Azure Storage - Allowed Microsoft Service when Firewall is set - azure-storage

I am trying to connect a public logic app (not ISE environment) to a storage account that is restricted to a Vnet.
According to the Storage account documentation access should be possible using a system managed identity.
However I just tried in 3 different subscriptions and the result is always the same:
{
"status": 403,
"message": "This request is not authorized to perform this operation.\r\nclientRequestId: 2ada961e-e4c5-4dae-81a2-520397f277a6",
"error": {
"message": "This request is not authorized to perform this operation."
},
"source": "azureblob-we.azconn-we-01.p.azurewebsites.net"
}
Already provided access with different IAM roles, including owner. This feels like the service that should be allowed according to the documentation is not being allowed.
The Allow trusted Microsoft services... setting also allows a
particular instance of the below services to access the storage
account, if you explicitly assign an RBAC role to the system-assigned
managed identity for that resource instance. In this case, the scope
of access for the instance corresponds to the RBAC role assigned to
the managed identity.
Azure Logic Apps Microsoft.Logic/workflows Enables logic apps to
access storage accounts
[https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security#exceptions][1]
What am I doing wrong?
Added screenshots:
https://i.stack.imgur.com/CfwJK.png
https://i.stack.imgur.com/tW7k9.png
https://i.stack.imgur.com/Lxyqd.png
https://i.stack.imgur.com/Sp7ZV.png
https://i.stack.imgur.com/Hp9JG.png
https://i.stack.imgur.com/rRbau.png

For authenticating access to Azure resources by using managed identities in Azure Logic Apps, you could follow the document. Azure Logic Apps should be registered in the same subscription as your storage account. If you want to access the blob in an Azure Storage container. You could add the Storage Blob Data Contributor(Use to grant read/write/delete permissions to Blob storage resources) role for the Logic App system identity in the storage account.
Update
From your screenshot, I found that you have not used a system-managed identity to design the Create blob logic but using an API connection.
For validating connecting a public logic app to a storage account with Allow trusted Microsoft services... setting enabled. You can design your logic using the managed identity with a trigger or action through the Azure portal. To specify the managed identity in a trigger or action's underlying JSON definition, see Managed identity authentication.
output
For more details, please read these steps in Authenticate access with managed identity.

Related

Store User info in app database for Azure AD Authenticated users

When creating ASP.NET Core web app, if you use Azure AD for authentication, is it possible to store user info in your app database? And if so, is there a best practice approach to doing this?
I'd like to store user role info in my app's database; I know you can use AD groups but
(a) I'd like to be able control this from within the app and
(b) I don't know if I have permissions to create new groups in my company's Azure AD.
yes, you can. After authentication with Azure AD, you can get userinfo from ID token if you are using OIDC. Then you can store the userinfo in your app's local database.
For (a), you wanna control user role in your app which used to edit in azure portal. Then you may take microsoft graph api user role into consideration. You may check the link if this api is what you need.
(b) create new groups, this can achieved by this api.
Calling microsoft graph api required an azure ad application which can be assigned api permission by admin, then it can be used to generate access token to call the api.

Interacting with Azure Service from Azure Function from Client app on behalf of the user (user impersonation)

Context
I have a client app, represented through an Azure Active Directory app that needs to send a HTTP request to a HTTP trigger Azure Function on behalf of the user that is logged in to the client app. To achieve that I followed https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad. Doing so I am successfully able to execute the function on behalf of the user.
Goal
From this triggered Azure Function on behalf of the user I want now to achieve that I can interact with another Azure Service (let's say an Azure Storage Account) on behalf of the user. The user can do on this Storage Account what is allowed by the roles the user has on the Storage Account.
Problem
I don't get it working. I tried the approaches described in How to impersonate logged in user to manage other Azure service and https://blog.brooksjc.com/2020/06/21/accessing-graph-api-with-an-azure-function-through-impersonation/ And in this context I also don't get it working for Azure Data Factory respective Graph as described in the posts. For instance, when I call .auth/me I just get an empty array.
Question
Given this context how can I achieve my goal of interacting with the Storage Account on behalf of the user via the Azure Function that has been triggered on behalf of the user?
Thanks
EDIT
I am aware of the OAuth 2.0 On-Behalf-Of flow (see https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow) and this one works (i.e., I am able to authenticate the user, retrieve another token and use this one to interact with the Storage Account on the users behalf). What I would like to achieve is similar to the posts shared above that the user authenticates against the app and by doing so already a token is made available for the interaction with the Storage Account, so that I don't have to make the additional request to https://login.microsoftonline.com/{{tenant_id}}/oauth2/v2.0/token to get that token using e.g. client credentials. And this is not about specific code (e.g. C#) but about the general set up. Is this possible?

How do I use Google's Identify Platform to authenticate against Cloud Endpoints?

In our organisation we use the Google Kubernetes Engine (GKE) to implement a micro-service architecture. As we are also G-Suite users, everyone in the organisation is guaranteed to have a Google account. In consequence we would like to use those accounts to manage authentication and authorization of micro services.
We have prototyped login using the angularfire2 client to authenticate against the Google Identity Platform. We also have Google Cloud Endpoints configured to control access to relevant services.
The piece we are missing is how to get from the identity in Google to an access token we can use on our services -- the access token coming back using the Firebase API has no claims in it, and the documentation on custom claims seems to make it quite clear that these go into the identity token.
My expectation would be to have JWTs with the appropriate audience (our backend), containing a sufficient set of claims to implement role based access control within the services. Ideally the infrastructure could validate a claim already -- some of our services are small enough to require only one role, which could be enforced outside the service. Or we could annotate our endpoints (Protobuf) with the required claims.
In the GCP environment, what is the standard process of creating access tokens to be used for accessing GKE services? Is there anything that supports this?
The piece we are missing is how to get from the identity in Google to
an access token we can use on our services -- the access token coming
back using the Firebase API has no claims in it, and the documentation
on custom claims seems to make it quite clear that these go into the
identity token.
Google OAuth Access Tokens do not have an identity in the sense that you want to use it. Identity is stored in the Identity Token. Add the scope "email" when authenticating the user. Google will return an ID Token. For some frameworks, you can request custom claims for the Identity Token.
In the GCP environment, what is the standard process of creating
access tokens to be used for accessing GKE services? Is there anything
that supports this?
There are two types of access excluding methods such as API keys. User Accounts and Service Accounts. Service-to-service typically uses service account Access Tokens (RBAC) or service account Identity Tokens (IBAC). In your case, you want to use Identity Platform which means User Accounts.
If I was designing this system, I would use User Accounts to authenticate with the system - Firebase is great for this purpose. I would look up what roles this identity supports/allows from my database (Firestore) and create a service account Access Token with the required scopes for GCP services. I would then use this Access Token for GCP service-to-service authorization. If I also required custom roles for my own services, I would create a custom Identity Token with my custom roles and include that as a custom HTTP header and include the Google Access Token in the standard HTTP "authorization: bearer" header. I would use the service account private key to sign my custom Identity Token or use a GCP IAM API to sign for me so that the other end can verify with the service account's public key. This method prevents data leakage at the client, no private keys are distributed, scopes/roles are not disclosed, etc.
I would suggest you follow this doc of authentication between services by using service account files.

Adding Applications programmatically in Azure AD using Client Credentials Flow

For use with the Azure API Management, I am trying to add Applications to an Azure Active Directory (AAD) programmatically, in my case by using the Graph API.
My scenario is the following: In order to secure a Web API I want to manage with Azure API Management, I want to leverage AAD's OAuth functionality to do the heavy lifting regarding authentication and issuing JWT Tokens, and then just use the validate-jwt policy to verify everything is okay in Azure API Management. This has the advantage I can more or less omit authentication in my backend service.
This works fine, as long as I have created an application in the Azure AD for the consuming web application, but this has to be done manually from the Azure Portal; Azure APIm does not do it automatically.
Now for what I am trying to do to get the done automatically: I wanted to delegate the subscription to APIs in APIm to some other web app I am writing, and from there I want to leverage the Graph API to create an Application in the Azure AD and grant permissions to the Application of the API.
The first thing I tried to do was to have a third application (my service application) to have full application permissions to the Windows Azure Active Directory application in the Azure AD; this lets my application access AAD using the Graph REST API. I manage to get an Access Token using the client_credentials grant (from login.microsoft.com), but this Token does not let me do a POST on https://graph.windows.net/(my AAD ID)/applications?api-version=1.5:
{
"odata.error": {
"code": "Authorization_RequestDenied",
"message": {
"lang": "en",
"value": "Insufficient privileges to complete the operation."
}
}
}
I found (https://msdn.microsoft.com/Library/Azure/Ad/Graph/howto/azure-ad-graph-api-permission-scopes) that even if I grant the Directory.ReadWrite.All permission, the application (app-only) will not be able to create or update Applications:
Note: Specifically excludes create or update for entities not listed above.
This includes: Application, Oauth2PermissionGrant, AppRoleAssignment, Device,
ServicePrincipal, TenantDetail, domains, etc.
The next thing I tried was the Resource Owner Password Grant (grant_type=password), passing my own credentials additionally, so that I can impersonate myself in the Graph API. Now, my POST to the applications end point succeeds.
My bottom-of-the-line question is: Can I grant sufficient permissions to my application so that I can add applications programmatically using the client credentials flow, and not any flow which acts on behalf of a user? And if so, how is it done?
Sorry Don. We don't currently have any permission scopes for the client credential flow (app-only) that can be used to create applications or service principals or create any oauth2 permission grants (or any of the other entities that you mentioned above through the Directory.ReadWrite.All permission). We are working on additional app-only permissions that will enable you to light up this scenario, but I don't have an ETA that I can give you.
This operation should be possible if you use the app+user (code flow) and grant the app the Directory.AccessAsUser.All permission - as long as there is a user using your app AND that they are a tenant admin. Not sure if this is an acceptable workaround for you (and I guess is similar to what you are using with the password flow - although I would recommend you use the code flow here).
UPDATE: There are a couple of new app only permissions we added for AAD Graph. Application.ReadWrite.OwnedBy (which allows an app to create/own another app - but only update the apps it created - it won't be able to touch any other apps it doesn't own) AND Application.ReadWrite.All (which allows an app to create/manage ALL apps in a tenant). Seems like the first one would be appropriate. You can see these show in the Azure Portal for the AAD Graph resource.

How to authenticate and authorize with AWS Identity and Access Management?

I am writing my own reporting software in Java and planning to use RDS for data storage. I want to do the A.A. with AWS IAM. Is there any example(s) of authenticating and authorizing with AWS Identity and Access Management that you might be aware and share with me?
I am not looking on how to set up the user from Amazon's console or how to issue console commands. Instead I would like to see some Java code how to identify if user is authenticated with his/her credentials (user id, password combination) and whether that person authorized to get access to specific report.
AWS IAM is not designed to authenticate users with your own app. AWS IAM is designed to authenticate users with AWS services.
The only way to see if a user is a real user(authentication) and if that user is authorized is to actually make an AWS API call.
For example, you can create a policy that looks like this and attach it to a user/group:
{
"Statement":[{
"Effect":"Allow",
"Action":["rds:CreateDBSecurityGroup",
"rds:DeleteDBSecurityGroup",
"rds:DescribeDBSecurityGroup",
"rds:AuthorizeDBSecurityGroupIngress",
"rds:RevokeDBSecurityGroupIngress"],
"Resource":"*"
}
]
}
And the user or group who has this policy can only make these API calls and not others.
See here: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.html
Amazon has something called Cognito which is designed to sync application profiles across mobile devices. What applies to your question, though, is that it also allows users to authenticate with Google, Facebook, or Amazon (it uses OAuth).
http://aws.amazon.com/cognito/