The Vault '' not found within subscription even though we have access to the subscription. I am following the documentation and trying to grant access to our Azure Key Vault:
When I try the command to create an access policy for our Key Vault that grants secret permission to our user account, we are getting the following error:
We tried adding the --debug command as follows; however, we're still unclear as to why our Key Vault is not found under the Subscription ID in our Azure portal:
https://learn.microsoft.com/en-us/azure/key-vault/secrets/quick-create-python?tabs=azure-powershell%2Cazure-cli
We used az login, and it looks like we have access to the correct subscription based off of the output below since the "id" matches our Subscription ID:
Edit: I found how it's suppose to work!
First, you need to make sure you are logged into the correct subscription.
https://learn.microsoft.com/en-us/powershell/azure/context-persistence?view=azps-8.2.0
Context is often picked by default and does not always go where you want it to. You can run Get-AzSubscription to check whether the correct subscription is listed.
Originally, when I ran Get-AzSubscription in PowerShell, I got the following error:
Turns out you need to install the Az module in PowerShell. You can also try running the command instead: az account tenant list && az account show --output table
Since context is often picked by default and does not always go where you want it to, you can set the default subscription as follows:
After logging into Azure, using e.g. Connect-AzAccount in PowerShell (version 7+), or whichever command you use to login, you can use the Update-AzConfig -DefaultSubscriptionForLogin <> command in PowerShell to update the default subscription so that in the future, it will always choose your specified default subscription.
Example of 3 different ways to change the default subscription:
az account set --subscription "XX-XXXXX-XXX-XXX-XXXX-XXX"
Set-AzContext -Subscription 'XX-XXXXX-XXX-XXX-XXXX-XXX'
Update-AzConfig -DefaultSubscriptionForLogin YourSubscriptionNameHere
You can check to make sure the default was changed by using the command:
az account show --output table
Related
For some reason I deleted so called brand entity at my gcloud console. Now I want to create new one using the command in the console:
gcloud alpha iap oauth-brands create --application_title='EmojiRave' --support_email='rebelusgames#gmail.com'
But the console returns me back : INVALID_ARGUMENT: Request contains an invalid argument.
I've used different formats (using brackets and without them)
I've checked whether I have enough permissions to do it (I use owner account, so it's enough permissions)
I'm desperate.
There are two potential reasons for the failure:
1. Incorrect email address. According to the docs: "This [support] email address can either be a user's address or a Google Groups alias. [...] Note: The user issuing the request must be an owner of the specified support email address."
2. Project is not in an organisation. According to this source (see under limitations): If you're [..] outside a Cloud Orginization most likely you'll get an error on step "Creating oauth brand".
Overall, my suggestion is to update the OAuth Consent Screen via GCP Console.
Go to the Google Cloud Platform Console.
From the projects list, select a project or create a new one.
If the APIs & services page isn't already open, click on the Navigation Menu on the upper left and select APIs & services.
On the left, click OAuth Consent Screen.
Click Edit App.
First, it's not possible to delete the OAuth Consent Screen (Brand) once created. This can be seen from #DaImTo's answer, and the lack of delete option in both gcloud command and in the console.
I also tested your command on my Cloud Shell and it works fine as well. I've checked the documentation with regards gcloud alpha iap oauth-brands and it is currently in ALPHA state. It may change without prior notice and it may not be stable or work to all users. If you still want to use the CLI and request to be allow-listed regarding this command, my suggestion is to contact sales, as instructed on the issue tracker you've made.
I'm following this documentation:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/microsoft-graph-get-started?tabs=app-reg-ga
And I found another question answered that I thought fit my case:
https://learn.microsoft.com/en-us/answers/questions/199433/can39t-add-role-assignments-to-azure-b2c-applicati.html
My problem is that the app that I registered will not appear as an option when I try to follow the "Enable user delete and password update" portion of the documentation.
I am also mindful of the notice "Please allow a few minutes to for the permissions to fully propagate." But I've at it for 2 hours now, so I don't think that is the problem.
Here is my App and its API permissions:
And my B2C Tenant:
Microsoft has answered this question on this thread as follows:
Hi All ยท Thank you for reaching out.
There seems to be an issue with the UI. I will report the issue to the product team and get it addressed.
However, as of now, you can follow below steps and use PowerShell to add application to the User Administrator role:
Install latest Azure AD PowerShell Module.
Run Connect-AzureAD -TenantId Your_B2CTenant.onmicrosoft.com and sign in with Global Administrator account in that tenant.
Run Get-AzureADDirectoryRole cmd and copy the object id of the User Administrator role.
Navigate to Azure AD > Enterprise Applications > Search the app and copy the object id of the app.
Run Add-AzureADDirectoryRoleMember -ObjectId object_ID_copied_in_Step3 -RefObjectId object_ID_copied_in_Step4 cmdlet.
To verify, navigate to Azure AD B2C > Roles and Administrators > User Administrator. You should see the application present under this role
I am writing a .Net Core 2.0 MVC-like app where users log in and then do such operations on an AAD B2C tenant such as add new user, edit user, delete user etc.
Listing and adding users was pretty easy to do, but now when I try to remove certain users, I get a 403 Forbidden error. I'm assuming it's because I missed permissions somewhere, but I don't really know where.
I have enabled literally ALL possible App permissions in my AAD B2C Tenant b2c-extensions-app and most of the ones that sound right (30 app+30 delegated) in apps.dev.microsoft.com. I added the account I log in to test to owner list, too. Any clues on why I keep getting those errors would be much appreciated. What are the things I could have missed?
// I found out that to delete users, Directory.AccessAsUser.All is required. I already have it in delegated permissions but I keep getting the same error.
// Yes, I did add myself as owner to b2c-extensions-app and I also added literally every possible permission to it. Windows Azure Active Directory has 7+9, Microsoft Graph has 37+78.
// Okay it seems that the same error occurs when I try to edit a user's password (or any contents, really), too.
Did you setup your permissions through Azure portal or PowerShell?
Delete permissions for a B2C application must be created using PowerShell.
You can find instructions on this page of Microsoft Docs, under the section 'Configure delete permissions for your application'.
Let me know if it helped!
I try to check code-push.
I use Cordova into a docker machine into a virtual machine, in Windows.
My problem is that when I try to create an account with "code-push register", I get "A browser is being launched to authenticate your account...". This doesn't help me at all because this runs into a docker machine and no browser can start.
What can I do?
It could help me if I could link a Microsoft account.
Thanks in advance
You can use following commands to be able to authenticate against the CodePush service without launching a browser and/or without needing to use your GitHub and/or Microsoft credentials (e.g. in a CI environment),
code-push access-key add "VSTS Integration"
By default, access keys expire in 60 days. You can specify a different expiry duration by using the --ttl option and passing in a human readable duration string (e.g. "2d" => 2 days, "1h 15 min" => 1 hour and 15 minutes). For security, the key will only be shown once on creation, so remember to save it somewhere if needed!
After creating the new key, you can specify its value using the --accessKey flag of the login command, which allows you to perform "headless" authentication, as opposed to launching a browser.
code-push login --accessKey <accessKey>
if at any point you need to change a key's name and/or expiration date, you can use the following command:
code-push access-key patch <accessKeyName> --name "new name" --ttl 10d
I finally did the obvious: installed code-push on Windows, performed 'code-push login'. Then the browser opened and after I inserted microsoft login credentials I got the access token to use into Docker.
I'm running GitLab on local address http://192.168.0.18/. Upsource is running on http://192.168.0.11/.
I've added Upsource application as admin on GitLab. I've set client id and secret token as GitLab said. Authorization is set to http://192.168.0.18/oauth/authorize, token to http://192.168.0.18/oauth/token and user data to http://192.168.0.18/api/v4/user (according to GitLab documentation). In field mappings, I've set User ID to "id" and both e-mails to "email".
Then, on logging page of Upsource, I've oath authentication icon. After clicking on it, GitLab requires logging and user has to authorize application for its account:
Authorization required
Authorize Upsource to use your account?
You are an admin, which means granting access to Upsource will allow them to interact with GitLab as an admin as well. Proceed with caution.
This application will be able to:
Access your API
Read user information
Hovewer, after clicking authorize button, Upsource displays info: Authentication failed. Check your credentials and try again.. What have I set wrong? Field mappings?
Oh, I've found the answer. As happens often, I was fighting with this a good amount of hours and just after I asked this question, I've got idea to run this on my own. Rubber duck method, I guess...
As I suspected, the problem was in field mappings.
I looked in Network tab in Chrome and there was this response:
http://192.168.0.11/hub/auth/login?response_type=token&client_id=[CLIENT_ID]&redirect_uri=[REDIRECT_URI]&message=hub-auth-failed&developer_message=getValueByPath%28json%2C+aut%E2%80%A6userIdPath%29%21%21.textValue%28%29+must+not+be+null
I've manually went through all Gitlab workflow and then I could log in - and after running http://192.168.0.18/api/v4/user endpoint, I've got user data:
{"name":"username","username":"username","id":3,"state":"active","avatar_url":"http://www.gravatar.com/avatar/94232f2d1f8bb2fe940de439a4df1014?s=80&d=identicon","web_url":"http://debian/username","created_at":"2017-03-25T22:28:21.375Z","is_admin":true,"bio":null,"location":null,"skype":"","linkedin":"","twitter":"","website_url":"","organization":null,"last_sign_in_at":"2017-03-25T22:28:21.487Z","confirmed_at":"2017-03-25T22:28:21.376Z","email":"username#username.username","color_scheme_id":1,"projects_limit":100000,"current_sign_in_at":"2017-03-25T22:36:31.853Z","identities":[],"can_create_group":true,"can_create_project":true,"two_factor_enabled":false,"external":false}
The problem was in setting ID field name. As we can see in above JSON data, id field should be mapped to name/username, not id itself.
After this change I could sucessfully login into Upsource.