We used to have below field for OAuth2 in snapLogic while connecting to snowflake.
Authentication parameter value: refresh_token session:role:
However, while using key pair authentication, there is no field to put the functional role.
Hence, if the technical user was not created with default warehouse and default functional role, the snaplogic is unable to connect.
Any suggestions?
Thank You.
Related
I have a Azure Logic App, which is connecting to the SQL Server Database. Currently I am saving the connection string in configurations section of the logic app.
I am planning to use the azure keyvault and get the connection string from there.
I have gone through the online articles which tells about the keyvault connector. but I am not looking for that.
I want to use the Keyvault secret for my sql server connections in the Azure Logic App.
I have also tried with the SQL GetRows as you can see below but I don't see any connection string textbox, where I can use the GetSecret Action Result
As #Skin mentioned You can use Azure Key Vault's Get Secret action in your case. For this search for Azure Key Vault Connector and select Get secret action.
Now you need to establish a connection to your Key Vault by providing your Vault name and Tenant.
Then select the secret that you want to retrieve
After you run the logic app you can see the value that got stored in your key vault.
In Vault:-
The connection strings are saved as application settings of the Logic App.
Change connection string in configuration
There you can edit the app setting related to your connection string (sql_connectionString in my case) with #Microsoft.KeyVault(SecretUri=<keyvault name>.vault.azure.net/secrets/<name of your secret>) or optionally #Microsoft.KeyVault(SecretUri=<keyvault name>.vault.azure.net/secrets/<name of your secret>/<version>).
Once you save your application settings, you will see a green check and Key vault Reference in the source column of your application setting.
Key vault Reference
I created an Azure Function to load data from Eudonet CRM to my Azure SQL Database. I have two databases :
named Datawarehouse
named Datawarehouse-Dev
Both databases are identical and are in the same server.
When I load data directly to "Datawarehouse" the copy works fine, but when I change the database name to "Datawarehouse-Dev", I receive the following errors :
Index #0 Message: Login failed for user 'AzureFunction'. LineNumber: 65536 Source: Core .Net SqlClient Data Provider Procedure: Error Code:18456
-- Sql server error. If error code <17: => check sql transac code (user error). Else: => software or hardware errors (check availability of database)
Login failed for user 'AzureFunction'.
If anyone has an idea on where the problem could come from I would be very grateful and I also don't understand why there is an authentification error since they're both in the same server and are accessed with the same user/password.
Thanks in advance
Though #adnane already resolved the issue after using the connection string directly into Function application setting instead of storing it into Vault. This approach might compromise the application security because using connection string directly might expose it to unauthorized person.
Azure Key Vault is a good place to keep our application credentials in a secured and centralized manner. Moving the secrets to Key Vault becomes even more important while our Azure solution is growing.
In case, if anyone still looking for the solution by storing the connection string in Azure Key Vault and then using it in the Function, please follow the below steps.
Firstly, open the Azure Key Vault service and from the Settings menu select Access policies. Then select + Add new access policy.
Then choose Select principal and search for the name of the Function App as shown in below example.
Once your principal is selected choose the Secret permissions menu. In this case, we’ll only need to get the secret from the Key Vault (concretely read our connection string). Therefore, check Get permission only and then select OK.
At the end, select Save to store the new functionapp-demo-mw access policy.
ADDING SECRET TO AZURE KEY VAULT
Adding a secret to Azure Key Vault is straightforward. From the Key Vault, Settings menu select Secrets and then select + Generate/Import secret.
For Key Vault secret two values are required – name and the value. In this case we’ve called our secret OrderManagementDbConnectionString and as a value we put our SQL Database connection string. Select Create to save the secret.
By default, the secret is Enabled so it’s ready to use. Once the secret is created, we’ll need to get its URI (a unique location identifying the secret). Go to the Settings menu and select Secrets. We’ll find here our recently added secret (OrderManagementDbConnectionString). Select the secret and we’ll see it’s the only version in the list.
Select the current version of secret and copy its secret identifier. The identifier is an URI with pattern : https://<url_of_the_key_value>/<secret_name>/<secret_version>.
GETTING SECRET FROM KEY VAULT IN AZURE FUNCTION APP
Go back to the Azure Function App (functionapp-demo-mw) and on the Overview tab, select Configuration in Configured featured section.
Well, Select + New application settings. Put a name that describes the new setting (we’ve put OrderManagementConnectionString). At the end of the last year, Microsoft has added an option of sourcing Key Vault secrets directly from App Settings. This simplifies a lot the way how the secrets were used before. So, set the value of the setting to a secret reference in the following format:
#Microsoft.KeyVault(SecretUri=**secret_uri_with_version**)
We just need to replace secret_uri_with_version with the value we’ve previously copied from the secret in Azure Key Vault.
In Azure Function, you’ll just retrieve the value from the application settings and work with it the same way as it was directly a connection string stored in application settings.
// get value from appliction settings
var connectionString = Environment.GetEnvironmentVariable("OrderManagementConnectionString");
// create connection
SqlConnection connection = new SqlConnection(connectionString);
lets say I have two on-premise domains (DomainA.org, domainB.org) and one tenant (domainA.onmicrosoft.com). Both domains are sync thanks to Azure AD Connect, so user from domainA can log to office.com, there is no problem. Hoever user from domainB getting this "Error validating credentials due to invalid username or password.", and when I changed password from portal.office.com for this user from domainB. I can log with this new password, but only to office365 services, its not sync to On-prem.
And another wierd thing is, that I cant change password for users from domainA.
Do You know where the problem is?
Thanks
I understand you have synced your 2 domains to Azure AD through Azure AD connect . Initially you have registered both the domain in Azure AD and verified both. Kindly check what kind of authentication you were using for Domain A since you were not able to change the password from Azure End. If you have federated that domain it is not possible to change from the cloud. If you were using password hash synchronization then the authentication will happen if cloud and you can change for managed domain.
I request you to go through this article about password writeback . When you are getting an error message while logging before resetting the password kindly note the correlation ID and time stamp and need to get a support ticket since it will be due to multiple reasons.
I'm working on improving the user experience for our org when logging into snowflake. We have adfs sso enabled and are provisioning mapping users to roles using azure ad. I had a colleague attempt to sign in with SSO who didn't have a user account created in snowflake and they were greeted with
"The signed in user <user#email.com> is not assigned to a role for the application (Snowflake)".
My question is, is it possible to have users sign into snowflake without being mapped to a default role, perhaps only have the public role assigned, and without being synced with azure ad.
If it is, i'd appreciate any pointers to documentation i can reference. The goal is to get all users that can SSO, to by default be able to login
AD group syncing occurs every 40 minutes in Microsoft, and I don't believe it's possible to force a sync or change this time frame. In addition, like the OP mentioned Snowflake cannot connect to an on-prem ADFS server so all users must be in Azure AD.
AD group syncing is somewhat configurable via the "Scope" (see Step 15 of this tutorial)
If your Scope is set to "Sync only assigned users and groups", you can either
Change the scope to "Sync all users and groups" (may cause issues if you don't want to import all this data into Snowflake)
or
Confirm that your desired users' AD group is one of those assigned to be synced to Snowflake (requires manually assigning these users, or that all of these users are part of the same AD group that you choose to sync to Snowflake).
By seeing the error its not allowing user who don't have appropriate role for the application.
In these why can't we create generic stored procedure to assign default role and instance to new user based on the group they belong to.! Each time if we add any new user then we have to run stored procedure to assign default role and object prior to his login to snowflake.
Just had a query that can WSO2 Identity Server be integrated with both LDAP and DB at the same time. To elaborate my query more, say we have a group of users defined in LDAP and another group of users defined in DB and I want Identity Server to act authorization gateway for both of these groups. Is it possible?
Also, while integrating with DB WSO2 adds its own tables in our existing DB. Is there any way we can add custom attributes(claims) support in DB without altering the WSO2 tables?
WSO2 Identity Server supports only one active user realm at a given time. But if your requirement is to use WSO2 IS as an authorization gateway which connects to a LDAP server as well to a DB for populating claims, etc then it is possible to use XACML support in WSO2 IS with a custom PIP(policy information point). In that case, you can connect to the LDAP server as the primary user store and write a custom PIP to connect to the DB to read the required claims.
Following two posts on PIPs will be helpful.
[1] - http://xacmlinfo.com/2011/12/18/understanding-pip/
[2] - http://blog.facilelogin.com/2011/04/xacml-policy-information-point.html
Answering the second query, with the default configuration in the JDBC mode, WSO2 IS uses its own set of tables for maintaining its user store. But if required, you can write your own user store implementation which connects to your database.