Trying to upload a ssl certificate and private key file through the console and using sdk returns with the error message that i am not the administrator/owner for the domain(s), even though i have verified the domain(s) using webmaster and the owned websites are listed in the response.
gcloud app ssl-certificates create --certificate=tls.crt --display-name=harambee --private-key=tls.key
ERROR: (gcloud.app.ssl-certificates.create) User [yournamehere#harambeecloud.com] does not have permission to access app [app-project-id] (or it may not exist): Caller is not authorized to administer this certificate. You must be a verified owner of the certificate's domain(s) [www.harambee.mobi, www.harambee.co.za, harambee.co.za, www.vulindlelejozi.mobi, vulindlelejozi.co.za] to create, modify, or delete this resource. Your authorized domain(s) are [harambeecloud.com, harambee.mobi, harambee.co.za]. If you own the certificate domain(s), you can obtain authorization by verifying ownership via the Webmaster Central portal: https://www.google.com/webmasters/verification/verification.
Related
In Azure Active Directory I've registered a new app and given it the Read and create online meetings permissions. I've granted admin consent for the permission and now I'm trying to create a meeting through the command line.
I generated a client secret for the app.
Then I'm requesting a access token using my tenant GUID, client ID of the app and client secret I generated. This gives me back a jwt. When I decode the JWT amongst the roles I can see "OnlineMeetings.ReadWrite.All" which gives me hope that I can actually create meetings using this bearer token.
I then send a POST request to https://graph.microsoft.com/v1.0/users/<my-user-guid>/onlineMeetings
with the following body:
{
"startDateTime":"2021-03-16T14:33:30.8546353-07:00",
"endDateTime":"2021-03-16T15:03:30.8566356-07:00",
"subject":"Application Token Meeting",
"participants": {
"organizer": {
"identity": {
"user": {
"id": "<my-user-guid>"
}
}
}
}
}
and the response comes back with
"code": "Forbidden",
"message": "Application does not have permission to Create online meeting on behalf of this user.",
Am I missing something?
Edit:
As some of the comments have suggested I should create an application access policy. So I'm following the documentation which asks me to Connect using admin credentials
When i run Connect-MicrosoftTeams -Credential $userCredential with my account it fails with the following error:
Connect-MicrosoftTeams: accessing_ws_metadata_exchange_failed: Accessing WS metadata exchange failed: Response status code does not indicate success: 406 (NotAcceptable).
Connect-MicrosoftTeams: accessing_ws_metadata_exchange_failed: Accessing WS metadata exchange failed
Connect-MicrosoftTeams: Response status code does not indicate success: 406 (NotAcceptable).
Connect-MicrosoftTeams: : Unknown error
But this is what is confusing me. I don't really know if I'm trying to login with the correct account. I'm using my personal account on azure which is (afaik) not a business account with skype for business.
I'm running the commands to log in on the azure portal's PowerShell interface. Am I supposed to run this on my local machine instead?
I think I'm not fully understanding what all of the moving parts are that need configuration.
Can I add those application Access Policies in the azure portal interface somewhere?
According to the api documentation, make sure you grant the OnlineMeetings.ReadWrite.All application permission to the application. Then you need to use the client credential flow to obtain an access token.
Please note that when you create an online meeting with an application token, administrators must create an application access policy and grant it to a user, authorizing the app configured in the policy to create an online meeting on behalf of that user (user ID specified in the request path).
I have a user managed identity, for which I want to generate a token
I tried in user's context
az login
az account get-access-token --resource "<client-id of user managed identity>"
I get the error
Get Token request returned http error: 400 and server response: {"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID '04b07795-8ddb-461a-bbee-02f9e1bf7b46' named 'Microsoft Azure CLI'. Send an interactive authorization request for this user and resource.
Regarding the above error, I have come across threads which suggest to add Azure CLI as preAuthorizedApplication. However I did not find this managed identity in App RegistrationsI did find an entry in `Enterprise Applications, but did not find how to pre-authorize Azure CLI here.
I tried to achieve the same in a non-user context
az login --service-principal -u <capp-id> -p <client-secret> --tenant <tenant-id>
az account get-access-token --resource "<client-id of user managed identity>"
This works.
Why does the command fail in user context? How can I make it work?
Managed Identities do not have app registrations, only a service principal (aka enterprise app).
The way you are trying to use them is not the way they are meant to be used in my opinion.
The second one working is actually just the feature of Azure AD that allows an application using the client credentials flow (client id + secret) to acquire a token for any app in the tenant.
The token won't have any permissions though, so it wouldn't be valid if you are doing authorization correctly.
You usually don't want to use the managed identities as token targets, only for acquiring tokens.
So if you need to protect an API, you'd need an app registration, where you can then allow Az CLI to call it.
You can also define application permissions and allow applications using client credentials flow to access the API with proper authorization.
I'm trying to create a GCP App Engine domain mapping via Terraform with the following configuration:
provider "google" {
version = "3.36.0"
region = var.region
}
resource "google_app_engine_domain_mapping" "domain_mapping" {
project = local.project_id
domain_name = var.domain_name
ssl_settings {
ssl_management_type = "AUTOMATIC"
}
depends_on = [
google_app_engine_application.backend_app
]
}
Terraform is configured to use an organization level service account for the GCP provider with the following IAM permissions (no conditions):
Billing Account User
Project Creator
Service Config Editor (I've added this thinking it would resolve the issue based on this and this doc page.)
The Google account that is the owner of the organization has verified the domain in question, yet I'm getting the following error:
Error: Error creating DomainMapping: googleapi: Error 403: Caller is not authorized to administer the domain 'testing.redacted.com'. If you own 'testing.redacted.com', you can obtain authorization by verifying ownership of the domain, or any of its parent domains, via the Webmaster Central portal: https://www.google.com/webmasters/verification/verification?domain=testing.redacted.com. We recommend verifying ownership of the largest scope you wish to use with subdomains (eg. verify 'example.com' if you wish to map 'subdomain.example.com').
I've also tried adding the service account's email as a user in the Google Search Console to the domain to no avail.
The solution is rather simple but sort of hidden in the docs. You need to add your service account email as owner of the domain.
Go here
Select the property you want
Tap the "Add an owner" button at the bottom of the page and add the email address (e.g. terraform#<PROJECT_ID>.iam.gserviceaccount.com)
I am using a daemon auth API and I am able to get /groups but if try and use /groups/GROUPID/planner/plans I get a UnknownError and the message says
401 - Unauthorized: Access is denied due to invalid credentials.
You do not have permission to view this directory or page using the credentials
that you supplied.
I have Group.Read.All, Directory.Read.All, Group.ReadWrite.All, Directory.ReadWrite.All permissions as per the documentation. And I am using the https://learn.microsoft.com/en-us/graph/auth-v2-service?context=graph%2Fapi%2F1.0&view=graph-rest-1.0 (Get access without a user
) steps to get my token. I have got my administrator to click the Grant access (they are all "Granted").
Only planner stuff seem to be the issue (I can get, create, delete groups, and everything else) I am using v1.0 of the API and I tried beta both didn't work.
I checked my access token on jwt and it has
"roles": [
"Group.Read.All",
"Directory.ReadWrite.All",
"Group.ReadWrite.All",
"Directory.Read.All"
],
Which I assume means they are all there.
You are using client credentials flow which uses application permission. But GET /groups/{group-id}/planner/plans api doesn't support application permission. It needs delegated permissions. See the difference here.
I am trying to update a SSL certificate for a Google App Engine project via CLI:
gcloud app ssl-certificates update NNNN --project XXX --configuration XXX --display-name=xxx.co.za --certificate=./fullchain.pem --private-key=./privkey_gae.pem
This command used to work previously but I am now getting the following error:
ERROR: (gcloud.app.ssl-certificates.update) PERMISSION_DENIED: Caller is not authorized to administer this certificate. You must be a verified owner of the certificate's domain(s) [xxx.co.za, *.xxx.co.za] to create, modify, or delete this resource. Your authorized domain(s) are []. If you own the certificate domain(s), you can obtain authorization by verifying ownership via the Webmaster Central portal: https://www.google.com/webmasters/verification/verification.
This error does not make sense as the domains are verified according to the URL (as they are also the custom domain used by the app itself). Also this was working just last month, so it seems that something changed?
I found the issue. Domains are verified by an IAM user, but I use a different IAM/Service-account for the CI/CD server.
It seems that the security around accessing verified domains has changed, in that the Service-account will not automatically have access to the verified domains, even though the App does.
I was able to fix this issue by adding the service-account (jenkins#XXX-ci.iam.gserviceaccount.com) as verified owner here: https://www.google.com/webmasters/verification/verification