I am running a docker container consisting of a asp.net core 2.2 api. This api needs access to Azure key vault and I have signed in into Visual studio with a user that has the right access policies on the Key Vault to retrieve secrets. However, when I use visual studio tools for docker to debug the container, this particular sign in does not seem to propogate inside the container running locally. But when i run the application locally(without running it in docker container) the asp net core configuration provider seems to pick up my visual studio login. Any pointers on this is helpful
I had the same problem with docker and MSI on my mac. I ended up doing the following workaround:
First get an access token from CLI and set it to environment (and remember pass it to docker)
export ACCESS_TOKEN=$(az account get-access-token --resource=https://vault.azure.net | jq -r .accessToken)
In the code, pick it up if token is in environment:
KeyVaultClient keyVaultClient;
var accessToken = Environment.GetEnvironmentVariable("ACCESS_TOKEN");
if (accessToken!=null)
{
keyVaultClient = new KeyVaultClient(
async (string a, string r, string s)=> accessToken);
}
else
{
var azureServiceTokenProvider = new AzureServiceTokenProvider();
keyVaultClient = new KeyVaultClient(
new KeyVaultClient.AuthenticationCallback(
azureServiceTokenProvider.KeyVaultTokenCallback));
}
I read this post ~ month ago. I was looking for answer on the similar question. I found that Docker can run Kubernetes and there is AAD-Pod-Identity https://github.com/Azure/aad-pod-identity which doesn't work for Docker Kubernetes. I forked their repository and make modification for mic component. Now it works for Docker Kubernetes, not sure whether Azure team has plans get these modifications on board or not.
You can get detailed instructions how to get things running here:
https://github.com/Wallsmedia/aad-pod-identity
One more option, which avoids secret injection, is to use the device code authentication flow to obtain a user_impersonation access token. The downside, the developer must manually complete the flow every time the container starts up.
These posts outline the process,
https://joonasw.net/view/device-code-flow
https://blog.simonw.se/getting-an-access-token-for-azuread-using-powershell-and-device-login-flow/
Use the powershell clientId to avoid registering a new tenant app. Works like a charm.
Related
I'm trying to make a request in Go client.AnnotateVideo(ctx, &annotateVideoRequest) to the Google Cloud Video Intelligence API using the package cloud.google.com/go/videointelligence/apiv1.
I noticed that if I'm on a Google VM, i don't need any credentials or environment variable because the API says:
For API packages whose import path is starting with "cloud.google.com/go",
such as cloud.google.com/go/storage in this case, if there are no credentials
provided, the client library will look for credentials in the environment.
But I guess I can't authenticate because I'm running a Docker Container inside the Google VM, and I don't know if I really need a credentials file in that docker container, because I don't know if the library automatically creates a credentials file, or it just check if there is a $GOOGLE_APPLICATION_CREDENTIALS and then use that (But that makes no sense. I'm on a GOOGLE VM, and I'm supposed to have that permission).
The error is:
PermissionDenied: The caller does not have permissions
Some links that might be helpful:
https://pkg.go.dev/cloud.google.com/go/storage
https://cloud.google.com/docs/authentication#environment-service-accounts
https://cloud.google.com/docs/authentication/production#auth-cloud-implicit-go
https://cloud.google.com/video-intelligence/docs/common/auth#adc
Thanks in advance!
I am running an application inside of Docker that requires me to leverage google-bigquery. When I run it outside of Docker, I just have to go to the link below (redacted) and authorize. However, the link doesn't work when I copy-paste it from the Docker terminal. I have tried port mapping as well and no luck either.
Code:
credentials = service_account.Credentials.from_service_account_file(
key_path, scopes=["https://www.googleapis.com/auth/cloud-platform"],
)
# Make clients.
client = bigquery.Client(credentials=credentials, project=credentials.project_id,)
Response:
requests_oauthlib.oauth2_session - DEBUG - Generated new state
Please visit this URL to authorize this application:
Please see the available solutions on this page, it's constantly updated.
gcloud credential helper
Standalone Docker credential helper
Access token
Service account key
In short you need to use a service account key file. Make sure you either use a Secret Manager, or you just issue a service account key file for the purpose of the Docker image.
You need to place the service account key file into the Docker container either at build or runtime.
I have created a simple ASP.NET Core MVC application using EF Core and SQL Server. On the Windows development machine it is using localdb. I am trying to deploy to Azure App Service (Linux). I have created an Azure SQL database. Deploying from Visual Studio 2019, I have set the database as a dependency. In the publish profile settings I have selected the Azure SQL connection string for the database context I am using. I have also checked the EF Migrations and on deployment the script successfully created the tables for the application. I can connect to Azure SQL and see the tables. However when I run the deployed application and try a database operation I get: PlatformNotSupportedException: LocalDB is not supported on this platform
I can see from the docs various ways to set the connection string but I would like to know what the publish wizard in Visual Studio 2019 is trying to do and why it is not working? I'm also unclear where the password is stored. In the publish profile the password seems to be in the connection string as plain text, not good. I'd like to know how to get this right for production.
Update I have fixed this for the moment by following the steps in the Linux tutorial, using the Azure CLI and running the following command:
az webapp config connection-string set --resource-group [myResourceGroup] --name [app name] --settings MyDbConnection='[connection-string]' --connection-string-type SQLServer
I am not sure of the security of this approach and plan to investigate further.
The publish wizard simply handles the database creation/migration for you, it doesn't modify your project, as that's 1) not its purpose and 2) it can't make the configuration decision for you (i.e. use appsettings, environment variables, etc.)
You need to provide the connection string in production via configuration, just as in development. Since you're deploying to an Azure App Service, the most logical place for that would be to the App Settings in the Azure. These will be loaded in via environment variables. Simply specify the same key you're using in development and specify the production database target there.
Our OPS team have configured a SSO tile that connects to ADFS. I am building a sample application that utilize an SSO service instance. I can deploy my application to PCF and remote debug my SSO configuration. These things work.
What I need is a way to access the SSO service instance while I am developing on my PC. Otherwise only way to verify my code really works is to deploy my application to PCF and either add log statements or configure remote debugging. Both of these are pretty time consuming.
I looked into configuring ssh access to pivotal services. That works for database service instances, but not for SSO service instance. Has anyone figured it out?
After repeated trials and error, I found the solution. Posting it here in case someone else has similar issue
In PCF, for your SSO add a new application. Auth redirect url for this application should point to your localhost. In my case it is http://localhost:8080
run cf env . Copy the p-identity section only and save to vcap_services.json. Then update the clientId and clientSecret with the values from the new application created in previous step.
Use the following command to start your application
VCAP_APPLICATION=true VCAP_SERVICES=$(cat vcap_services.json) SPRING_PROFILES_ACTIVE=... ./gradlew bootRun
I have designed a simple windows service in .NET 2.0.
I am trying to deploy it on my local machine. I have switched to design view, and setup ServiceInstaller and ServiceProcessInstaller objects. There is a Project Installer. I have also wrapped the Windows Service into a .NET setup project and install it, leaving an .exe in the specified directory.
I have fired up cmd and entered the path to installutil. This works fine, but then I typeinstallutil and the full path to the service, in Visual Studio command prompt, and this does not work (I've also tried installutil /i and all sorts of things out of desperation). The permissions are local system (extensive).
Any ideas what I am doing wrong? For those here who have installed Windows Services, what was your methodology to install the service?
Thanks
We actually create an installer built into our application. It's a console app that has a command line to install/uninstall the server as well as run as a service or in console mode.
See this article on a Self Installing Service for some details. I like this method as it provides flexibility.
DESCRIPTION:
SC is a command line program used for communicating with the
NT Service Controller and services.
USAGE:
sc [command] [service name] ...
The option has the form "\\ServerName"
Further help on commands can be obtained by typing: "sc [command]"
Commands:
query-----------Queries the status for a service, or
enumerates the status for types of services.
queryex---------Queries the extended status for a service, or
enumerates the status for types of services.
start-----------Starts a service.
pause-----------Sends a PAUSE control request to a service.
interrogate-----Sends an INTERROGATE control request to a service.
continue--------Sends a CONTINUE control request to a service.
stop------------Sends a STOP request to a service.
config----------Changes the configuration of a service (persistant).
description-----Changes the description of a service.
failure---------Changes the actions taken by a service upon failure.
qc--------------Queries the configuration information for a service.
qdescription----Queries the description for a service.
qfailure--------Queries the actions taken by a service upon failure.
delete----------Deletes a service (from the registry).
create----------Creates a service. (adds it to the registry).
control---------Sends a control to a service.
sdshow----------Displays a service's security descriptor.
sdset-----------Sets a service's security descriptor.
GetDisplayName--Gets the DisplayName for a service.
GetKeyName------Gets the ServiceKeyName for a service.
EnumDepend------Enumerates Service Dependencies.
The following commands don't require a service name:
sc
boot------------(ok | bad) Indicates whether the last boot should
be saved as the last-known-good boot configuration
Lock------------Locks the Service Database
QueryLock-------Queries the LockStatus for the SCManager Database
EXAMPLE:
sc start MyService
Here's another reference specific to .NET services.
http://bytes.com/forum/thread739857.html
I'm calling installutil in my setup package and it works for me just fine.
That'd be great if you posted an error message that you're getting when running installutil.