Azure Function + Rider Credential issue resulting in "Message: AKV10032" error - python

I am trying to debug and work with an Azure Function in Rider. This error only occurs when I run it locally; deploying the function to Azure works correctly.
When I run this block of code
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

default_credentials = DefaultAzureCredential()
keyvault = SecretClient(
    vault_url=azure_shared.key_vault,  # azure_shared is my own config module holding the vault URL
    credential=default_credentials
)
api_key = keyvault.get_secret("apikey").value
I get the following error:
ClientAuthenticationError: (Unauthorized) AKV10032: Invalid issuer. Expected one of https://sts.windows.net/xxxxxx-xxxx-xxxx-xxxx-4a5f0358090a/, https://sts.windows.net/xxxxxx-xxxx-xxxx-xxxx-5f571e91255a/, https://sts.windows.net/xxxxxx-xxxx-xxxx-xxxx-dee5fc7331f4/, found https://sts.windows.net/xxxxxx-xxxx-xxxx-xxxx-579c58293b4b/.
I only have one subscription.
az account show confirms the account I am logged in as is the one ending in 90a, so an expected account.
However, if I run az login and log in with my work account, the tenantId is the b4b one.
Why the heck is Rider / Azure Functions using a different credential than the one I have provided? Is it stored somewhere locally?

Thank you JamesTran-MSFT (Microsoft Docs) and user Madhanlal (Stack Overflow). Posting your suggestions as an answer to help other community members.
You can try the following to resolve the "AKV10032: Invalid issuer. Expected one of https://sts.windows.net/..." error:
This error could be a cross-tenant issue.
If you set the subscription as default just before, it should work:
az account set --subscription {SubID}
az keyvault secret list --vault-name myVault
Re-execute the code:
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

default_credentials = DefaultAzureCredential()
keyvault = SecretClient(
    vault_url=azure_shared.key_vault,
    credential=default_credentials
)
api_key = keyvault.get_secret("apikey").value
References: Unable to retrieve password from keyvault - ERROR: AKV10032: Invalid issuer - Microsoft Q&A and How to solve azure keyvault secrets (Unauthorized) AKV10032: Invalid issuer. error in Python - Stack Overflow

Related

Accessing Graph API using Python <401> Error Code

I am having trouble accessing Microsoft Graph after receiving a token from /token. I'm including photos of the Azure AD application setup as well as code. Any assistance would be greatly appreciated.
I am able to receive a bearer token from Microsoft, but it is returning <401> Invalid Audience.
I cannot yet post images, but I have the application permissions set up in Azure AD following the Microsoft documentation, as well as adding an App Role with User.Read.All.
import requests

myBody = {
    'client_id': '<clientID>',
    'scope': ['https://graph.microsoft.com/.default'],
    'client_secret': '<client secret>',
    'grant_type': 'client_credentials'
}
token = requests.post('https://login.microsoftonline.com/{myTenant}/oauth2/token', myBody)
token = token.json()
newToken = token['access_token']
myHeaders = {'Content-type': 'application/json', 'Authorization': f'Bearer {newToken}'}
users = requests.get('https://graph.microsoft.com/v1.0/users', headers=myHeaders)
users = users.json()
I've been googling for days. I have tried multiple libraries unsuccessfully. This gets me the furthest in the process, but I've been stopped by the 401 error.
I have added 'Host': 'graph.microsoft.com' to the headers, as well as made adjustments based on other articles to try and make this work.
Could you please try using the tenantId "common",
and use POST login.microsoftonline.com/common/oauth2/v2.0/token?
Please see the docs for more info: https://learn.microsoft.com/en-us/graph/auth-v2-user#token-request
Hope this helps.
Thanks

AWS cognito access from backend

I have created a sample Cognito app and added a few users. Now I am trying to access the users from Python code, but I am getting the error below. I have developer access. Please let me know how to get user details from Cognito.
code:
import boto3

client = boto3.client('cognito-idp', region_name='us-east-2')
response = client.admin_get_user(
    UserPoolId='us-east-2_XXXXXXX',
    Username='newuser'
)
error:
ClientError: An error occurred (ExpiredTokenException) when calling the AdminGetUser operation: The security token included in the request is expired

Trying to connect to Google cloud storage (GCS) using python

I've built the following script:
import boto
import sys
import gcs_oauth2_boto_plugin


def check_size_lzo(ds):
    # OAuth client used as a fallback when no other credentials are configured.
    CLIENT_ID = 'myclientid'
    CLIENT_SECRET = 'mysecret'
    # URI scheme for Cloud Storage.
    GOOGLE_STORAGE = 'gs'
    dir_file = 'date_id={ds}/apollo_export_{ds}.lzo'.format(ds=ds)
    gcs_oauth2_boto_plugin.SetFallbackClientIdAndSecret(CLIENT_ID, CLIENT_SECRET)
    uri = boto.storage_uri('my_bucket/data/apollo/prod/' + dir_file, GOOGLE_STORAGE)
    key = uri.get_key()
    if key.size < 45379959:
        raise ValueError('umg lzo file is too small, investigate')
    else:
        print('umg lzo file is %sMB' % round((key.size / 1e6), 2))


if __name__ == "__main__":
    check_size_lzo(sys.argv[1])
It works fine locally but when I try and run on kubernetes cluster I get the following error:
boto.exception.GSResponseError: GSResponseError: 403 Access denied to 'gs://my_bucket/data/apollo/prod/date_id=20180628/apollo_export_20180628.lzo'
I have updated the .boto file on my cluster and added my oauth client id and secret but still having the same issue.
Would really appreciate help resolving this issue.
Many thanks!
If it works in one environment and fails in another, I assume that you're getting your auth from a .boto file (or possibly from the OAUTH2_CLIENT_ID environment variable), but your Kubernetes instance is lacking such a file. That you got a 403 instead of a 401 says that your remote server is correctly authenticating as somebody, but that somebody is not authorized to access the object, so presumably you're making the call as a different user.
Unless you've changed something, I'm guessing that you're getting the default Kubernetes Engine auth, which means a service account associated with your project. That service account probably hasn't been granted read permission for your object, which is why you're getting a 403. Grant it read/write permission for your GCS resources, and that should solve the problem.
Also note that by default the default credentials aren't scoped to include GCS, so you'll need to add that as well and then restart the instance.
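The answer above points at two separate things a node's default service account needs before a gs:// read succeeds: an IAM grant on the bucket, and an OAuth scope that covers Cloud Storage. The first is checked in IAM; the second can be checked from inside the pod against the GCE metadata server. The script below is an added example (not code from the asker or the answerer) that does that scope check. It uses the real metadata endpoints and the Metadata-Flavor header, and the scope URIs are Google's published Cloud Storage scopes; the service-account email and scope lists used in the demo are constructed stand-ins, and the `fetch` parameter is an assumption of this example so it can run offline.

```python
"""Check whether the default service account on a GCE/GKE node carries a Cloud
Storage OAuth scope, one of the causes of a 403 that only appears in the cluster."""
import urllib.request

METADATA_BASE = "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/"

# Scopes that grant some level of Cloud Storage access.
GCS_SCOPES = {
    "https://www.googleapis.com/auth/devstorage.read_only",
    "https://www.googleapis.com/auth/devstorage.read_write",
    "https://www.googleapis.com/auth/devstorage.full_control",
    "https://www.googleapis.com/auth/cloud-platform",
}


def fetch_metadata(path):
    """Read one value from the GCE metadata server (only resolvable on a GCE/GKE node)."""
    req = urllib.request.Request(METADATA_BASE + path, headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def gcs_scope_report(fetch=fetch_metadata, need_write=False):
    """Report which identity the node's code runs as and whether its scopes allow GCS.

    `fetch` is injectable so the check can run offline against constructed responses.
    A scope is necessary but not sufficient: the account still needs an IAM grant
    on the bucket or object.
    """
    email = fetch("email").strip()
    scopes = set(fetch("scopes").split())
    granted = sorted(scopes & GCS_SCOPES)
    write_ok = bool(set(granted) - {"https://www.googleapis.com/auth/devstorage.read_only"})
    return {
        "service_account": email,
        "gcs_scopes": granted,
        "has_gcs_scope": bool(granted),
        "sufficient": bool(granted) and (write_ok or not need_write),
    }


# Constructed metadata responses standing in for two node configurations.
_NO_STORAGE = {
    "email": "12345-compute@developer.gserviceaccount.com\n",
    "scopes": "https://www.googleapis.com/auth/logging.write\nhttps://www.googleapis.com/auth/monitoring\n",
}
_READ_ONLY = {
    "email": "12345-compute@developer.gserviceaccount.com\n",
    "scopes": "https://www.googleapis.com/auth/devstorage.read_only\nhttps://www.googleapis.com/auth/logging.write\n",
}


def demo():
    """Run the report against both constructed configurations."""
    return (gcs_scope_report(_NO_STORAGE.__getitem__),
            gcs_scope_report(_READ_ONLY.__getitem__, need_write=True))


if __name__ == "__main__":
    for report in demo():
        print(report)
```

On a real node, call `gcs_scope_report()` with no arguments inside the pod. If `has_gcs_scope` is False, the node pool was created without a storage scope and, as the answer says, the scope has to be added and the instance restarted; if it is True and the 403 persists, the remaining cause is the IAM grant for the reported service account.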

Azure Error: AuthorizationFailed

I am using the Azure SDK for Python to create a resource using a Python script. After giving the required credentials (CLIENT_ID, TENANT_ID, CLIENT_SECRET, SUBSCRIPTION_ID), it throws an error message like
"msrestazure.azure_exceptions.CloudError:
Azure Error: AuthorizationFailed
Message: The client 'CLIENT_ID' with object id 'OBJECT_ID' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/read' over scope ''."
(I am using Azure in the free trial type of subscription.)
There needs to be a service principal (SP) associated with the application. Also, to assign a role to the SP you need to be an 'Owner'; the Azure portal does not show you that option in the UI if you are a 'Contributor'.

Azure Active Directory Error. The access token is from the wrong issuer

I am trying to call an Azure ARM REST API to create a resource group. I am passing tenant_id, client_id and client_secret to get the access token, which is later used as the Authorization header. My code is like below. The application ID is the client ID of the application, and the application secret is the key which is generated after selecting the time duration.
import adal
import requests

token_response = adal.acquire_token_with_client_credentials(
    'https://login.microsoftonline.com/' + '<tenantId>',
    '<ApplicationId>',
    '<Application Secret>'
)
access_token = token_response.get('accessToken')
endpoint = 'https://management.azure.com/subscriptions/xxxx/resourcegroups/resourcename?api-version=2015-01-01'
headers = {"Authorization": 'Bearer ' + access_token}
json_output = requests.put(endpoint, headers=headers).json()
print(json_output)
But this is throwing me an error as below
{u'error': {u'message': u"The access token is from the wrong issuer 'https://sts.windows.net/xxx/'. It must match the tenant 'https://sts.windows.net/xxx/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/xxx' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later.", u'code': u'InvalidAuthenticationTokenTenant'}}
What does this error mean, and am I passing the right credentials? If I use the credentials mentioned in the error, I get another error which says the application with the mentioned client_id was not found.
As the message says, you need to go against login.windows.net instead of login.microsoftonline.com:
token_response = adal.acquire_token_with_client_credentials(
    'https://login.windows.net/' + '<tenantId>',
    '<ApplicationId>',
    '<Application Secret>'
)
It seems that there is some problem with your AD application. To authenticate to Azure ARM you need an AD application with a service principal.
You can refer to Create Active Directory application and service principal using portal or Authenticating a service principal with Azure Resource Manager to create a new AD application. Use this info in your code and try again.
It's the difference between the common tenant and a separate tenant which causes this issue.
Would you please see my answer in another thread, Azure Active Directory Authorization "The access token is from the wrong issuer"?
Hope this helps.
In client credentials use
"https://management.core.windows.net/"
instead of https://login.microsoftonline.com/ in your code.
token_response = adal.acquire_token_with_client_credentials(
    'https://management.core.windows.net/' + '<tenantId>',
    '<ApplicationId>',
    '<Application Secret>'
)
I fixed the same problem with this.
Thanks,
Bhushan
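Three of the threads on this page are the same class of problem seen from different services: Key Vault's AKV10032 and ARM's InvalidAuthenticationTokenTenant both mean the token's tenant (the tid / iss claims) is not the tenant the resource belongs to, and Graph's 401 Invalid Audience means the token's aud claim is not the API being called. Before changing authorities or endpoints, it is worth looking at the token you actually obtained. The script below is an added example (not code from any of the askers or answerers) that decodes a token's claims without verifying it, reports tenant and audience mismatches, and builds a v2.0 client-credentials body using the `scope` parameter, since the v1 /oauth2/token endpoint used in the Graph question takes `resource` instead. The tenant IDs, the unsigned demo tokens and the `check_token` / `v2_client_credentials_body` helpers are constructions of this example, not library APIs.

```python
"""Offline diagnostics for wrong-tenant (AKV10032, InvalidAuthenticationTokenTenant)
and wrong-audience (Graph 401 Invalid Audience) token problems."""
import base64
import json


def decode_claims(jwt):
    """Return the payload claims of a JWT WITHOUT verifying the signature.

    Suitable for inspecting which tenant/audience a token was minted for on a dev box;
    never use unverified claims to make an authorization decision.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(jwt, expected_tenant, accepted_audiences):
    """Compare the token's tid/iss and aud with what the target resource accepts.

    Returns a list of human-readable problems; an empty list means the token
    should trip neither the tenant nor the audience error discussed above.
    """
    claims = decode_claims(jwt)
    problems = []
    tid = claims.get("tid")
    if tid != expected_tenant:
        problems.append(
            f"tenant mismatch: token tid={tid} (iss={claims.get('iss')}), "
            f"resource expects tenant {expected_tenant}"
        )
    aud = claims.get("aud")
    if aud not in accepted_audiences:
        problems.append(
            f"audience mismatch: token aud={aud}, resource accepts {sorted(accepted_audiences)}"
        )
    return problems


def v2_client_credentials_body(client_id, client_secret, scope):
    """Form body for POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token.

    The v2.0 endpoint takes 'scope' as a single space-separated string, e.g.
    'https://graph.microsoft.com/.default'. The v1 endpoint (/oauth2/token) takes
    'resource' instead, so sending 'scope' there does not control the audience.
    """
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": scope,  # a string, not a list as in the Graph question's snippet
    }


def make_unsigned_token(**claims):
    """Constructed JWT-shaped string with an empty signature, for offline demos only."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


# Constructed placeholder tenant IDs (not real values).
VAULT_TENANT = "00000000-0000-0000-0000-00000000aaaa"
OTHER_TENANT = "00000000-0000-0000-0000-00000000bbbb"


def demo():
    """Reproduce both failure modes with constructed tokens."""
    # Scenario 1: the credential chain picked an account from another tenant, which is
    # what Key Vault (AKV10032) and ARM (InvalidAuthenticationTokenTenant) reject.
    wrong_tenant = make_unsigned_token(
        tid=OTHER_TENANT, iss=f"https://sts.windows.net/{OTHER_TENANT}/", aud="https://vault.azure.net")
    r1 = check_token(wrong_tenant, VAULT_TENANT, {"https://vault.azure.net"})

    # Scenario 2: right tenant, but the token was minted for a different API, so
    # Graph answers 401 Invalid Audience.
    wrong_audience = make_unsigned_token(tid=VAULT_TENANT, aud="https://vault.azure.net")
    r2 = check_token(wrong_audience, VAULT_TENANT, {"https://graph.microsoft.com"})
    return r1, r2


if __name__ == "__main__":
    for problems in demo():
        print(problems or "token looks consistent with the target resource")
```

With a real credential, pass `DefaultAzureCredential().get_token("https://vault.azure.net/.default").token` as the `jwt` argument to see which tenant the chain resolved to: DefaultAzureCredential tries environment variables, managed identity and the shared token cache before the Azure CLI login, so an IDE-cached account from another tenant can win over `az login`, which matches the symptom in the first question. Setting the AZURE_TENANT_ID environment variable to the vault's tenant pins the environment and shared-cache credentials to that tenant.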
