What is this `token exchange failed` error when deploying to Cloud Run? - firebase-authentication

We have a python Cloud Run service that's CI/CD managed via the repo in Github.
It deployed without any issues, but after adding the firebase sdk and the firebase_config.json configs into the service, the CI/CD failed with this error:
"Push": denied: Token exchange failed for project 'phre-promgt'. Access denied.
The added features of utilizing firebase within the service work locally (checked the firebase auth side to make sure it's working), but it seems to throw this error when we redeploy it via the CI/CD.
Any ideas?

Related

Access Key Vault from local Service Fabric cluster with User Assigned Managed Identity (MSI)

I want to access the Key Vault from my Service Fabric application via Managed Service Identity (MSI). I have enabled MSI on the virtual machine scale set in the Azure Portal and given it access to my Key Vault resource. This works like a charm up in the cloud. However, I am having problems with my local development environment.
As far as I understand, I can grant myself access to the Key Vault and run az login in Azure CLI. Alas, this doesn't work when running the application in a local Service Fabric cluster.
I am using .net core 2.1 in Service Fabric and getting the exception mentioned below.
Azure.Identity.AuthenticationFailedException: DefaultAzureCredential failed to retrieve a token from the included credentials.
EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
ManagedIdentityCredential authentication unavailable. No Managed Identity endpoint found.
SharedTokenCacheCredential authentication failed: Persistence check failed. Inspect inner exception for details
Visual Studio Token provider can't be accessed at C:\Users\Default\AppData\Local.IdentityService\AzureServiceAuth\tokenprovider.json
VisualStudioCodeCredential authentication failed: A specified logon session does not exist. It may already have been terminated.
Services are likely running under the built-in 'NetworkService' account, which cannot access the CLI for credentials because it has run in your user session.
Try creating machine-level environment variables to access the vault:
1) Create a service principal with a password. Follow the steps here to create a service principal and grant it permissions to the Key Vault.
2) Set an environment variable named AzureServicesAuthConnectionString to RunAs=App;AppId=AppId;TenantId=TenantId;AppKey=Secret. You need to replace AppId, TenantId, and Secret with actual values from step #1.
3) Run the application in your local development environment. No code change is required. AzureServiceTokenProvider will use this environment variable and use the service principal to authenticate to Azure AD.
Don't forget to restart, so the environment variables are added to all processes.
As the DefaultAzureCredential documentation shows, Environment and Managed Identity are for deployed-service authentication. Azure CLI needs to log in with your Azure account via the az login command.
So, Environment and Managed Identity are appropriate for you. For example, using the Environment credential requires setting the environment variables first; see here. Then you could create a secret client using the DefaultAzureCredential.
// Create a secret client using the DefaultAzureCredential
var client = new SecretClient(new Uri("https://myvault.azure.vaults.net/"), new DefaultAzureCredential());
I was able to get this working with local Service Fabric development by opening Services.msc on my local development machine and configuring the 'Service Fabric Host Service' to run as my local user account rather than the default local service.
Only then would DefaultAzureCredential work for picking up the Az CLI login.

API Connect on IBM Cloud: error when trying to expose a local API through API Connect on Cloud

I'm not able to expose a local rest API through API connect on cloud.
API Connect on Cloud : error
I created a REST API on my laptop using IIS, and I want to expose it through API Connect on IBM Cloud. Since the "Push Rest API" option in IIB Web Admin is not working, I used the swagger.json file to get the API details manually into APIC on Cloud. I followed these steps:
1) In IBM Cloud, created resources for the API Connect and Secure Gateway Cloud Foundry services.
2) Created a Secure Gateway destination and have the SG client running on my laptop.
3) Created a simple REST API using IIB V10 and deployed it to my local Integration Node.
4) Tried to push the REST API using the IIB Web Admin, giving the host as api.us-south.apiconnect.appdomain.cloud and my IBM Cloud account username/pwd, but it failed saying unable to connect:
Unable to connect to IBM API Connect at host 'api.us-south.apiconnect.appdomain.cloud' port '443'
5) Then I tried to create an API manually using the swagger.json file available in the IIB RestAPI project. I used the "from file or URL" option to create a new API in APIC on IBM Cloud.
6) I gave my laptop IP as the "Host" value in the APIC designer.
7) In the "Assembly", I included a "Proxy" policy and updated its Target URL to cap-sg-prd-2.securegateway.appdomain.cloud:17041
When I try to test the above, I get the following error:
<httpMessage>Internal Server Error</httpMessage>
<moreInformation>Backside URL invalid</moreInformation>
Can you please help to resolve it?
You're missing one or both of the following:
1) The "Target URL" must be a valid URL. Looks like you just entered a hostname, so likely you need https://cap-sg-prd-2.securegateway.appdomain.cloud:17041. Doing that and republishing the API should resolve the "Backside URL invalid" error.
Once you do that, you may find that you still can't reach the backend due to either a timeout or connection refused error.
If so:
2) Did you allow access to the secure gateway destination via the client on your local machine? You have to intentionally set an ACL on the client to allow traffic to the host/port on your network.

Spinnaker GKE oauth - User's info does not have all required fields

I'm trying to get my spinnaker interface authenticated using this tutorial:
https://www.spinnaker.io/setup/quickstart/halyard-gke-public/
Prior to the tutorial, Spinnaker was confirmed up and running on http://localhost:9000. I have tried the following on 1.3.1, 1.4.1 and 1.4.2.
After editing/applying/enabling the Google security, I try the login and am successfully challenged with a Google login screen. Upon completing the two-factor auth, I am redirected as expected to http://localhost:8084/login, though I receive the following error:
{
"error": "Unauthorized",
"message": "Authentication Failed: User's info does not have all required fields.",
"status": 401,
"timestamp": 1506985726074
}
Here is a log of my setup steps:
kross@halyard:~$ hal config security authn oauth2 edit --provider google \
> --client-id $CLIENT_ID \
> --client-secret $CLIENT_SECRET \
> --user-info-requirements hd=$DOMAIN
+ Get current deployment
Success
+ Get authentication settings
Success
+ Edit oauth2 authentication settings
Success
Problems in default.security:
- WARNING Your UI or API domain does not have override base URLs
set even though your Spinnaker deployment is a Distributed deployment on a
remote cloud provider. As a result, you will need to open SSH tunnels against
that deployment to access Spinnaker.
? We recommend that you instead configure an authentication
mechanism (OAuth2, SAML2, or x509) to make it easier to access Spinnaker
securely, and then register the intended Domain and IP addresses that your
publicly facing services will be using.
+ Successfully edited oauth2 method.
kross@halyard:~$ hal config security authn oauth2 enable
+ Get current deployment
Success
+ Edit oauth2 authentication settings
Success
Problems in default.security:
- WARNING Your UI or API domain does not have override base URLs
set even though your Spinnaker deployment is a Distributed deployment on a
remote cloud provider. As a result, you will need to open SSH tunnels against
that deployment to access Spinnaker.
? We recommend that you instead configure an authentication
mechanism (OAuth2, SAML2, or x509) to make it easier to access Spinnaker
securely, and then register the intended Domain and IP addresses that your
publicly facing services will be using.
+ Successfully enabled oauth2
kross@halyard:~$ hal deploy apply
+ Get current deployment
Success
+ Apply deployment
Success
+ Deploy spin-clouddriver
Success
+ Deploy spin-front50
Success
+ Deploy spin-orca
Success
+ Deploy spin-deck
Success
+ Deploy spin-echo
Success
+ Deploy spin-gate
Success
+ Deploy spin-igor
Success
+ Deploy spin-rosco
Success
Problems in default.security:
- WARNING Your UI or API domain does not have override base URLs
set even though your Spinnaker deployment is a Distributed deployment on a
remote cloud provider. As a result, you will need to open SSH tunnels against
that deployment to access Spinnaker.
? We recommend that you instead configure an authentication
mechanism (OAuth2, SAML2, or x509) to make it easier to access Spinnaker
securely, and then register the intended Domain and IP addresses that your
publicly facing services will be using.
I'm not quite sure what to do with this. It seems I am authentic, yet for some reason the required user fields are not allowed in the interaction.
I have reviewed spinnaker's authentication setup as well and repeatedly made a few changes and tested with a fresh incognito browser, yet no change.
Since the google provider is a packaged OAuth 2 provider with spinnaker, I'm confused as to what further configuration would be necessary, as I am not "bringing my own provider".
Where can I start looking next? Any references/pointers to documentation?
The problem is the --user-info-requirements hd=$DOMAIN argument. This is (generally) only needed if you're using a G Suite/Google Apps for Work account as your OAuth identity provider - it restricts login to only users in your domain. Otherwise, anyone with a valid @gmail account would be able to log in.
If you do use the --user-info-requirements hd=$DOMAIN and the $DOMAIN specified is invalid, you will receive this error. Be sure to use the fully qualified domain name as the value.
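To make that failure mode concrete, here is an added example (not Spinnaker's own code) that re-implements, in simplified form, the check behind Gate's error: every key given via --user-info-requirements must be present in the identity provider's user-info response with exactly that value. The user-info dicts are constructed, and parse_requirements, missing_requirements and authorize are names chosen for this example.

```python
"""Simplified re-implementation of the user-info requirement check that
produces Gate's "User's info does not have all required fields" error.
Added example, not Spinnaker's code: Gate's real check lives in Java and
supports further matching modes; only exact key=value matching is
modelled here."""


def parse_requirements(args):
    """Turn hal-style 'key=value' strings (e.g. ['hd=example.com'])
    into a {key: value} dict, rejecting malformed entries."""
    requirements = {}
    for arg in args:
        key, sep, value = arg.partition("=")
        if not sep or not key or not value:
            raise ValueError(f"malformed user-info requirement: {arg!r}")
        requirements[key] = value
    return requirements


def missing_requirements(user_info, requirements):
    """Return the requirement keys that are absent from the identity
    provider's user-info response or whose value does not match."""
    return [
        key for key, wanted in requirements.items()
        if key not in user_info or str(user_info[key]) != wanted
    ]


def authorize(user_info, requirements):
    """Return None when login is allowed, otherwise the Gate-style reason.
    With no requirements configured every authenticated user is allowed."""
    if missing_requirements(user_info, requirements):
        return "Authentication Failed: User's info does not have all required fields."
    return None


# Constructed user-info responses shaped like Google's userinfo endpoint.
# Only Google Workspace (G Suite) accounts carry the 'hd' (hosted domain)
# claim; a personal Gmail account has no 'hd' at all.
WORKSPACE_USER = {"sub": "1001", "email": "alice@example.com", "hd": "example.com"}
PERSONAL_USER = {"sub": "1002", "email": "bob@gmail.com"}

if __name__ == "__main__":
    reqs = parse_requirements(["hd=example.com"])
    print(authorize(WORKSPACE_USER, reqs))   # None: allowed
    print(authorize(PERSONAL_USER, reqs))    # rejected: no 'hd' claim
    # A non-FQDN value such as hd=example never matches, so every login fails
    print(authorize(WORKSPACE_USER, parse_requirements(["hd=example"])))
```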

Azure HDInsight authentication failure when connecting to HDInsight web portal

After creating a new HDInsight Cluster, I am receiving the following error when I provide the authentication information and try to access the HDInsight web portal at https://{Cluster Name}.azurehdinsight.net/
403 - Forbidden: Access is denied.
Have tried recreating clusters, different browsers, clearing browser cache, but have not been able to log in. Please suggest.
The interactive console has been discontinued and the team now recommends the usage of Windows Azure PowerShell
http://www.windowsazure.com/en-us/documentation/articles/hdinsight-submit-hadoop-jobs-programmatically/
You mention clearing browser cache; have you also tried clearing cookies? I have had this problem after a failed login to the HDInsight portal and needed to clear cookies and cache.
Also if you have an active directory integration and are trying to login with a domain account, try logging in with the cluster user that you created at deployment instead.
Use windows azure management portal instead, https://manage.windowsazure.com.

Accessing Cloudbees Jenkins URL without authentication

I have an application that monitors CI jobs, and I've added a jenkins installation to my account. Typically, this application is internal to the company I work at, but our jenkins servers aren't accessible outside the LAN.
To look up the status of a build, I do a python urllib.urlopen on
http://hostname/job/job_name/lastBuild/api/json
then parse the JSON result.
When trying to connect to https://webiken.ci.cloudbees.com, I get an HTTPError because the URL requires authentication. Is there any way to configure my Jenkins to be public?
Thanks,
Sam
You can use HTTP Basic authentication with your CloudBees credentials to access the API:
curl https://webiken.ci.cloudbees.com/job//api/json --user ndeloof@cloudbees.com:
Also see this wiki page on how to make your Jenkins instance public.
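As an added example (not code from the original post or from CloudBees), the same lastBuild lookup the asker does with urllib, with the answer's HTTP Basic credentials attached instead of making the instance public. The host, job name and account are placeholders, and using a Jenkins API token rather than the account password is this example's assumption.

```python
"""Fetch a Jenkins job's lastBuild via urllib with HTTP Basic auth.
Added example, not code from the original post or CloudBees. Assumes the
Jenkins account has an API token (use it instead of the password in
scripts); host, job and account values are placeholders."""
import base64
import json
import urllib.request


def basic_auth_header(user, secret):
    """Build the Authorization header value for HTTP Basic auth."""
    raw = f"{user}:{secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_request(base_url, job, user, secret):
    """Prepare the authenticated lastBuild request; Basic credentials are
    only ever sent over HTTPS, so plain http:// URLs are refused."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("Basic credentials must only be sent over HTTPS")
    url = f"{base_url.rstrip('/')}/job/{job}/lastBuild/api/json"
    return urllib.request.Request(
        url, headers={"Authorization": basic_auth_header(user, secret)}
    )


def build_status(payload):
    """Reduce the lastBuild JSON to the fields a CI monitor needs."""
    data = json.loads(payload)
    return {"number": data["number"], "result": data["result"],
            "building": data["building"]}


def fetch_last_build(base_url, job, user, secret, opener=urllib.request.urlopen):
    """Fetch and parse lastBuild; 'opener' is injectable for offline tests."""
    with opener(build_request(base_url, job, user, secret)) as resp:
        return build_status(resp.read())


# Constructed sample of what Jenkins returns for .../lastBuild/api/json.
SAMPLE_LASTBUILD = (b'{"number": 42, "result": "SUCCESS", "building": false,'
                    b' "url": "https://jenkins.example.invalid/job/demo/42/"}')

if __name__ == "__main__":
    # Placeholders: replace with your CloudBees host, job name and API token.
    status = fetch_last_build("https://webiken.ci.cloudbees.com", "JOB_NAME",
                              "USER@EXAMPLE.COM", "API_TOKEN_PLACEHOLDER")
    print(status)
```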