I am using the Azure SDK for Python to create resources from a Python script. After giving the required credentials (CLIENT_ID, TENANT_ID, CLIENT_SECRET, SUBSCRIPTION_ID) it throws an error message like:
"msrestazure.azure_exceptions.CloudError:
Azure Error: AuthorizationFailed
Message: The client 'CLIENT_ID' with object id 'OBJECT_ID' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/read' over scope ''."
(I am using Azure on a free trial subscription.)
There needs to be a service principal (SP) associated with the application. Also, to assign a role to the SP you need to be an 'Owner'; the Azure portal does not show you that option in the UI if you are a 'Contributor'.
I have a requirement where I will create an Azure HTTP trigger using a Python function app.
For this function app I need to provide authorization using a client ID or client secret, where the HTTP link has to be approved only with the client secret.
I couldn't find any reference for this in Python.
If anyone has done this, can you show your code for reference or guide me on how to solve this?
Here's the Microsoft documentation that you can use to get an idea of how to implement Azure AD authentication in your Python Function App via code.
It also covers other authentication methods, such as authentication with service principals, user credentials, AzureCliCredential, Managed Identity and DefaultAzureCredential.
Instead of struggling to access the client ID or secret from Azure AD when you do not have access to it, you can store them in Azure Key Vault and read them from Python code in the same Azure Function App:
import os
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

# DefaultAzureCredential uses the Function App's managed identity in Azure and
# your developer sign-in (for example the Azure CLI login) when running locally.
vault_url = os.environ["KEY_VAULT_URL"]
credential = DefaultAzureCredential()
secret_client = SecretClient(vault_url=vault_url, credential=credential)
retrieved_secret = secret_client.get_secret("secret-name-01")
And this Microsoft blog article shows how to register the Azure Python Function App with Azure AD using Azure CLI commands and access the HTTP trigger URL secured with the client ID.
I am trying to debug and work with an Azure Function in Rider. This error only occurs when I run it locally; deploying the function to Azure works correctly.
When I run this block of code:
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

default_credentials = DefaultAzureCredential()
keyvault = SecretClient(
    vault_url=azure_shared.key_vault,  # vault URL taken from the project's own settings module
    credential=default_credentials
)
api_key = keyvault.get_secret("apikey").value
I get the following error:
ClientAuthenticationError: (Unauthorized) AKV10032: Invalid issuer. Expected one of https://sts.windows.net/xxxxxx-xxxx-xxxx-xxxx-4a5f0358090a/, https://sts.windows.net/xxxxxx-xxxx-xxxx-xxxx-5f571e91255a/, https://sts.windows.net/xxxxxx-xxxx-xxxx-xxxx-dee5fc7331f4/, found https://sts.windows.net/xxxxxx-xxxx-xxxx-xxxx-579c58293b4b/.
I only have one subscription.
az account show confirms the account I am logged in as is the one ending in 90a, so an expected account.
However, if I run az login and log in with my work account, the tenantId is the b4b one.
Why the heck is Rider / Azure Functions using a different credential than the one I have provided? Is it stored somewhere locally?
Thank you JamesTran-MSFT (Microsoft Docs) and user Madhanlal (Stack Overflow). Posting your suggestions as an answer to help other community members.
You can try the following way to resolve the "AKV10032: Invalid issuer. Expected one of https://sts.windows.net/..." error:
This error could be a cross-tenant issue.
If you set the subscription as the default just before, it should work:
az account set --subscription {SubID}
az keyvault secret list --vault-name myVault
Re-execute the code:
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

default_credentials = DefaultAzureCredential()
keyvault = SecretClient(
    vault_url=azure_shared.key_vault,  # vault URL taken from the project's own settings module
    credential=default_credentials
)
api_key = keyvault.get_secret("apikey").value
References: "Unable to retrieve password from keyvault - ERROR: AKV10032: Invalid issuer" (Microsoft Q&A) and "How to solve azure keyvault secrets (Unauthorized) AKV10032: Invalid issuer. error in Python" (Stack Overflow).
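As an added diagnostic example (not part of the answer above): the AKV10032 message lists the tenants the vault trusts and the tenant that actually issued the token, so comparing those with the tenant shown by `az account show` tells you whether the CLI login is in the wrong tenant or whether DefaultAzureCredential picked the token up from a source earlier in its chain than the Azure CLI (environment variables, a shared token cache, an IDE sign-in). The error text and the `az account show` JSON below are constructed samples with made-up tenant IDs.

```python
import json
import re
from typing import Optional, Set, Tuple

# Constructed sample shaped like the error in the question; the tenant IDs are made up.
SAMPLE_ERROR = (
    "(Unauthorized) AKV10032: Invalid issuer. Expected one of "
    "https://sts.windows.net/11111111-1111-1111-1111-111111111111/, "
    "https://sts.windows.net/22222222-2222-2222-2222-222222222222/, "
    "found https://sts.windows.net/33333333-3333-3333-3333-333333333333/."
)
# Constructed stand-in for the JSON printed by `az account show`.
SAMPLE_AZ_ACCOUNT = json.dumps(
    {"name": "Free Trial", "tenantId": "11111111-1111-1111-1111-111111111111"}
)

# Tenant IDs are GUIDs embedded in the v1 STS issuer URL.
ISSUER_RE = re.compile(r"https://sts\.windows\.net/([0-9a-fA-F-]{36})/")


def parse_akv10032(message: str) -> Tuple[Set[str], Optional[str]]:
    """Return (tenant IDs the vault accepts, tenant ID that issued the rejected token)."""
    if "AKV10032" not in message:
        raise ValueError("not an AKV10032 invalid-issuer error")
    expected_part, _, found_part = message.partition("found ")
    expected = set(ISSUER_RE.findall(expected_part))
    found = ISSUER_RE.search(found_part)
    return expected, (found.group(1) if found else None)


def diagnose(message: str, az_account_json: str) -> str:
    """Classify the mismatch using the tenant of the CLI account DefaultAzureCredential would use."""
    expected, found = parse_akv10032(message)
    cli_tenant = json.loads(az_account_json).get("tenantId")
    if found in expected:
        return "tenant-ok"  # issuer accepted: look at the vault's access policy / RBAC instead
    if cli_tenant == found:
        return "cli-wrong-tenant"  # fix with az login --tenant <expected> / az account set
    if cli_tenant in expected:
        return "other-credential-source"  # CLI is fine; token came from earlier in the chain
    return "unknown-tenant"


if __name__ == "__main__":
    print(diagnose(SAMPLE_ERROR, SAMPLE_AZ_ACCOUNT))
```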
I am using an Azure Government account, which has the base URL portal.azure.us. I am trying to use the azcopy executable on macOS and run the command ./azcopy login --tenant-id=<tenant ID>. I am 100% sure the tenant ID I am using is correct. However, I get the following error:
Failed to perform login command:
failed to login with tenantID "XXXX", Azure directory endpoint "https://login.microsoftonline.com", autorest/adal/devicetoken: -REDACTED- occurred while handling response from the Device Endpoint: Error HTTP status != 200
Is this because I am not logged into the Azure Government account properly? How can I get this command to run?
To log in to Azure Government with AzCopy, you need to specify the --aad-endpoint for Azure Government. Try using:
azcopy.exe login --tenant-id <tenantid> --aad-endpoint https://login.microsoftonline.us
I have created a sample Cognito app and added a few users. Now I am trying to access the users from Python code, but I am getting the error below. I have developer access. Please let me know how to get user details from Cognito.
Code:
import boto3

client = boto3.client('cognito-idp', region_name='us-east-2')
response = client.admin_get_user(
    UserPoolId='us-east-2_XXXXXXX',
    Username='newuser'
)
Error: ClientError: An error occurred (ExpiredTokenException) when calling the AdminGetUser operation: The security token included in the request is expired
I am doing a POC for an application that will use SSO from Salesforce using OpenID and pass the id_token to a Cognito identity pool to get temporary credentials for S3. I have set up all the roles, services and the app on AWS/Salesforce. I am able to access S3 when I enable unauthenticated access for my identity pool. But whenever I try to pass the id_token for authenticated access it throws this error:
botocore.errorfactory.NotAuthorizedException: An error occurred (NotAuthorizedException) when calling the GetId operation: Invalid login token. Issuer doesn't match providerName
I am following the tutorial here: https://aws.amazon.com/blogs/security/building-an-app-using-amazon-cognito-and-an-openid-connect-identity-provider/
I am using Python Boto3. This is my current code:
import boto3

id_token = 'aaaaaa.bbbbbbbb.cccccccc'  # taken from the URL Salesforce redirects to after successful authentication
client = boto3.client('cognito-identity', 'us-east-2')
resp = client.get_id(
    AccountId='123456789123',
    IdentityPoolId='us-east-2:xxxxxxx-yyyy-zzz-hhhhh-jj888hhhh',
    Logins={
        'provider_url': id_token
    }
)
Any help would be greatly appreciated.
Apparently the problem was the provider_url, as the error suggested. I was simply putting login.salesforce.com when instead I had to change it to what the id_token was returning as its issuer. I had to change it in the identity providers in IAM as well as in the code.
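Added example (not the poster's code): Cognito rejects GetId with "Issuer doesn't match providerName" when the Logins key differs from the OIDC provider name registered in IAM, and IAM derives that name from the provider URL by dropping the scheme. The helper below reads the `iss` claim out of the id_token (without verifying the signature, since Cognito does that itself against the issuer's keys) and builds the Logins map from it. The token and issuer are constructed samples; `make_sample_token` only exists to produce them.

```python
import base64
import json
import time
from urllib.parse import urlparse


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unverified_claims(id_token: str) -> dict:
    """Payload claims only, for diagnostics. The signature is NOT checked here."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def logins_key_for(id_token: str) -> str:
    """The Logins key must equal the IAM OIDC provider name: the issuer without scheme
    or trailing slash (for example 'accounts.google.com' for Google)."""
    iss = unverified_claims(id_token)["iss"]
    parsed = urlparse(iss if "://" in iss else "https://" + iss)
    return (parsed.netloc + parsed.path).rstrip("/")


def build_logins(id_token: str) -> dict:
    """Logins map to pass to cognito-identity GetId; refuses an already expired token."""
    claims = unverified_claims(id_token)
    if claims.get("exp", 0) < time.time():
        raise ValueError("id_token has expired; obtain a fresh one before calling GetId")
    return {logins_key_for(id_token): id_token}


def make_sample_token(issuer: str, exp: int) -> str:
    # Constructed, unsigned sample token for this demo; the signature segment is a placeholder.
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc({'iss': issuer, 'sub': 'user-1', 'exp': exp})}.sig"


if __name__ == "__main__":
    # Constructed issuer; use the 'iss' value your own provider actually returns.
    token = make_sample_token("https://example-org.my.salesforce.com", 9999999999)
    print(build_logins(token))  # key is 'example-org.my.salesforce.com', not 'provider_url'
```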