azure aks with terraform gives me error Due to a configuration change made by your administrator, or because you moved to a new location - azure-active-directory

I am trying to create an AKS cluster with Terraform. Here are the config files for the same. Validation went well, but plan gives the following error.
I have some experience with Terraform as well as Azure and AKS, but not with Azure AD, so please enlighten me as to what's going wrong.
I looked into this SO question and this one as well, but have no clue.
│ Error: building account: getting authenticated object ID: parsing json result from the Azure CLI: waiting for the Azure CLI: exit status 1: ERROR: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'.
│ Trace ID: 3391ac9b-4e8d-43a3-88f5-0cb1093a2d00
│ Correlation ID: fe984fa6-71ff-42d6-b487-7b988a7e1dd6
│ Timestamp: 2022-08-23 13:39:59Z
│ To re-authenticate, please run:
│ az login --scope https://graph.microsoft.com//.default
│
│ with provider["registry.terraform.io/hashicorp/azurerm"],
│ on tf1-provider.tf line 48, in provider "azurerm":
│ 48: provider "azurerm" {
az login is already done (output below, IDs removed).
Update
It turns out it's something to do with az auth. When I ran
az ad sp list --all
I got exactly the same message.
Then I ran
az login --scope https://graph.microsoft.com//.default
as suggested. Then it asked me to run
az login --tenant <tenantId>
And this time it logged me in after two-factor authentication (mobile OTP). Then finally this error went away.
I did not understand it fully, but that's how I resolved it for now.

The Azure AD error AADSTS50076 is thrown whenever MFA is required. In order to be prompted for MFA you need to re-authenticate interactively, which is what you just did.
If you were not facing this issue before, it's because MFA was not enabled or was not required, but now it is. You will need to reach out to a tenant admin to get more information about that setup.
For more information about Azure AD errors, take a look at Azure AD Authentication and authorization error codes.

Related

Authentication error with CI/CD for Salesforce

I am trying to set up CI/CD for my Salesforce project on Bitbucket.
On the Bitbucket pipeline I run this command:
sfdx force:auth:jwt:grant --username $DEV_USERNAME --clientid $DEV_CLIENTID --jwtkeyfile jwt/server.key --instanceurl=$DEV_URL --setalias=vin3sDev
It shows me this error:
ERROR: This org appears to have a problem with its OAuth configuration. Reason: invalid_grant - audience is invalid
I tried on my local machine, and it's successfully authorized.
What's the difference? And how do I fix it?
Thanks in advance.

Standalone Blazor WASM .Net6 Application with Azure Active Directory Authentication works locally, not when deployed to Azure Static App Service

I have been having this issue for days and have not been able to figure out what it is.
In my Blazor WASM standalone program I handle authentication with Azure Active Directory and followed these exact steps to set it up: [1]
It worked great locally out of the box, but after publishing it from Azure DevOps to the Static Web App Service of Azure, the authentication redirect simply stopped working. After looking at the requests the site is making with Fiddler, it is obvious that the redirect to Microsoft's authentication site never happens.
Interestingly there is no authentication error message in the URL of the callback (as I was usually getting them when something was wrong) - there simply is no information, and the pop-out window does not even open either. Here is the only error message that I get from the browser console.
Deployment to Azure Static App works just like in this tutorial [2], and here is my DevOps pipeline YAML in case it helps.
# Example Taken From https://reddit.fun/96630/devops-pipeline-unable-deploy-blazor-static-package-private
# research documentation https://learn.microsoft.com/en-us/aspnet/core/blazor/host-and-deploy/webassembly?view=aspnetcore-6.0#standalone-deployment
# Documentation of Azure Static Web App Task https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/utility/azure-static-web-app?view=azure-devops
trigger:
- main

pool:
  vmImage: ubuntu-latest

variables:
  buildConfiguration: 'Release'
  dotNetFramework: 'net6.0'
  dotNetVersion: '6.0.x'

steps:
- checkout: self
  submodules: true

- task: UseDotNet@2
  inputs:
    version: $(dotNetVersion)
    includePreviewVersions: true

- task: CmdLine@2
  inputs:
    script: "dotnet workload install wasm-tools"

- task: DotNetCoreCLI@2
  displayName: "dotnet restore"
  inputs:
    command: restore
    projects: '**/*.csproj'

- task: DotNetCoreCLI@2
  displayName: "Publish Blazor App"
  inputs:
    command: publish
    publishWebProjects: true # required for publish
    arguments: '--configuration $(buildConfiguration) --framework $(dotNetFramework) --output $(Build.ArtifactStagingDirectory)'
    zipAfterPublish: false

- task: DownloadPipelineArtifact@2
  displayName: "Download Artifacts"
  inputs:
    targetPath: '$(Build.ArtifactStagingDirectory)'

- bash: cd $(Build.ArtifactStagingDirectory); echo $(ls); cd 'KapaBlazorWeb'; echo $(ls);

- task: AzureStaticWebApp@0
  inputs:
    cwd: $(Build.ArtifactStagingDirectory)
    skip_app_build: true # skip build because restore of build will probably fail?!
    app_location: '[BlazorAppName]/wwwroot'
    azure_static_web_apps_api_token: '[TOKEN]'
My question is whether you have had anything similar happen and whether you know a way to fix this, as I am very new to working with Azure and have never worked with Azure's Static Web Service.
Maybe the issue is not with the Blazor-App itself but with the Static-App-Service? Is there anything I could have missed? Is there a way to see more information about what is happening on the ASW?
EDIT: Update
I also published the default Blazor WASM AAD project (also standalone) as it is generated by the Visual Studio template. Again, locally it works great, but on the Static Web Service by Azure the redirect to Microsoft's authentication page never happens; it always goes to the '/authentication/login-failed' path.
I am guessing that the IIS Server has some kind of configuration issue that I haven't been able to find yet.
OK, so I finally found the issue, and I want to leave it here:
After testing everything with the default Blazor AAD template I at least got an error, which turns out to be answered in this question:
Blazor WASM Net 6 Preview 4 Azure AD - There was an error trying to log you in: 'Cannot read property 'toLowerCase' of undefined'
Then I just added these three rows to the csproj file (DIRECTLY UNDERNEATH the ItemGroup that contains all PackageReferences):
<ItemGroup>
  <TrimmerRootAssembly Include="Microsoft.Authentication.WebAssembly.Msal" />
</ItemGroup>
It now just magically works - apparently because this package gets trimmed in the publishing process, which leads to issues down the line.
Hope it helps someone in the future :)

Auth issue in PowerShell after password change

After a recent password change, I've been unable to perform "terraform plan" operations (or anything else that requires authentication to our Azure subscriptions). I actually suspect that this is more properly an Azure AD issue, but decided to ask in the Terraform area first on the off chance someone else has encountered this (I Googled multiple variations, but found nothing definitive for the PowerShell case).
The error message is:
│ Error: building account: getting authenticated object ID: Error parsing json result from the Azure CLI: Error waiting for the Azure CLI: exit status 1: ERROR: AADSTS50173: The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '2021-09-20T19:11:35.3441875Z' and the TokensValidFrom date (before which tokens are not valid) for this user is '2021-10-11T21:32:17.0000000Z'.
│ Trace ID: <GUID>
│ Correlation ID: <GUID>
│ Timestamp: 2021-10-11 23:41:09Z
│ To re-authenticate, please run:
│ az login --scope https://graph.windows.net//.default
│
│ with module.policyset_definitions.provider["registry.terraform.io/hashicorp/azurerm"],
│ on modules\policyset-definitions\main.tf line 1, in provider "azurerm":
│ 1: provider "azurerm" {
The Trace, Correlation, and Timestamps vary, of course, by attempt.
I've attempted:
Clear-AzContext
Clear-AzDefault
exit PowerShell
(even rebooted, since this has occurred over several days now and I shut down after work) then log in again.
I've also tried:
$c = Get-AzContext
Remove-AzContext -InputObject $c
The closest PowerShell equivalent to Azure Shell "az login --scope https://graph.windows.net//.default" appears to be:
Connect-AzAccount -AuthScope https://management.azure.com/
That didn't change anything about the error: it still occurs, and still reports the same time that the token was last issued.
Since the problem appears to be with my token and the grants associated with it, I decided to attempt to force a refresh of the grants by doing:
Connect-AzureAD
Get-AzureADUser -SearchString "<AzureADEmailAccount>"
Revoke-AzureADUserAllRefreshToken -ObjectId <GUID>
The results are one of the reasons I suspect this is an AAD problem, not Terraform; the error message didn't change, but the time reported in "grant was issued on" changed from the time I changed my password to the time I ran Revoke-AzureADUserAllRefreshToken.
Any suggestions? I'm also going to try to reach out to Microsoft, but wanted to start here for a publicly-available answer.
I was never able to get the token refreshed from PowerShell.
At the suggestion of MS Support, I installed the Azure CLI (I had to beg hard to get the admin permissions to do so, which is the reason I hadn't tried that previously) so I could do the following:
az login --use-device-code
That resolved the issue.
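A pre-flight check that covers both this post's AADSTS50173 case and the AADSTS50076 case from the main question above, as an added example (not code from either poster or from the azurerm provider): it asks the Azure CLI for a Microsoft Graph token, which the provider needs to resolve the signed-in object ID, and maps the two error codes quoted on this page to the commands each poster reports as the fix. It assumes `az account get-access-token --scope` is available and that the AADSTS text reaches stderr as shown in the quoted errors.

```shell
#!/bin/sh
# Added example: pre-flight check before `terraform plan` when the azurerm
# provider authenticates through the Azure CLI. The error codes and remedies
# are the ones quoted on this page; everything else is an assumption.

# classify_aadsts STDERR_TEXT -> mfa-required | grant-revoked | ok | unknown
classify_aadsts() {
    case "$1" in
        *AADSTS50076*) echo "mfa-required" ;;   # MFA now enforced (policy change / new location)
        *AADSTS50173*) echo "grant-revoked" ;;  # refresh token revoked, e.g. after a password change
        "")            echo "ok" ;;             # empty stderr: a token was issued
        *)             echo "unknown" ;;
    esac
}

# remedy CLASS -> the re-authentication command reported on this page for that class
remedy() {
    case "$1" in
        mfa-required)  echo "az login --scope https://graph.microsoft.com//.default  # then, if prompted: az login --tenant <tenantId>" ;;
        grant-revoked) echo "az login --use-device-code" ;;
        ok)            echo "Graph token acquired; terraform plan can proceed" ;;
        *)             echo "unrecognised error; check the Azure AD error code reference" ;;
    esac
}

# preflight: try to mint a Graph token the way the provider needs it and print
# the class plus remedy. Returns 0 only when the token was actually issued.
preflight() {
    if ! command -v az >/dev/null 2>&1; then
        echo "az CLI not found in PATH" >&2
        return 2
    fi
    # Keep only stderr: the token JSON on stdout must never land in CI logs.
    err=$(az account get-access-token --scope https://graph.microsoft.com//.default 2>&1 >/dev/null)
    status=$?
    # A silent non-zero exit is still a failure; do not let it classify as "ok".
    if [ "$status" -ne 0 ] && [ -z "$err" ]; then err="az exited with status $status"; fi
    class=$(classify_aadsts "$err")
    echo "$class: $(remedy "$class")"
    [ "$class" = "ok" ]
}

# Run the live check only when invoked as `sh preflight.sh --run`, so the
# functions can also be sourced and exercised offline.
if [ "${1:-}" = "--run" ]; then
    preflight
fi
```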

What IAM role is needed to deploy `cron.yaml`?

I am attempting to deploy a cron.yaml file with gcloud app deploy with a service account that has the "GAE admin" role on my project.
It is apparently not sufficient to update my cron config. It seems I need to give the service account the "project editor" role to continue.
The error I got was:
ERROR: (gcloud.app.deploy) Server responded with code [403]:
Forbidden Unexpected HTTP status 403.
You do not have permission to modify this app
Is there a way to update cron.yaml without requiring the "project editor" role?
As documented here, to deploy cron.yaml, you need the "Cloud Scheduler > Cloud Scheduler Admin role".

Can't download data via appcfg.py. "Application Default Credentials are not available" error

This has worked for years. Today it is not working.
Running appcfg.py download_data --flags..., I cannot get properly authorized.
Ran gcloud auth login
and got back:
Saved Application Default Credentials.
You are now logged in as [correct@gmail.com].
Your current project is [correct].
but when I run appcfg.py download_data ... I get this error:
raise ApplicationDefaultCredentialsError(ADC_HELP_MSG)
oauth2client.client.ApplicationDefaultCredentialsError: The Application Default Credentials are not available. They are available if running in Google Compute Engine. Otherwise, the environment variable GOOGLE_APPLICATION_CREDENTIALS must be defined pointing to a file defining the credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.
I updated the Google Cloud SDK, and now get a different error:
client.py:539 Attempting refresh to obtain initial access_token
client.py:797 Refreshing access_token
Error 302: --- begin server output ---
--- end server output ---
I have also set the credentials in Terminal:
set GOOGLE_APPLICATION_CREDENTIALS "https://www.myurl/credentials.json"
set CLOUDSDK_PYTHON_SITEPACKAGES 1
gcloud config set project "correct_project_name"
I have also tried setting the env_variable flag in the appcfg command:
--env_variable=GOOGLE_APPLICATION_CREDENTIALS:"https://www.myurl/credentials.json"
Seems to be a GAE bug. Removing the login: admin from the remote_api handler in app.yaml fixes it in production, but not on the local dev server. The 302 was telling me that the app was trying to redirect, perhaps to a Google login page. I was never seeing the prompt asking for email and password.
handlers:
- url: /remote_api
  script: google.appengine.ext.remote_api.handler.application
  #login: admin <-- removing admin fixes it in production
  secure: always
On the dev server, removing the admin login yields this:
client.py:797 Refreshing access_token
Error 401: --- begin server output ---
You must be logged in as an administrator to access this.
--- end server output ---
Did Google change something in the --oauth2 workflow? I appear to be authorized, but the download crashes at the auth step.
Thanks.
Seems to be a bug in GoogleAppEngineLauncher-1.9.27, where it does not allow a login prompt. When reverting back to 1.9.26, it works. Interestingly, my gcloud components still have the 1.9.27 version:
$ gcloud version
Google Cloud SDK 0.9.83
alpha 2015.10.08
app 2015.10.16
app-engine-python 1.9.27
beta 2015.10.08
core 2015.10.16
core-nix 2015.09.03
gcloud 2015.10.16
Temporary solution: go to https://console.developers.google.com/storage/browser/appengine-sdks/featured/ to get version 1.9.26
Submitted bug report: https://code.google.com/p/google-cloud-sdk/issues/detail?id=340