Azure / AppConfiguration

Questions, feedback and samples for Azure App Configuration service
MIT License

403 after adding options.SelectSnapshot #907

Closed vsarunov closed 6 months ago

vsarunov commented 7 months ago
My code:

    // Build the configuration gathered so far to read the "AppConfiguration" section,
    // then add the Azure App Configuration provider on top of it.
    var settings = config.Build();
    config.AddAzureAppConfiguration(options =>
    {
        var azureAppConfigurationSetting = new AzureAppConfigurationSettings();
        settings.GetSection("AppConfiguration").Bind(azureAppConfigurationSetting);

        options.Connect(new Uri($"https://{azureAppConfigurationSetting.Name}.azconfig.io"), new DefaultAzureCredential())
            .ConfigureRefresh(refresh =>
            {
                // A change to the "Sentinel" key refreshes all settings; cache for 5 seconds.
                refresh.Register("Sentinel", refreshAll: true)
                    .SetCacheExpiration(TimeSpan.FromSeconds(5));
            });

        // Load the named, versioned snapshot instead of the live key-values.
        options.SelectSnapshot($"{azureAppConfigurationSetting.SnapshotName}-{azureAppConfigurationSetting.SnapshotVersion}");

        // _refresher (IConfigurationRefresher) and _timer (System.Threading.Timer) are class fields.
        _refresher = options.GetRefresher();

        // Trigger a refresh every 30 seconds, starting 30 seconds after startup.
        _timer = new Timer(async (o) =>
        {
            await _refresher.RefreshAsync();
        }, null, TimeSpan.FromSeconds(30), TimeSpan.FromSeconds(30));
    });

After adding the line `options.SelectSnapshot` I am getting a 403, despite the permissions configured via the ARM template:

    "Roles": {
      "AppConfigurationDataReader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '516239f1-63e1-4d78-a4de-a74fb236a071')]"
    }
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "dependsOn": [
        "[resourceId('Microsoft.AppConfiguration/configurationStores', variables('ConfigStoreName'))]"
      ],
      "apiVersion": "2020-04-01-preview",
      "name": "[guid(resourceGroup().id, variables('ManagedIdentityName'), variables('ConfigStoreName'), variables('Roles').AppConfigurationDataReader)]",
      "scope": "[concat('Microsoft.AppConfiguration/configurationStores/', variables('ConfigStoreName'))]",
      "properties": {
        "roleDefinitionId": "[variables('Roles').AppConfigurationDataReader]",
        "principalId": "[reference(resourceId(variables('ManagedIdentityResourceGroupName'), 'Microsoft.ManagedIdentity/userAssignedIdentities', variables('ManagedIdentityName')), '2018-11-30').principalId]"
      }
    },
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "dependsOn": [
        "[resourceId('Microsoft.AppConfiguration/configurationStores', variables('ConfigStoreName'))]"
      ],
      "apiVersion": "2020-04-01-preview",
      "name": "[guid(resourceGroup().id, variables('BackendEngineersGroupObjectId'), variables('ConfigStoreName'), variables('Roles').AppConfigurationDataReader)]",
      "scope": "[concat('Microsoft.AppConfiguration/configurationStores/', variables('ConfigStoreName'))]",
      "properties": {
        "roleDefinitionId": "[variables('Roles').AppConfigurationDataReader]",
        "principalId": "[variables('BackendEngineersGroupObjectId')]"
      }
    }

Removing the line and accessing the configuration directly, not via a snapshot, works fine.

My understanding is that Data Reader should have read access to snapshots, based on this: https://learn.microsoft.com/en-us/azure/azure-app-configuration/concept-snapshots#:~:text=Read%20and%20list%20snapshots and this: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/integration#app-configuration-data-reader

I am using the 7.x version of the NuGet package, and the composition of the snapshot is Key (default).

jimmyca15 commented 6 months ago

@vsarunov When a role is added it can take ~15 minutes for the role to propagate. Can you confirm that it's still occurring to rule out the possibility of the role not being propagated yet?

jayaraut commented 6 months ago

I'm experiencing the same issue. It's been half a day since the snapshot was created, and the roles for Azure Data Reader and Azure Data Owner have been added for quite some time.

jimmyca15 commented 6 months ago

@jayaraut

So you are also able to successfully read settings if you remove SelectSnapshot, but adding SelectSnapshot causes failure?

jayaraut commented 6 months ago

Yes, I am able to read from the Azure App Config, but when I created a snapshot and wanted to read it using SelectSnapshot, it breaks with a 403 exception.

jimmyca15 commented 6 months ago

@jayaraut

I am not able to reproduce this issue, but I want to try to pin down what the problem could be.

First, are you able to run the following with Azure CLI?

az login
az account set -s "<Target subscription id>"
az role definition list -n "App Configuration Data Owner"

If so, can you confirm the output has the following?

    "permissions": [
      {
        "actions": [],
        "condition": null,
        "conditionVersion": null,
        "dataActions": [
          "Microsoft.AppConfiguration/configurationStores/*/read",
          "Microsoft.AppConfiguration/configurationStores/*/write",
          "Microsoft.AppConfiguration/configurationStores/*/delete",
          "Microsoft.AppConfiguration/configurationStores/*/action"
        ],
jayaraut commented 6 months ago

I have the permissions you mentioned above.

jimmyca15 commented 6 months ago

@jayaraut Are you running this in Visual Studio / VS Code? Or is this deployed to Azure and running with a managed identity?

jayaraut commented 6 months ago

I am currently running it in Visual Studio using my Visual Studio identity. But I have a managed identity for the deployed code. Both the managed identity and my Visual Studio login identity have the same App Configuration Data Owner role.

jimmyca15 commented 6 months ago

I believe I know what the issue is, and I suspect it is server side. I don't expect this will be an issue if you are deployed to Azure and running with a managed identity. But indeed, if what I suspect is true, the setup you have described will be broken.

I will attempt to reproduce to confirm and if I do confirm I can discuss details of resolution.

Edit: Just want to mention, I don't believe this would have ever worked. I don't expect it's a regression.

jimmyca15 commented 6 months ago

I have confirmed the issue. This occurs when using a Visual Studio login to access snapshots. This occurs when running in Visual Studio and using either VisualStudioCredential or DefaultAzureCredential (only while running in Visual Studio) for authentication.

This is not a regression, but rather this specific scenario was never enabled. A service update will be made to enable this scenario.

To work around this issue that can occur when running from Visual Studio, AzureCliCredential can be used. This does require downloading and logging in to the Azure CLI.
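
One way to wire that workaround into the provider, as an added example that is not code from the issue or from the Azure/AppConfiguration repository: use `AzureCliCredential` on a developer machine and `ManagedIdentityCredential` when deployed, and when the data-plane read is denied, report which credential type, store and snapshot were involved so the failing combination is visible. A 403 here means the token was accepted but the data-plane authorization check failed, which is what distinguishes this case from a credential that could not obtain a token at all. The environment variable names, the `DOTNET_ENVIRONMENT` switch and the assumption that the provider surfaces the denial as `Azure.RequestFailedException` with `Status == 403` are my choices, not something the thread specifies.

```csharp
using System;
using Azure;
using Azure.Core;
using Azure.Identity;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Configuration.AzureAppConfiguration;

// Added example, not code from the issue or the provider repository.
// Assumed inputs (hypothetical names chosen for this example):
//   APPCONFIG_ENDPOINT   e.g. https://<store>.azconfig.io
//   APPCONFIG_SNAPSHOT   name of the snapshot to load
//   DOTNET_ENVIRONMENT   "Development" on a dev box, anything else when deployed
//   AZURE_CLIENT_ID      client ID of a user-assigned managed identity (optional)
public static class SnapshotConfig
{
    public static TokenCredential BuildCredential()
    {
        var env = Environment.GetEnvironmentVariable("DOTNET_ENVIRONMENT");
        if (string.Equals(env, "Development", StringComparison.OrdinalIgnoreCase))
        {
            // Workaround named in the thread: a token from `az login` works for
            // snapshot reads, whereas the Visual Studio login did not at the time.
            return new AzureCliCredential();
        }

        // Deployed: use the managed identity, pinned to a client ID when one is set,
        // so a pod with several identities cannot silently pick the wrong one.
        var clientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID");
        return string.IsNullOrEmpty(clientId)
            ? new ManagedIdentityCredential()
            : new ManagedIdentityCredential(clientId);
    }

    public static IConfigurationRoot Load()
    {
        var endpoint = new Uri(Environment.GetEnvironmentVariable("APPCONFIG_ENDPOINT")
            ?? throw new InvalidOperationException("APPCONFIG_ENDPOINT is not set"));
        var snapshot = Environment.GetEnvironmentVariable("APPCONFIG_SNAPSHOT")
            ?? throw new InvalidOperationException("APPCONFIG_SNAPSHOT is not set");
        var credential = BuildCredential();

        try
        {
            return new ConfigurationBuilder()
                .AddAzureAppConfiguration(options =>
                {
                    options.Connect(endpoint, credential);
                    // Read the snapshot rather than the live key-values.
                    options.SelectSnapshot(snapshot);
                })
                .Build();
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // Authenticated but not authorized on the data plane: say exactly
            // which principal type, store and snapshot were denied, then rethrow.
            Console.Error.WriteLine(
                $"403 reading snapshot '{snapshot}' from {endpoint} using {credential.GetType().Name}. " +
                "Check that App Configuration Data Reader/Owner is assigned at the store scope, " +
                "allow roughly 15 minutes for propagation, and avoid the Visual Studio login for snapshot reads.");
            throw;
        }
    }
}
```

Before suspecting the client, confirm the assignment exists at the store scope for the principal that actually runs the code: `az role assignment list --scope <configuration store resource id> --assignee <principal object id>` lists what is assigned there, and the `dataActions` shown earlier in this thread for the role must include the `.../read` action.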

samgovier commented 6 months ago

Hey @jimmyca15 , I work with @jayaraut , just wanted to say thank you for your quick work on this. We just started implementing Azure App Configuration at our org and this will help immensely in our developers' workflows. Have a great weekend!

jayaraut commented 6 months ago

@jimmyca15, can you please let us know under this thread when the service update enabling this scenario is completed, as I want to use DefaultAzureCredential in my code.

jimmyca15 commented 6 months ago

Yes.

jimmyca15 commented 6 months ago

This should be fixed now.

jayaraut commented 6 months ago

Thanks, this is working now!

vsarunov commented 3 months ago

Hi @jimmyca15, thank you for looking into this. Apologies for not replying in a timely fashion. I can confirm that locally it indeed worked fine for me with MSI; it was failing when deployed to AKS. The pod had the MSI identity correctly assigned. I will retry and see if it is now resolved.