Cannot find the Verifiable Credentials Service Request service principal while creating an access policy - azure-active-directory

I'm following this tutorial to discover and learn more about Entra Verified ID's Verifiable Credentials capabilities. However, I'm stuck at this step. I need to provide access to the Verifiable Credentials Service Request service principal, but I can't find it in the list of principals. I've tried typing the name of the principal and the app ID, but I still couldn't find it. What could be the problem here?

I've been able to choose the Verifiable Credentials Service Request service principal after enabling the Verified ID service.

Related

User not authorized to act as service account

I'm a newbie on GCP and going to transfer tables from azure blob storage to the cloud bucket.
I follow the instructions here (use data fusion).
When I finished deploying the pipeline and was going to run it, I got an error, and the advanced log said
INVALID_ARGUMENT: User not authorized to act as service account '####-compute#developer.gserviceaccount.com'.
I looked through several documents and also tried looking for answers on Stack Overflow, but none of them worked for me.
How should I grant access to a service account and which service account should I be attached to?
Now, on my IAM/service accounts console, I am also assigned the Service Account User role, and I only have two default service accounts: one for Compute Engine and one for App Engine.
Really don't know what to do. Thanks in advance for any help!
You need to grant the Service Account User role. Here is an example of that. This should be performed for the current user/service account you are using to run the job, as exemplified below:
Go to the IAM & Admin Console
Click on IAM
Select the member you are using to run your job
Click on the pen icon in the right side of the member's info
Add the Service Account user role
In general terms, the error is related to the lack of the Service Account User role (roles/iam.serviceAccountUser) associated with the user/service account used to run the job.
Keep in mind that service accounts are used to make authorised API calls, through the service account itself or through delegated users within it. Moreover, regarding impersonating service accounts, a user with particular permissions can act as another service account that has the necessary permissions to execute a specific job.

Is there a way to get a list of Azure AD tenants from within a service principal?

I have created an app to get various information from Azure AD, such as users and groups. It lives in one of my tenants as an app registration. This works fine, but now I would also like my app to get a list of the ids of other tenants I have in my account.
I have given my app user_impersonation permission on Azure Service Management, and I am able to make GET https://management.azure.com/tenants?api-version=2016-06-01 requests using my client credentials. However, when I make that call I get a list only containing the tenant that my app/service principal lives in. Is there a way I can use this API call to see other tenant ids from within my app?
Yes, you could do that with auth code flow instead of client credentials flow.
Since you are trying to get the tenants of your account rather than the app/service principal, you have to include the account information when doing the authentication.
Client credentials flow is App-only. Auth code flow is App+user.
See reference here to learn how to implement Authorization code grant (interactive clients).
And here is the document about OAuth 2.0 authorization code flow.
You need to Request an authorization code first and then Request an access token with the code from the previous step. Using this access token, you can list the tenants you have in your account.
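The two-step flow the answer describes (request an authorization code, redeem it for an app+user token, then call the ARM tenants endpoint), as an added example that is not part of the original answer. The tenant, client id, secret and redirect URI are placeholders, and the tenants response is a constructed sample; only the build_*/parse_* helpers run offline.

```python
"""Authorization code flow against Microsoft identity platform v2.0 endpoints,
then GET https://management.azure.com/tenants. Added example; all ids are
placeholders you replace with your own app registration values."""
import json
import secrets
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"
ARM_SCOPE = "https://management.azure.com/user_impersonation"
TENANTS_URL = "https://management.azure.com/tenants?api-version=2016-06-01"


def build_authorize_url(tenant, client_id, redirect_uri, state):
    # Step 1: the *user* is sent here and signs in; the code that comes back
    # is bound to that user, which is what makes the flow app+user.
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "response_mode": "query",
              "scope": f"{ARM_SCOPE} offline_access", "state": state}
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?" + urllib.parse.urlencode(params)


def build_token_request(tenant, client_id, client_secret, redirect_uri, code):
    # Step 2: exchange the code for an access token (grant_type=authorization_code).
    body = {"client_id": client_id, "client_secret": client_secret,
            "grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "scope": ARM_SCOPE}
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/token", urllib.parse.urlencode(body).encode()


def redeem_code(tenant, client_id, client_secret, redirect_uri, code, expected_state, state):
    # The state echoed on the redirect must match the one we generated (CSRF check).
    if not secrets.compare_digest(expected_state, state):
        raise ValueError("state mismatch on redirect")
    url, data = build_token_request(tenant, client_id, client_secret, redirect_uri, code)
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req) as resp:  # network call
        return json.load(resp)["access_token"]


def parse_tenant_ids(arm_json_text):
    # ARM returns {"value": [{"id": "/tenants/<guid>", "tenantId": "<guid>"}, ...]}.
    return [t["tenantId"] for t in json.loads(arm_json_text)["value"]]


def list_tenants(access_token):
    req = urllib.request.Request(TENANTS_URL, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:  # network call
        return parse_tenant_ids(resp.read().decode())


# Constructed sample response (not real tenant ids) so the parser can be exercised offline.
SAMPLE_TENANTS_RESPONSE = json.dumps({"value": [
    {"id": "/tenants/00000000-0000-0000-0000-000000000001", "tenantId": "00000000-0000-0000-0000-000000000001"},
    {"id": "/tenants/00000000-0000-0000-0000-000000000002", "tenantId": "00000000-0000-0000-0000-000000000002"}]})
```

With a user-bound token, the same GET returns every tenant that signed-in account can see, not just the app's home tenant.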

Does Azure Service Principal support MFA

I have a question related to Service Principals. Can we enable multi-factor authentication for a Service Principal? Can anyone confirm this for me?
Also, my second question is: "How do MSIs differ from Service Principals in AAD?"
Thanks
Can we enable multi-factor authentication for a Service Principal?
Can anyone confirm this for me?
In AAD, MFA is for user principals (users), NOT service principals. I believe that you may mean whether we can enable MFA for the client_credentials flow in AAD. It's not possible currently.
Also, my second question is: "How do MSIs differ from Service Principals in AAD?"
MSI actually uses a service principal in AAD. Azure registers a service principal to represent the Azure resource (it's a system-managed service). However, this service principal is system-managed. Therefore, you can use it but cannot configure it.

When does Object Id of Service Principal change

I have registered an app under a tenant. I was using the Object Id of the Service Principal that was generated. I realized that the Object Id isn't working any more, and when I debugged, I realized it had changed.
I'm not sure when it changes. I'm not finding documentation stating the scenarios in which it does change. Also, is there a way to track changes to it?
The objectId of a Service Principal is its unique identifier. It should never change for the lifetime of the service principal.
So the only way you can see the objectId of a service principal changing would be that, for some reason, the service principal got deleted and then created again.
One possible case is a multi-tenant application where consent was already given and the Service Principal got created with, let's say, ID1. Now if you delete the service principal and go through the consent process again, the service principal will be created again and hence the objectId may be a new one.
Other cases could be if you're again deleting and recreating the service principal (or the application for service principal itself) through some UI or through programmatic options like PowerShell, CLI, Azure AD Graph API or Microsoft Graph API.

IBM Watson Personality insight Demo Edit Issue

I recently downloaded the IBM Watson Personality Insights demo (Node.js). When I run that demo and try to analyze any person that is already in the list, it throws an error.
Here is the UI of that demo
I don't know why is it coming. please guide me accordingly.
Here is an error
As the error says, you are not authorised. You need to create a personality insights service, and set the credentials.
You can't use the default settings.
Double check your .env file.
IBM Cloud is migrating to token-based Identity and Access Management (IAM) authentication.
With some service instances, you authenticate to the API by using IAM. You can pass either a bearer token in an Authorization header or an API key. Tokens support authenticated requests without embedding service credentials in every call. API keys use basic authentication. Learn more about IAM.
If you pass in an API key, use apikey for the username and the value of the API key as the password.
In other instances, you authenticate by providing the username and password for the service instance. For more information, see Service credentials for Watson services.
To find out which authentication to use, view the service credentials by clicking the service instance on the Dashboard.
Source : apidocs/personality-insights
So in your .env file the service credentials could either be
# service credentials
PERSONALITY_INSIGHTS_USERNAME= <YOUR USERNAME>
PERSONALITY_INSIGHTS_PASSWORD= <YOUR PASSWORD>
PERSONALITY_INSIGHTS_URL=<SERVICE URL>
Or
# service credentials
PERSONALITY_INSIGHTS_IAM_APIKEY= <YOUR API KEY>
PERSONALITY_INSIGHTS_URL= <SERVICE URL>
