Closed Paqi closed 4 years ago
I'm not sure the token can be generated locally. Could you share your token with us? Ensure the token is expired before sharing it with us.
Another approach is that you can try Invoke-RestMethod to verify your token.
@dingmeng-xue Yes, SAS Tokens can be generated locally. Searching for "Azure Generate SAS Token" will yield several examples.
Here is an expired token I generated using the example script I shared in my post above:
SharedAccessSignature uid=integration&ex=2020-07-31T13:12:52.4713452Z&sn=J5P39xggTT3KYo0TrZeqa74xmHtQbR0LCDU6BQhEsdMtZHioJD0vJY3ZF74aZTxLsZ2w6mekw64+HiZ79xPVlw==
Like I said in that post, I have already verified these tokens are valid by executing a REST request to our APIM tenant. I verified this SAS token I'm sharing worked for that request as well.
A SAS token is for storage, but it is not for connecting to Azure. The access token of Azure PowerShell is used for Azure AD.
@dingmeng-xue I don't understand, can you elaborate? I've seen usages of SAS tokens to access things other than storage. For example, the Azure API Management REST API uses SAS tokens to authenticate requests: https://docs.microsoft.com/en-us/rest/api/apimanagement/apimanagementrest/api-management-rest#Authentication
Here is the parameter set I'm using for Connect-AzAccount:
Connect-AzAccount
[-Environment <String>]
[-Tenant <String>]
-AccessToken <String>
[-GraphAccessToken <String>]
[-KeyVaultAccessToken <String>]
-AccountId <String>
[-Subscription <String>]
[-ContextName <String>]
[-SkipValidation]
[-SkipContextPopulation]
[-Force]
[-Scope <ContextModificationScope>]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Source: https://docs.microsoft.com/en-us/powershell/module/az.accounts/connect-azaccount?view=azps-4.4.0
What does this parameter set expect to be passed into the AccessToken parameter? Something other than a SAS Token?
Here's some additional context that may be helpful:
I have a script that is run by an automated build process. That script needs to use the following cmdlets:
Set-AzContext
New-AzApiManagementContext
Get-AzApiManagementTenantGitAccess
Invoke-AzResourceAction
Before I can use those cmdlets, I need to use Connect-AzAccount. Because this script is run by an automated process, we can't use an interactive interface to provide Azure AD credentials. That's why I need to know what to pass into the AccessToken parameter. The documentation I have read has led me to believe this should be a SAS Token, but if I should be using something else, please let me know what kind of token is expected by Connect-AzAccount.
@rabrahamOpti, a token contains audience and scope information. Since the SAS token and the ARM token used by Azure PowerShell are different, you cannot use a SAS token to access Azure resource management endpoints.
For your case, the correct way is to create a service principal or managed identity and then run Connect-AzAccount using that account in the automation environment. Please search for "azure service principal"; there are many docs around it.
Hi @dingmeng-xue
I just rechecked the documentation for Connect-AzAccount. Connecting to a service principal account seems to use a different parameter set than the parameter set that uses AccessToken.
Could you please tell me what type of token should be passed into the AccessToken parameter?
Here is the documentation for connecting to the service principal account. Note that it does not include the AccessToken parameter:
Example 3: Connect to Azure using a service principal account
The first command prompts for service principal credentials and stores them in the $Credential variable. Enter your application ID for the username and service principal secret as the password when prompted. The second command connects the specified Azure tenant using the service principal credentials stored in the $Credential variable. The ServicePrincipal switch parameter indicates that the account authenticates as a service principal.

$Credential = Get-Credential
Connect-AzAccount -Credential $Credential -Tenant 'xxxx-xxxx-xxxx-xxxx' -ServicePrincipal

Account             SubscriptionName TenantId            Environment
-------             ---------------- --------            -----------
xxxx-xxxx-xxxx-xxxx Subscription1    xxxx-xxxx-xxxx-xxxx AzureCloud
Edit: This would be the way to do it in an automated process. It also does not use AccessToken.
Example 7: Connect using certificates
This example connects to an Azure account using certificate-based service principal authentication. The service principal used for authentication must be created with the specified certificate. For more information on creating a self-signed certificate and assigning it permissions, see Use Azure PowerShell to create a service principal with a certificate.

$Thumbprint = '0SZTNJ34TCCMUJ5MJZGR8XQD3S0RVHJBA33Z8ZXV'
$TenantId = '4cd76576-b611-43d0-8f2b-adcb139531bf'
$ApplicationId = '3794a65a-e4e4-493d-ac1d-f04308d712dd'
Connect-AzAccount -CertificateThumbprint $Thumbprint -ApplicationId $ApplicationId -Tenant $TenantId -ServicePrincipal

Account             SubscriptionName TenantId            Environment
-------             ---------------- --------            -----------
xxxx-xxxx-xxxx-xxxx Subscription1    xxxx-xxxx-xxxx-xxxx AzureCloud

Account          : 3794a65a-e4e4-493d-ac1d-f04308d712dd
SubscriptionName : MyTestSubscription
SubscriptionId   : 85f0f653-1f86-4d2c-a9f1-042efc00085c
TenantId         : 4cd76576-b611-43d0-8f2b-adcb139531bf
Environment      : AzureCloud
Can you please point me to an example of using the following parameter set?
Connect-AzAccount
[-Environment <String>]
[-Tenant <String>]
-AccessToken <String>
[-GraphAccessToken <String>]
[-KeyVaultAccessToken <String>]
-AccountId <String>
[-Subscription <String>]
[-ContextName <String>]
[-SkipValidation]
[-SkipContextPopulation]
[-MaxContextPopulation <Int32>]
[-Force]
[-Scope <ContextModificationScope>]
[-DefaultProfile <IAzureContextContainer>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
@rabrahamOpti, here is a doc for app and service principal creation. Then you can add a secret to that app. Once you follow the steps, you can use the example below. The credential is the combination of app id and secret. A certificate is a similar way, and you need to create a certificate with a private key for it.
Connect-AzAccount -Credential $Credential -Tenant 'xxxx-xxxx-xxxx-xxxx' -ServicePrincipal
AccessToken is normally used by Cloud Solution Providers because they can get an access token via Partner Center and then access resources owned by their customers. If you are not a CSP, one way you can try an access token is to copy the token from a Fiddler recording or Chrome Developer Tools. But it's not the correct way for a normal job.
@dingmeng-xue could you describe for me what to look for in the Chrome debugger to see what this token looks like? I'd like to look.
Actually, it's out of our scope. The information can be found on the internet. The two links below are for your reference:
https://developers.google.com/web/tools/chrome-devtools/network/reference
http://www.infinitepartitions.com/cgi-bin/showarticle.cgi?article=art034
I'm closing this issue now.
@dingmeng-xue I know how to use the Chrome debugger. Can you tell me what header to look for? I want to see what the format of that token is.
It should be authorization: Bearer ..... in the request header.
Another approach is that you can leverage Azure CLI. Once you az login, you can get an access token by az account get-access-token.
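The following script is an added example written for this page; it is not code from the issue author or from the Az.Accounts project. It puts the maintainer's two suggestions side by side for a build agent: sign in non-interactively with a service principal, or obtain an Azure Resource Manager bearer token from Azure CLI and hand it to the AccessToken parameter set. It also decodes the token's payload so you can check the audience claim yourself, which is the point being made about SAS tokens: an APIM SAS token is not a JWT and carries no ARM audience, so Connect-AzAccount rejects it. The environment variable names (AZ_APP_ID, AZ_APP_SECRET, AZ_TENANT_ID), the Get-JwtClaims helper and the list of accepted audience values are assumptions made for this example.

```powershell
# Added example, not from the original issue. Assumes the build agent exposes the
# service principal's app id, client secret and tenant id as masked pipeline
# variables named AZ_APP_ID, AZ_APP_SECRET and AZ_TENANT_ID (names chosen here).
$appId    = $env:AZ_APP_ID
$tenantId = $env:AZ_TENANT_ID
$secret   = ConvertTo-SecureString -String $env:AZ_APP_SECRET -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($appId, $secret)

# Option A: let Az.Accounts acquire the Azure AD token for you.
# This is the -ServicePrincipal parameter set shown in the docs above; no AccessToken needed.
Connect-AzAccount -ServicePrincipal -Credential $credential -Tenant $tenantId | Out-Null

# Option B: obtain an ARM bearer token elsewhere and pass it to the AccessToken parameter set.
# Here the token comes from Azure CLI (already signed in with `az login --service-principal`).
# AccountId is the identity the token was issued to (the app id), not an APIM tenant identifier.
$armToken = az account get-access-token --resource https://management.azure.com/ --query accessToken -o tsv
Connect-AzAccount -AccessToken $armToken -AccountId $appId -Tenant $tenantId | Out-Null

# Helper (assumed, not part of Az.Accounts): decode the unsigned payload of a JWT.
# Decoding is only for inspection; signature verification is done by the service, not here.
function Get-JwtClaims {
    param([Parameter(Mandatory)][string]$Jwt)
    $parts = $Jwt.Split('.')
    if ($parts.Count -lt 2) {
        # A SAS token ("SharedAccessSignature uid=...&ex=...&sn=...") fails here: it is not header.payload.signature.
        throw 'Not a JWT: expected header.payload.signature'
    }
    # JWT payloads are base64url without padding; convert to standard base64 before decoding.
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    $json = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($payload))
    return $json | ConvertFrom-Json
}

# Check the audience before relying on the token: ARM tokens name the Resource Manager endpoint.
# (Assumed accepted values for this example; Azure may also issue the ARM application id as aud.)
$expectedAud = @('https://management.azure.com/', 'https://management.core.windows.net/')
$claims = Get-JwtClaims -Jwt $armToken
if ($claims.aud -notin $expectedAud) {
    throw "Token audience '$($claims.aud)' is not Azure Resource Manager; Connect-AzAccount will reject it"
}
$expiry = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp)
"aud={0} appid={1} tid={2} exp={3:u}" -f $claims.aud, $claims.appid, $claims.tid, $expiry
```

Run Get-JwtClaims against the SAS token quoted earlier in this thread and it throws, because that string has no dot-separated JWT structure; run it against the CLI token and you see aud, appid and tid, which is the "audience and scope information" the maintainer refers to. Treat the decoded value as a bearer credential: do not echo it into build logs, and keep the CLI and Az contexts in the same job so the token is not written to disk.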
Got it. Great, thank you for your help!
Description
I want to use Connect-AzAccount to connect to my APIM tenant. I'm using the parameter set that uses AccessToken and AccountId. I'm generating a SAS Token that I'm passing into the AccessToken parameter, and I'm passing in the string of the AccountId for my APIM tenant. I looked up the AccountId on this page: https://resources.azure.com/
When I run my script, I encounter an error that reads:
Connect-AzAccount : The access token is invalid.
I'm sure the generated SAS Token is valid, because I'm able to successfully use it in the Authorization header of this APIM REST API request: https://{APIM TENANT NAME}.azure-api.net/loggers/?api-version=2017-03-01
Steps to reproduce
Environment data
Module versions
Debug output
Error output