Remoting in Azure Automation Hybrid Runbook Workers - powershell-remoting

When running the workflow below in the ISE on my Azure Automation Hybrid Runbook Worker it works just fine. When executing the same workflow through Azure Automation I get:
Connecting to remote server servername failed with the following error message : Access is denied.
I also tried executing the Runbook using runas with the same account I used to log into the Hybrid Runbook Worker to run the workflow in the ISE. The target server and the Hybrid Runbook Worker are both domain joined, although to different domains.
Could it be that executing the workflow through Azure Automation introduces another hop and I run into a multi-hop issue?
```powershell
workflow Temp
{
    # Credential built from a plaintext password embedded in the runbook
    $User = 'domain\username'
    $Password = ConvertTo-SecureString 'password' -AsPlainText -Force
    $Credentials = New-Object System.Management.Automation.PSCredential ($User, $Password)

    # Where, and as whom, the workflow itself is running
    hostname
    [Environment]::UserName

    # Where, and as whom, the remote script block runs
    InlineScript
    {
        hostname
        [Environment]::UserName
    } -PSCredential $Credentials -PSComputerName servername
}
```

Executing the workflow on an Azure Automation Hybrid Worker does not introduce any other hop. Are you sure that you were running the job on the Hybrid Worker and not in the cloud?
This is likely an authentication issue, as indicated by the message too. Are you running the ISE as Admin? Can you try using the RunAs account as the same account that you are trying to connect with and see if that works?
Also, can you try running this in a PowerShell script instead of a Workflow and see if that works?
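The plain-script variant the answer asks for, as an added example that is not part of the question or the answer above. It records which identity the job is actually running under on the worker, checks the WinRM listener with the supplied credential before doing anything else (so "Access is denied" can be tied to the credential rather than to later remoting steps), and then runs the same remote check as the workflow's InlineScript. It assumes an Azure Automation credential asset named RemoteServerCred (a hypothetical name) holds the remote account, and it uses the target name servername from the question; Get-AutomationPSCredential is only available inside Azure Automation.

```powershell
# Added example, not the asker's workflow: the same check as a regular PowerShell
# runbook. Assumes a credential asset 'RemoteServerCred' (hypothetical name).
param(
    [string] $ComputerName = 'servername',
    [string] $CredentialAssetName = 'RemoteServerCred'
)

# Identity the runbook itself runs as. On a Hybrid Runbook Worker this is the
# worker's service account unless a Run As credential was configured for the
# worker group, and it is what the remote end sees if -Credential is omitted.
$local = [pscustomobject]@{
    Host = $env:COMPUTERNAME
    User = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
}
Write-Output "Runbook is executing on $($local.Host) as $($local.User)"

# Credential comes from the Automation credential store instead of a plaintext
# password in the runbook. Outside Automation, replace this with Get-Credential.
$cred = Get-AutomationPSCredential -Name $CredentialAssetName

# Confirm the WinRM listener accepts this credential before any real work;
# Negotiate picks Kerberos where a trust exists and falls back to NTLM otherwise.
try {
    Test-WSMan -ComputerName $ComputerName -Credential $cred -Authentication Negotiate -ErrorAction Stop | Out-Null
    Write-Output "WinRM reachable on $ComputerName with the supplied credential"
}
catch {
    throw "WinRM check against $ComputerName failed: $($_.Exception.Message)"
}

# Same remote check as the workflow's InlineScript, as an ordinary script block.
$remote = Invoke-Command -ComputerName $ComputerName -Credential $cred -ScriptBlock {
    [pscustomobject]@{
        Host = $env:COMPUTERNAME
        User = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    }
}
Write-Output "Remote session on $($remote.Host) runs as $($remote.User)"
```

Comparing the two "runs as" lines between an ISE run and an Automation job shows directly whether the job's identity differs from the interactive one, which is the first thing to rule out for an access-denied response from the remote listener.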

Related

Connecting from google cloud run to google cloud (mysql) using .net core

I have a .NET Core app deployed as a Docker container on Google Cloud Run, and this app needs to connect to Cloud SQL (MySQL).
When using the private IP address, it's not working.
When using the public IP, it's working, but it's not a good solution for production.
This is my connection string:
```json
"ConnectionString": "server=10.4.16.6;database=mydb;user=root;pwd=mypwd"
```
When I create the app, I'm able to select the database I need to connect to:
But this is not helping to connect.
The relevant docs explain how to do it for Python and Java explicitly.
If you do not want to use a public IP then you would need to rely on a service account to connect to Cloud SQL. However, the .NET MySQL driver has no understanding of GCP IAM and service accounts, so you will need to use a proxy called the Cloud SQL Proxy. The Cloud SQL Proxy understands IAM and service accounts.
The flow will basically look like this:
Your app -> Regular MySQL port -> Cloud SQL Proxy (installed in the app's network or locally) -> Cloud SQL
You will need to do the following:
Create a service account
Assign the role of Cloud SQL Client to the created service account
Download the service account key in JSON format
Set the env variable GOOGLE_APPLICATION_CREDENTIALS=C:\Downloaded.json
Download the Cloud SQL Proxy
Run it:
```shell
cloud_sql_proxy -instances=projectname:regionname:instanceid=tcp:3306
```
At this point your Cloud SQL Proxy is ready to accept connections on 3306; modify the connection string to point at localhost or wherever you installed the Cloud SQL Proxy.
Learn more at About the Cloud SQL Proxy
You can create the Cloud Run app from the console (and select the Cloud SQL connection) or from the gcloud command line and specify
```shell
--add-cloudsql-instances <INSTANCE-NAME> --set-env-vars INSTANCE-CONNECTION-NAME="INSTANCE_CONNECTION_NAME"
```
These settings automatically enable and configure the Cloud SQL proxy. You can connect to the proxy from your ASP.NET Core app using the Unix domain socket with the format /cloudsql/INSTANCE_CONNECTION_NAME.
I used the following connection string in my appsettings.json and it worked for me:
```json
"Server=/cloudsql/INSTANCE_CONNECTION_NAME;Database=DB_NAME;Uid=USER_NAME;Pwd=PASSWORD;Protocol=unix"
```
NB. Make sure you have given the service account that your Cloud Run app runs under the Cloud SQL Client role in IAM.
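The gcloud route from the answer above, carried through end to end as an added example (not code from either answer): it creates a dedicated runtime service account holding only the Cloud SQL Client role, deploys the service with the Cloud SQL connection attached and INSTANCE_CONNECTION_NAME exported, and then reads the revision back to confirm both settings landed. The project ID, region, instance, service and image names, and the service account name are all placeholders.

```powershell
# Added example: Cloud Run deployment with a least-privilege Cloud SQL identity.
# Every name below is a placeholder (assumption), not a value from the question.
$Project  = 'PROJECT_ID'
$Region   = 'europe-west1'
$Instance = 'my-sql-instance'
$Service  = 'my-dotnet-api'
$Image    = "gcr.io/$Project/${Service}:latest"
$SaName   = 'cloudrun-sql-client'
$SaEmail  = "$SaName@$Project.iam.gserviceaccount.com"

# Instance connection name has the form project:region:instance. The app reads it
# from INSTANCE_CONNECTION_NAME and opens /cloudsql/<name> as a Unix socket.
$InstanceConnectionName = "${Project}:${Region}:${Instance}"

# 1. Dedicated runtime identity with only the Cloud SQL Client role, so a
#    compromised container cannot reach anything beyond the database connection.
gcloud iam service-accounts create $SaName --project $Project --display-name 'Cloud Run SQL client'
gcloud projects add-iam-policy-binding $Project `
    --member "serviceAccount:$SaEmail" `
    --role roles/cloudsql.client

# 2. Deploy with the Cloud SQL connection attached and the name exported to the app.
gcloud run deploy $Service `
    --project $Project `
    --region $Region `
    --image $Image `
    --service-account $SaEmail `
    --add-cloudsql-instances $InstanceConnectionName `
    --set-env-vars "INSTANCE_CONNECTION_NAME=$InstanceConnectionName"

# 3. Read the revision template back: the service account and the
#    run.googleapis.com/cloudsql-instances annotation should both be present.
gcloud run services describe $Service --project $Project --region $Region `
    --format 'yaml(spec.template.spec.serviceAccountName,spec.template.metadata.annotations)'
```

The database user and password still travel in the app's connection string; the IAM role only controls which identities may open the proxy socket at all, so it complements rather than replaces the MySQL credential.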

Is there a way to programmatically configure azure EasyAuth for AAD for an Azure Function App?

I am writing Azure CLI scripts to automate creating cloud-side components in Microsoft Azure. In particular, I am using the CLI to create Azure Function Apps. However, while I am able to create a Function App using the CLI, I have not been able to identify a way to configure authentication against Azure Active Directory, other than by using the Azure Portal user interface (see https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad for a description of the interactive process).
It's clear that the interactive process performs several steps behind the scenes, including creating an AAD Application registration and associating the registration with the Function App. My questions are:
What are the details of the steps performed?
Is there a programmatic way, either with the CLI or some other interface, to perform the same set of steps?
Easy Auth is actually a module on IIS. You can enable it using the Azure CLI:
```shell
az webapp auth update -g myResourceGroup -n myUniqueApp --enabled true \
    --action LoginWithAzureActiveDirectory \
    --aad-allowed-token-audiences https://webapp_name.azurewebsites.net/.auth/login/aad/callback \
    --aad-client-id ecbacb08-df8b-450d-82b3-3fced03f2b27 --aad-client-secret very_secret_password \
    --aad-token-issuer-url https://sts.windows.net/54826b22-38d6-4fb2-bad9-b7983a3e9c5a/
```
https://learn.microsoft.com/en-us/cli/azure/webapp/auth?view=azure-cli-latest#az_webapp_auth
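The same az webapp auth update call as the answer above, written as an added example (not the answerer's script) in the form a CLI automation script would use: the tenant ID comes from the signed-in CLI context and the client secret is fetched from Azure Key Vault at run time, so neither the secret nor a tenant GUID is pasted into source control. The resource group, app name, Key Vault and secret names, and the client ID are placeholders.

```powershell
# Added example: Easy Auth (AAD) configuration with the secret pulled from Key Vault.
# All names below are placeholders (assumptions).
$ResourceGroup = 'myResourceGroup'
$AppName       = 'myUniqueApp'
$ClientId      = '00000000-0000-0000-0000-000000000000'   # AAD app registration (client) ID
$VaultName     = 'my-keyvault'
$SecretName    = 'easyauth-client-secret'

# The tenant of the signed-in account is the token issuer Easy Auth should trust.
$TenantId  = az account show --query tenantId -o tsv
if (-not $TenantId) { throw 'Not signed in to the Azure CLI' }
$IssuerUrl = "https://sts.windows.net/$TenantId/"

# Client secret is read at run time; the script never contains it.
$ClientSecret = az keyvault secret show --vault-name $VaultName --name $SecretName --query value -o tsv
if (-not $ClientSecret) { throw "Secret $SecretName not found in $VaultName" }

$AppHost = "$AppName.azurewebsites.net"

az webapp auth update `
    --resource-group $ResourceGroup `
    --name $AppName `
    --enabled true `
    --action LoginWithAzureActiveDirectory `
    --aad-allowed-token-audiences "https://$AppHost/.auth/login/aad/callback" `
    --aad-client-id $ClientId `
    --aad-client-secret $ClientSecret `
    --aad-token-issuer-url $IssuerUrl

# Read the effective settings back, selecting only non-secret fields.
az webapp auth show --resource-group $ResourceGroup --name $AppName `
    --query '{enabled:enabled, action:unauthenticatedClientAction, issuer:issuer, clientId:clientId}' -o table
```

The secret is still handed to az as a command-line argument, so it is briefly visible in the local process list; if that matters in a shared build agent, the same call can be driven from a pipeline variable marked secret instead of a script variable.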

Remove App Settings During Azure App Service Deployment

Deploying via Azure Release Pipeline - and in our Deploy Azure App Service step, we set App Service's Application Settings via the
.
Our contingency if the deployment fails is to redeploy an old release (months old) to the same app service.
However, we need to delete some of the App Service's Application Settings that were set. Just removing these from the old release pipeline does not remove them from the App Service Configuration App Settings section.
Now we don't have the luxury of deleting these app-settings manually on the App Service Configuration.
So what is the recommended way to achieve this through the pipeline?
You could use the Azure CLI task in the pipeline to delete app settings, like:
```shell
az webapp config appsettings delete --name MyWebApp --resource-group MyResourceGroup --setting-names {setting-names}
```
Check the az webapp config appsettings delete documentation for some more details.
On the other hand, you could also use the API Web Apps - Update Application Settings to delete application settings.
```
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{name}/config/appsettings?api-version=2016-08-01
```
You can check the answer here.
Hope this helps.
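A pipeline step built around the az webapp config appsettings delete command from the answer above, as an added example (not the answerer's code): it lists the live settings, works out which ones the current release no longer owns, and deletes them in a single call. The app name and resource group are the answer's placeholders; the keys in the keep-list and the protected-prefix guard are assumptions for the example.

```powershell
# Added example: remove application settings that the release being deployed
# does not define. Names in $Keep and the protected prefixes are assumptions.
$AppName       = 'MyWebApp'
$ResourceGroup = 'MyResourceGroup'

# Keys this release owns. Anything set by earlier releases and not listed here is stale.
$Keep = @(
    'ASPNETCORE_ENVIRONMENT',
    'ConnectionStrings__Default',
    'WEBSITE_RUN_FROM_PACKAGE'
)

# Conservative guard: platform and monitoring keys are never deleted implicitly,
# only when a release lists them in $Keep or removes them on purpose.
$ProtectedPrefix = '^(WEBSITE_|APPINSIGHTS_|APPLICATIONINSIGHTS_)'

# Live settings come back as objects with name/value/slotSetting properties.
$live = az webapp config appsettings list --name $AppName --resource-group $ResourceGroup | ConvertFrom-Json
if ($LASTEXITCODE -ne 0) { throw "Could not read app settings for $AppName" }

$toDelete = $live |
    Where-Object { $Keep -notcontains $_.name -and $_.name -notmatch $ProtectedPrefix } |
    Select-Object -ExpandProperty name

if (-not $toDelete) {
    Write-Host "No stale application settings on $AppName"
    return
}

Write-Host "Removing stale settings: $($toDelete -join ', ')"
# A PowerShell array passed to a native command expands to one argument per element,
# so all stale keys go to --setting-names in one call.
az webapp config appsettings delete --name $AppName --resource-group $ResourceGroup --setting-names $toDelete
if ($LASTEXITCODE -ne 0) { throw "Deleting app settings on $AppName failed" }
```

Running the list step and printing the candidate names before the delete call is what makes this safe to drop into a release that is rolling back to an old package: the names removed are visible in the job log, and a rollback that needs a key it did not list simply adds it to $Keep.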

Integrating KeyVault access into VSTS Release task

I am trying to figure out what is involved in writing a console application that will run as part of a VSTS Release task; that program will read a connection string (secret) from a preconfigured Key Vault and then connect to an Azure SQL DB using that connection string and apply some changes.
Currently I have my Web Apps connecting to Key Vault and the Azure SQL Server using Azure AD Application Token authentication, so I know what is involved on that front.
When you check "Allow scripts to access OAuth token" on the agent settings page, can this token be used (using ADAL) to connect to Key Vault and SQL Server? (Assuming the VisualStudioSPNxxx has the appropriate access to the above resources.)
If not what should I be looking for?
The VSTS token (Allow scripts to access OAuth token) can't be used to connect to Key Vault.
You need to register an app with Azure Active Directory and enable it to communicate with Azure Active Directory and Key Vault, then get the connection string dynamically.
For more information, refer to: Protecting Secrets using VSTS and Azure Key Vault
This is made relatively easy now with Variable Groups - https://learn.microsoft.com/en-us/vsts/pipelines/library/variable-groups?view=vsts
You can link a secret by connecting your Azure KV to a variable and then use this variable as you would normally use it in any script/task.

ENOENT when connecting to Google Cloud SQL from App Engine

I'm trying to deploy my Node.js app on Google App Engine and it deployed fine, but it can't connect to Google Cloud SQL for some reason. Here's what it throws:
```
Error: connect ENOENT /cloudsql/my-project-id:asia-east1:my-sql-instance
```
Here's how I configured the connection:
```javascript
if (process.env.INSTANCE_CONNECTION_NAME) {
  // On App Engine, connect through the Cloud SQL Unix socket
  exports.mysqlConfig = {
    user: process.env.GCLOUD_SQL_USERNAME,
    password: process.env.GCLOUD_SQL_PASSWORD,
    socketPath: '/cloudsql/' + process.env.INSTANCE_CONNECTION_NAME
  };
} else {
  // Use settings for localhost
}
```
I'm using the node-mysql module to connect to the database.
The App Engine app and the Cloud SQL instance are already in the same project.
My theory is that App Engine and Cloud SQL have to be in the same project and the same region, but I'm not sure.
Check your logs for any errors during startup, using either the command gcloud app logs tail -s default or the log viewer at https://console.cloud.google.com/logs/viewer
Chances are that you have not enabled the Cloud SQL API for your project: https://console.developers.google.com/apis/api/sqladmin/overview
Make sure you have added the following setting in app.yaml:
```yaml
beta_settings:
  # The connection name of your instance, available by using
  # 'gcloud beta sql instances describe [INSTANCE_NAME]' or from
  # the Instance details page in the Google Cloud Platform Console.
  cloud_sql_instances: YOUR_INSTANCE_CONNECTION_NAME
```
Ref: https://cloud.google.com/appengine/docs/flexible/nodejs/using-cloud-sql-postgres
Apparently the order in which you do things matters...
Enable the Cloud SQL API,
then (re)deploy your app (gcloud app deploy).
When I did deploy -> create databases -> enable SQL API I got the ENOENT error.
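The ordering the answer above describes, made explicit in a deployment script as an added example (not from any of the answers): the script checks whether the Cloud SQL Admin API is enabled and enables it if not, verifies that app.yaml lists the same instance connection name the app opens under /cloudsql/, and only then runs gcloud app deploy. The project ID and instance connection name are placeholders.

```powershell
# Added example: enable the Cloud SQL Admin API and validate app.yaml before deploying.
# PROJECT_ID and the instance connection name are placeholders (assumptions).
$Project = 'PROJECT_ID'
$InstanceConnectionName = 'PROJECT_ID:asia-east1:my-sql-instance'   # project:region:instance

# 1. Is sqladmin.googleapis.com already enabled in this project?
$enabled = gcloud services list --enabled --project $Project `
    --filter 'config.name=sqladmin.googleapis.com' --format 'value(config.name)'
if (-not $enabled) {
    Write-Host 'Cloud SQL Admin API is not enabled; enabling it before deploying'
    gcloud services enable sqladmin.googleapis.com --project $Project
    if ($LASTEXITCODE -ne 0) { throw 'Enabling sqladmin.googleapis.com failed' }
}

# 2. app.yaml must name the instance the app will open as /cloudsql/<name>;
#    a mismatch here produces the same ENOENT as a disabled API.
if (-not (Test-Path 'app.yaml')) { throw 'app.yaml not found in the current directory' }
$appYaml = Get-Content -Raw 'app.yaml'
if ($appYaml -notmatch [regex]::Escape($InstanceConnectionName)) {
    throw "app.yaml does not list cloud_sql_instances: $InstanceConnectionName"
}

# 3. Deploy only once the API is on and the configuration is consistent.
gcloud app deploy --project $Project --quiet
if ($LASTEXITCODE -ne 0) { throw 'gcloud app deploy failed' }
```

Because the API check runs on every deployment, a fresh project or a recreated one cannot end up in the deploy-before-enable order the answer warns about.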
For anyone using 2nd gen Cloud Functions - they added a section to the documentation:
"If you're using Cloud Functions (2nd gen) and not Cloud Functions (1st gen), the following are required (also see Configure Cloud Run):"
They go on to list the steps required. They're a bit scary, but do work eventually.
(If you find yourself looking for the SQL connection in the new Cloud Run revision, notice there is a separate "Connections" tab for this.)