient = new ProjectsClient();
var request = {
resource: "projects/"+projectID,
auth: authClient
}
await resourcemanagerClient.getIamPolicy(request, function(err, response) {
if (err) {
console.error(err);
return;
}
console.log(JSON.stringify(response, null, 2));
});
}
Authentication Info
I am using a service account key to authenticate all of my functions in this node app with. This service account has the following permissions granted at the organization level
This service account I am using to authenticate my app with succeeds at getIamPolicy when I try to get the policy of the project it was created in itself. But I get the error when I try to get the policy of new projects I have created using this "admin project" service account.
Summary
Why is permissions denied when trying to get the IAM Policy of projects I have created programmatically, but successful when getting the policy of the "admin" project that I have this service account and the node.js app running. I thought that if I granted my service account proper permissions at the organization level, and the projects I am creating programmatically were in that same organization, my authenticating service account should inherit all of the right permissions to grant service account roles and change IAM policy in these newly generated accounts.
A potential thought/gut feeling I have that could be completely wrong - is it possible these new projects I'm making don't have IAM Policies at all? so when I try to get and set them there's nothing to change?
Update for clarifications
I have a project that acts as an "administration project" which contain hosts the VM my Node.js app for provisioning GCP resources runs on.
This project is also where I created my service account that the Node.js app authenticates with.
I am creating new projects and service accounts within those projects with this Node.js app.
I have given the aforementioned service account the Owner permission at the organization level.
In my setServiceAccountRolesV2() method, I have tried making the resource my provisioned project manually, as opposed to passed as a parameter to make sure the the project is located correctly. I manually copy and pasted the project ID from one of the auto-provisioned projects into the resource field like this for example
resource: "projects/va-31b899e6",
and I get the same permission denied error (full error message shown above).
However when I try to use this getIamPolicy method with the "admin" project that my node.js app and service account were created in, I get a successful policy return.
resource: "projects/provisioning-admin-339515"
I don't understand why one works, and one doesn't while the service account I'm using to make the call has Owner role at the organization level. The va-31b899e6 project shown above is in fact under the same organization my admin project is.
When I run the gcloud command gcloud projects get-iam-policy va-31b899e6 --format=json > ~/policy.json to check the policy of the api-generated project (not the admin project), I get the following policy back:
{
"bindings": [
{
"members": [
"serviceAccount:tf-admin-sa#provisioner-admin-339515.iam.gserviceaccount.com" ],
"role": "roles/owner"
}
],
"etag": "ByXXh29efSc=",
"version": 1
}
This service account listed in the members is the service account I authenticate my Node app with. Again, Owner granted at the Org level. This to me looks like it should be able to use the get and setIamPolicy methods on this project, as well as any other project in my organization.
New edits to follow trouble shooting tips from answer.
1
Confirmed I am using the correct project in the api call:
async function setServiceAccountRolesV2(projectID, serviceAccountID){
const authClient = await auth.getClient();
const resourcemanagerClient = new ProjectsClient();
var request = {
resource: "projects/va-31b899e6",
auth: authClient
};
await resourcemanagerClient.getIamPolicy(request, function(err, response) {
if (err) {
console.error(err);
return;
}
console.log(JSON.stringify(response, null, 2));
});
}
(project ID copied from GCP Console) : resource: "projects/va-31b899e6",
2
I have verified my credentials are used correctly, I am using a json key file of the service account I created to create more projects and service accounts programmatically. This is how I am authenticating :
const auth = new google.auth.GoogleAuth({
keyFile: 'provisioner-admin-339515-411d1e284a77.json',
scopes: ['https://www.googleapis.com/auth/cloud-platform'],
});
Then in my function, I create a new instance of auth like this:
const authClient = await auth.getClient();
which is then sent in the request of the api call: auth: authClient
3
Verified permissions for my authenticating service account:
When I run
gcloud projects get-iam-policy va-31b899e6 \
--flatten="bindings[].members" \
--format="table(bindings.role)" \
--filter="bindings.members:tf-admin-sa#provisioner-admin-339515.iam.gserviceaccount.com"
I get the output ROLE: roles/owner
Your service account has too many roles. Most of the roles are redundant and included within other roles that you assigned. For example, Billing Account Administrator contains the permissions of Billing Account User. The role Owner possesses almost all of the roles in your screenshot.
Next, you need to understand the Principle of Least Privilege. Seth Vargo put together a good intro video. In summary, only grant the required privileges and no more. Your service account IAM roles are vast and a serious security weakness.
To solve the problem in your question, follow these steps:
STEP 1:
Confirm that the Project ID is correct in the API call. Make sure you are using the Project ID and not the Project Name. List the projects:
gcloud projects list
STEP 2:
Verify that your code is using the correct credentials (the ones you think you configured). Your question does not show how you are authorizing your code. You are using ADC (Application Default Credentials) which means the credentials could be found from several sources (CLI remembered credentials, the environment variable, metadata server).
If you are using the environment variable GOOGLE_APPLICATION_CREDENTIALS, open the file using the variable and make sure that it is a service account JSON key:
vi $GOOGLE_APPLICATION_CREDENTIALS
If you are using the CLI credentials, verify which identity is being used:
gcloud auth list
As a debugging test, clear the environment variable and use a user identity that has the role Owner and then login. Then retest your application.
unset GOOGLE_APPLICATION_CREDENTIALS
gcloud auth application-default login
STEP 3:
Once you have determined the correct Project ID and which service account your code is using, double-check the roles assigned to the service account at the project level. List the IAM roles with this command. Replace with your Project ID and Service Account Email address:
gcloud projects get-iam-policy <PROJECT_ID> \
--flatten="bindings[].members" \
--format="table(bindings.role)" \
--filter="bindings.members:<SERVICE_ACCOUNT_EMAIL>"
The service account needs one of these roles or similar to view IAM bindings:
roles/browser aka Browser
roles/iam.roleViewer aka Viewer
The service account needs this role or similar to modify IAM bindings:
roles/resourcemanager.projectIamAdmin aka Project IAM Admin
Manage access to projects, folders, and organizations
I try to add AzureAppConfiguration to my dotnet core web application using the following Code:
var azureCredential = new DefaultAzureCredential();
config.AddAzureAppConfiguration(options =>
options.Connect(new Uri("https://MYCONFIGURATION.azconfig.io"), azureCredential).ConfigureKeyVault(kv =>
{
kv.SetCredential(azureCredential);
})
....
this fails with the Following Error:
Azure.RequestFailedException: Service request failed.
Status: 403 (Forbidden)
If I do use the Connection String to connect to the AzureAppConfiguration itself it does work:
var azureCredential = new DefaultAzureCredential();
config.AddAzureAppConfiguration(options =>
options.Connect("Endpoint=https://ac-mobileapps-dev.azconfig.io;Id=MYID;Secret=MYSECRET").ConfigureKeyVault(kv =>
{
kv.SetCredential(azureCredential);
})
....
I run this on my local machine, so the default credentials return my AzureCLI Creds. With those same creds I can run
az appconfig kv list -n MYCONFIGURATION
and retrieve all values.
Please make sure you grant your identity App Configuration Data Reader or App Configuration Data Owner role in the Access Control of your App Configuration instance and wait for ~15 minutes for the permission to propagate.
More details can be found at
https://learn.microsoft.com/en-us/azure/azure-app-configuration/concept-enable-rbac
BTW, the CLI command you used doesn't use AAD auth. Use the --auth-mode parameter to specify how you want to authenticate.
az appconfig kv list -n MYCONFIGURATION --auth-mode login
i'm getting the error below when i want to create a vm on azure :
does not have authorization to perform action 'Microsoft.Storage/register/action' over scope
I created an application on the classic portal and followed this tutorial :
https://azure.microsoft.com/en-us/documentation/articles/resource-group-create-service-principal-portal/
after that i created a resource group on the new portal and assigned owner to this application.
I'm using this puppet script to create the vm :
azure_vm { 'sample':
ensure => present,
location => 'westus',
image => 'canonical:ubuntuserver:14.04.2-LTS:latest',
user => 'azureuser',
password => 'Password',
size => 'Standard_A0',
resource_group => 'puppettest123',
}
when i run it i get this exact error :
Error: {"error"=>{"code"=>"AuthorizationFailed", "message"=>"The client '5b0bc6d-fcad-4223-8527-a2c9afc2661' with object id '5b0bc6d-fcad-4223-8527-a2c9afc2661' does not have authorization to perform action 'Microsoft.Storage/register/action' over scope '/subscriptions/5ad96a9-45de-4fe1-91e8-2514dd5e6a9'."}}
Error: /Stage[main]/Main/Azure_vm[sample]/ensure: change from absent to present failed: {"error"=>{"code"=>"AuthorizationFailed", "message"=>"The client '5b0bc6d-fcad-4223-8527-a2c9afc2661' with object id '5b0bc6d-fcad-4223-8527-a2c9afc2661' does not have authorization to perform action 'Microsoft.Storage/register/action' over scope '/subscriptions/5ad96a9-45de-4fe1-91e8-2514dd5e6a9'."}}
https://forge.puppet.com/puppetlabs/azure
Any ideas on how i can fix this issue ?
I fixed the problem using this command :
azure role assignment create --objectId 7dbc8265-51ed-4038-8e13-31948c7f4ce7 -o Owner -c /subscriptions/{subscriptionId}/
azure role assignment create --objectId 7dbc8265-51ed-4038-8e13-31948c7f4ce7 -o Owner -c /subscriptions/{subscriptionId}/
I am using puppet version 3.4.2 when adding a domain user to a local user group I get the following Errors
Active Directory The specified account name is already a member of the group
And
change from Domain Users,Example-Service Accounts to Administrators,Domain Users,Example-Service Accounts failed: (in OLE method `Add': ) OLE error code:80070562 in Active Directory The specified account name is already a member of the group
The Code is
user { 'remote-user':
name => $remoteUser,
ensure => present,
groups => "Administrators"
}
$remoteUser is from hiera { "remoteUser" : "Domain\\example-service"}
According to this ticket https://projects.puppetlabs.com/issues/17031 This issue should be fixed, can anyone see what I have missed.
There is a folder on the machine that currently own by Administrators group and I want to add a new owner without removing the existing one. Here is the code that I came up with.
file { 'my_destination':
path => extlookup('my_destination'),
ensure => directory,
recurse => true,
source => extlookup('my_source'),
owner => 'XXX',
group => 'TEST_XXX',
mode => 0777,
require => File['my_root_destination'],
}
Unfortunately, this code removes existing users and groups and sets owners to XXX and *TEST_XXX* which is not what I want.
How to grant permissions to new groups or new users on Puppet without removing the existing ones.
Puppet currently cannot manage complex ACLs on windows file resources. All it does it translate Unix style permissions to windows and ensures those don't change (which is why your modifications on the permissions are removed).
To accomplish what you're looking to do, you'll have to remove the owner, group, mode parameters from the file resource and create an exec resource to set the ACLs via icacls.