I've written an Azure Function in PowerShell and I'd like to make some queries to my Azure Table from this Function. I'm not sure how to authenticate.
How do i get my function to access my azure table ?
*Tried to leverage Managed Identity but did not go anywhere with it
*Same with Service Principal
*It works if i use connect-azuread but the function prompts me with a link and a machine code to authenticate
Thanks!
David
For Azure Function, if you enable the Identity and assign the role assignment for it. And then it will already have the permission according to the assignment if you create the PowerShell script and run it. So you do not need to authenticate for the Managed Identity. You just need to assign the permission to the MSI.
You can check it through the command like this:
$context = Get-AzContext
$context.Account
Then you can see the output shows like this:
Related
i am trying to create a DialogFlow CX agent and call webhook Cloud function. The primary criteria for authentication is to use the service account. I expected this to be created automatically as per the docs mentioned here but I just cant see it in my IAM list.
Is this a bug or am i looking at something else?
Services accounts are created only when needed. If you proceed to add the webhook to the cloud Function, test it and then go to the IAM & Admin page you should be able to see it. Please, remember to mark the Include Google-provided role grants checkbox to be able to see it. If it is not created you can always manually do it as it shows in the documentation that you linked with the command:
gcloud beta services identity create --service=dialogflow.googleapis.com --project=agent-project-id
I have a Google Cloud Function. I also have a web application. I want to authenticate requests to the cloud function by using a service account.
I have the json key file.
I know that I have to follow https://cloud.google.com/functions/docs/securing/authenticating#service-to-function. But that is leading me to an IAP page that does not apply to google cloud functions.
Another similar instructions are found in https://developers.google.com/identity/protocols/oauth2/service-account
But if I am following the python library code, I end up with the sample code there :
import googleapiclient.discovery
sqladmin = googleapiclient.discovery.build('sqladmin', 'v1beta3', credentials=credentials)
response = sqladmin.instances().list(project='exciting-example-123').execute()
This does not directly relate to invoking a cloud function.
This question's answer somewhat deals with my requirement but is using a Call API which is only suitable for testing.
Also, I want to expose this API to multiple applications using another tech like .net. So I believe the best option for me will be to use the HTTP method (given on the same page):
https://developers.google.com/identity/protocols/oauth2/service-account#httprest
But whatever I do I am unable to get the signature right.
Any help to get this sorted will be highly appreciated as I am stuck on this for the past few days.
You can use the Google auth library like this
from google.oauth2.id_token import fetch_id_token
from google.auth.transport import requests
audience="my_audience"
r = requests.Request()
token=fetch_id_token(r,audience)
print(token)
The fetch_id_token method will use the default credentials
The service account key file defined in the environment variable GOOGLE_APPLICATION_CREDENTIALS
The service account loaded in the Google Cloud environment
For now, I followed this answer in PHP
In the claims section, I removed the scope. Instead added a claim of target_audience.
"target_audience" => "google-function-http-trigger"
the cloud function http trigger will look like https://us-central1-test-project-name.cloudfunctions.net/function-name",
This will give the required assertion key.
Then I follow https://developers.google.com/identity/protocols/oauth2/service-account#httprest to get the id_token
Then with the id_token as the bearer token we can call the cloud function.
please note that the token expires depending on the time set in the "exp" claim. Once expired you have to redo the steps to generate the new id_token
I want to authenticate requests to the cloud function by using a service account.
I am not sure I understand the context correctly, but I would try to assign a roles/cloudfunctions.invoker IAM role to that service account (which is used to run your code in the web application) - see Cloud Functions IAM Roles .
In that case a code under that service account "Can invoke an HTTP function using its public URL"
I reckon no json keys are required in this case.
I'm attempting the verification process for an Apps Script web app that uses the URL Fetch service via class URLFetchApp. Per URLFetchApp documentation, this requires the scope https://www.googleapis.com/auth/script.external_request. I can't find any Google documentation for this scope, and it doesn't appear on this list of OAuth2 scopes. I'm having a hard time demonstrating how my app uses the data provided by the scope when I don't actually know what user data the scope provides. I mean, I don't think I'm using any user data... I'm just calling API executable functions from another Google Apps Script project.
What user data is this scope giving me access to? Or do I just need to explain why/how I'm using URLFetchApp?
If you head over the editor dashboard of your script, you will see further information about this scope stating :
Connect to an external service under project OAuth scopes.
Moreover, when you run your script for the first time, the permissions it is asking for are:
Create a network connection to any external service (e.g., to read or write data)
Therefore, despite not having much more description in the documentation (just in UrlFetchApp), I don't think you are using any user data apart from getting the user to use your script and connect to an external service.
I hope this has helped you. Let me know if you need anything else or if you did not understood something. :)
According the documentation if you wish to use UrlFetchApp Service then external_request is the scope you'll have to add to you manifest. Like it or not.
UrlFetch Service
I need one cloud function (CF) to invoke another CF that is protected. Protected meaning it can only be invoked by other CFs but not from Internet.
Protected CF:
I disabled the "Allow unauthenticated invocations" when creating this.
I now need to give this function the correct Role and Permission so that it can be accessed from other CFs.
I have tried almost all options but keep getting 403 from the invoker.
Any ideas? Thanks!
You can specify that a receiving function accepts requests from other functions by granting the Cloud Functions Invoker role to the calling function identity. More info on this here.
Cloud Functions run under a specific identity, given by the service account they run under. By default, this service account is the same as for App Engine, PROJECT_ID#appspot.gserviceaccount.com. So by giving the invoker role to this service account, you'll allow all your other functions to call this function. You may want to give a different identity/service account to each of your functions to specify access permissions in a more granular way. More info on this here.
I (user1) have an Apps Script that connects to a Cloud SQL instance, like so:
var conn = Jdbc.getCloudSqlConnection("jdbc:google:rdbms://blah:instance1/foo")
And it works like a charm. I am trying to share this script as a Library and possibly monetize it in the future.
When I login as a different user (user2) and add it as a library, it fails when the library runs a function that tries to make the connection:
Failed to establish a database connection. Check connection string, username and password.
So it seems like the connection is coming from user2 even though the code executing the connection is coming from a library that is owned by user1. Is that true? Is there any way to make this work beyond adding user2 as an editor to my Cloud SQL instance?
Yes, this is the expected behavior. The library being owned by a different user does not really matter. The cloud-sql jdbc connector only authorize connections if the effective user can edit the database.
To workaround this you have turn this "library" into a webapp, running as you and shared to anyone, even anonymous. That accepts queries and commands to your database via HTTP parameters (either GET or POST). This webapp will return the results using ContentService on any of text formats available. I guess the easiest one is JSON, since you can work with regular js objects on Apps Script and then just JSON.stringify and JSON.parse to make the communication.
To make things easier you could then make a library to access to this webapp, abstracting the UrlFetch calls and parameters you have on the 1st script, allowing easy "native" plugin by other scripts.