Azure / azure-sdk-for-js

This repository is for active development of the Azure SDK for JavaScript (NodeJS & Browser). For consumers of the SDK we recommend visiting our public developer docs at https://docs.microsoft.com/javascript/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-js.

AuthenticationError: EnvironmentCredential authentication failed, invalid_resource: 500011 : AADSTS500011 #30292

Closed qingbojin closed 4 months ago

qingbojin commented 4 months ago

Describe the bug

One of the customers tried to use monitor-query to query Log Analytics, but is getting an error: AuthenticationError: EnvironmentCredential authentication failed. invalid_resource: 500011 - [2024-07-03 23:06:26Z]: AADSTS500011: The resource principal named https://api.loganalytics.azure.cn/.default was not found in the tenant named Test_Test_CSSMooncake. They are using the example: https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/monitor/monitor-query/samples/v1/javascript/logsQuery.js

To Reproduce Steps to reproduce the behavior:

  1. .env file

image

Code example below:

  const { DefaultAzureCredential, EnvironmentCredential, ClientSecretCredential, AzureAuthorityHosts } = require("@azure/identity");
  const { Durations, LogsQueryClient, LogsQueryResultStatus, ClientSecretCredentialOptions } = require("@azure/monitor-query");
  require("dotenv").config();

  const monitorWorkspaceId = process.env.MONITOR_WORKSPACE_ID;

  async function main() {
    const credential = new DefaultAzureCredential();

    // Azure China endpoint; the audience below is the value that triggers AADSTS500011.
    const logsQueryClient = new LogsQueryClient(credential, {
      endpoint: "https://api.loganalytics.azure.cn/v1",
      audience: "https://api.loganalytics.azure.cn/.default",
    });

    if (!monitorWorkspaceId) {
      throw new Error("MONITOR_WORKSPACE_ID must be set in the environment for this sample");
    }
    const kustoQuery =
      "AppEvents | project TimeGenerated, Name, AppRoleInstance | order by TimeGenerated asc | limit 10";

    console.log(`Running '${kustoQuery}' over the last One Hour`);

    const queryLogsOptions = {
      // explicitly control the amount of time the server can spend processing the query.
      serverTimeoutInSeconds: 600,
      // optionally enable returning additional statistics about the query's execution.
      // (by default this is off)
      includeQueryStatistics: true,
    };

    console.log('flag5');
    // Corrected timespan format
    const timespan = {
      start: new Date(new Date().valueOf() - 60 * 60 * 1000), // 1 hour ago
      end: new Date(),
    };

    const result = await logsQueryClient.queryWorkspace(
      monitorWorkspaceId,
      kustoQuery,
      // The timespan is an ISO8601 formatted time (or interval). Some common aliases
      // are available (like OneDay, OneHour, FortyEightHours, etc..) but any properly formatted ISO8601
      // value is valid.
      { duration: Durations.oneHour },
      queryLogsOptions
    );
  }

  // Report failures with the same prefix that appears in the stack trace below.
  main().catch((err) => {
    console.error("The sample encountered an error:", err);
    process.exit(1);
  });

Expected behavior

Should be able to see the Log Analytics query result.

Screenshots If applicable, add screenshots to help explain your problem. image

Additional context

full stack error:

The sample encountered an error: AuthenticationError: EnvironmentCredential authentication failed. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot.
Status code: 400
More details:
invalid_resource: 500011 - [2024-07-04 00:01:36Z]: AADSTS500011: The resource principal named https://api.loganalytics.azure.cn/.default was not found in the tenant named Test_Test_CSSMooncake. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant. Trace ID: 6ee46463-0f61-41eb-843f-c983c4611600 Correlation ID: 74721357-86ff-4c61-b89a-3c292db85b53 Timestamp: 2024-07-04 00:01:36Z - Correlation ID: 74721357-86ff-4c61-b89a-3c292db85b53 - Trace ID: 6ee46463-0f61-41eb-843f-c983c4611600
    at C:\working\monitor\javascriptMonitorQuery\node_modules\@azure\identity\dist\index.js:3673:49
    at process.processTicksAndRejections (c:\working\monitor\javascriptMonitorQuery\lib\internal\process\task_queues.js:95:5)
    at async Object.withSpan (C:\working\monitor\javascriptMonitorQuery\node_modules\@azure\core-tracing\dist\commonjs\tracingClient.js:36:28)
    at async C:\working\monitor\javascriptMonitorQuery\node_modules\@azure\identity\dist\index.js:3340:29
    at async Object.withSpan (C:\working\monitor\javascriptMonitorQuery\node_modules\@azure\core-tracing\dist\commonjs\tracingClient.js:36:28)
    at async DefaultAzureCredential.getToken (C:\working\monitor\javascriptMonitorQuery\node_modules\@azure\identity\dist\index.js:3330:27)
    at async tryGetAccessToken (C:\working\monitor\javascriptMonitorQuery\node_modules\@azure\core-rest-pipeline\dist\commonjs\util\tokenCycler.js:36:32)
    at async beginRefresh (C:\working\monitor\javascriptMonitorQuery\node_modules\@azure\core-rest-pipeline\dist\commonjs\util\tokenCycler.js:44:17)
    at async Object.defaultAuthorizeRequest [as authorizeRequest] (C:\working\monitor\javascriptMonitorQuery\node_modules\@azure\core-rest-pipeline\dist\commonjs\policies\bearerTokenAuthenticationPolicy.js:21:25)
    at async Object.sendRequest (C:\working\monitor\javascriptMonitorQuery\node_modules\@azure\core-rest-pipeline\dist\commonjs\policies\bearerTokenAuthenticationPolicy.js:72:13) {statusCode: 400, errorResponse: {…}, name: 'AuthenticationError', stack: 'AuthenticationError: EnvironmentCredential au…es\bearerTokenAuthenticationPolicy.js:72:13)', message: 'EnvironmentCredential authentication failed.…ace ID: 6ee46463-0f61-41eb-843f-c983c4611600'}

github-actions[bot] commented 4 months ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @AzmonActionG @AzmonAlerts @AzMonEssential @AzmonLogA @dadunl @SameergMS.

jeremymeng commented 4 months ago

/cc @KarishmaGhiya @maorleger for EnvironmentCredential authentication errors.

qingbojin commented 4 months ago

@hectorhdzg Could you please take a look? I can provide testing code and credentials to you through MS Teams. Please let me know. Thanks for helping.

hectorhdzg commented 4 months ago

@qingbojin this looks like an error related to the authentication not the monitor query package, I do not own either of the packages involved, so hopefully @maorleger can help here.

maorleger commented 4 months ago

Hey @qingbojin - looking at the error this looks like a permissions / configuration issue that the Azure Identity library is surfacing, but the identity library is behaving as expected. I would suggest tackling this from the configuration side but I unfortunately am not an expert in that area.

Some resources I can share that may be helpful are our troubleshooting guide. Consider enabling verbose logging and looking through the logs to see what values you are sending and ensure they are correct.

Hope this helps, but like I mentioned it does appear the Azure Identity SDK is behaving as expected. I am hopeful that the troubleshooting guide + verbose logs can help you work through the configuration needed 👍

github-actions[bot] commented 4 months ago

Hi @qingbojin. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text "/unresolve" to remove the "issue-addressed" label and continue the conversation.

qingbojin commented 4 months ago

/unresolve @maorleger Thanks for your comment. But I used the same identity and it works for both Python SDK and Java SDK. Please check the screenshot below.
Currently only JS SDK doesn't work for China region. I can send you the source code zip file so you can take a look. Let me know what you think, thanks.

image

image

maorleger commented 4 months ago

@qingbojin sure I can take a look - could you send me please:

You may send it via teams or email if preferred. Thanks!

github-actions[bot] commented 4 months ago

Hi @qingbojin. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

qingbojin commented 4 months ago

Hello @maorleger , I sent you the source code through email, please check, thanks.

maorleger commented 4 months ago

Hi @qingbojin - thank you so much for sending this over! In your sample you want to change

  const logsQueryClient = new LogsQueryClient(credential , {
    endpoint: "https://api.loganalytics.azure.cn/v1"   
    ,audience: "https://api.loganalytics.azure.cn/.default",
  });

To

  const logsQueryClient = new LogsQueryClient(credential , {
    endpoint: "https://api.loganalytics.azure.cn/v1"   
    ,audience: "https://api.loganalytics.azure.cn",
  });

And it should work as expected. Please do try it and let me know if this resolves your issue! I am going to mark this as addressed for tracking purposes, but feel free to unresolve as before. Thanks!
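Why the `/.default` suffix produced AADSTS500011, as an added example that is not code from the SDK or from anyone in this thread. It assumes the client builds the token scope by appending `/.default` to `audience`, and that for the Log Analytics endpoints discussed here the audience is the endpoint's origin; all function names are hypothetical.

```javascript
// Added example; helper names are hypothetical, not part of @azure/monitor-query.
const DEFAULT_SUFFIX = "/.default";

// Assumption: the client requests a token for `${audience}/.default`.
function scopeFor(audience) {
  return audience + DEFAULT_SUFFIX;
}

// The resource principal named in the error is the scope minus one trailing "/.default".
function resourceFromScope(scope) {
  return scope.endsWith(DEFAULT_SUFFIX)
    ? scope.slice(0, -DEFAULT_SUFFIX.length)
    : scope;
}

// Assumption (Log Analytics endpoints in this thread): audience = origin of the endpoint.
function audienceFromEndpoint(endpoint) {
  return new URL(endpoint).origin;
}

// Turn a scope-style value into a bare audience by removing trailing
// "/.default" segments and slashes, however many were pasted in.
function normalizeAudience(audience) {
  let value = audience.trim();
  for (;;) {
    if (value.endsWith(DEFAULT_SUFFIX)) {
      value = value.slice(0, -DEFAULT_SUFFIX.length);
    } else if (value.endsWith("/")) {
      value = value.slice(0, -1);
    } else {
      return value;
    }
  }
}

// Pre-flight check for an endpoint/audience pair; returns human-readable findings.
function checkAudience(endpoint, audience) {
  const findings = [];
  const normalized = normalizeAudience(audience);
  if (normalized !== audience) {
    const resource = resourceFromScope(scopeFor(audience));
    findings.push(
      `audience "${audience}" asks for resource "${resource}"; use "${normalized}"`
    );
  }
  try {
    const audienceHost = new URL(normalized).host;
    const endpointHost = new URL(endpoint).host;
    if (audienceHost !== endpointHost) {
      findings.push(
        `audience host "${audienceHost}" differs from endpoint host "${endpointHost}" (wrong cloud?)`
      );
    }
  } catch (err) {
    findings.push(`audience or endpoint is not a valid URL: ${err.message}`);
  }
  return findings;
}

// Values from the thread: the failing configuration, then the corrected one.
const endpoint = "https://api.loganalytics.azure.cn/v1";
console.log(checkAudience(endpoint, "https://api.loganalytics.azure.cn/.default"));
console.log(checkAudience(endpoint, "https://api.loganalytics.azure.cn"));
```

Running such a check before constructing the client catches the doubled suffix locally instead of at the token endpoint.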


qingbojin commented 4 months ago

@maorleger Great news. I just did a few tests, the query is working now. Thanks a lot.

maorleger commented 4 months ago

Glad we could figure it out! Feel free to reach out any time

jeremymeng commented 4 months ago

Looks like Java and Python don't require passing audience and can infer it from endpoint? audience is optional in the JavaScript SDK too. @qingbojin would it work if you don't pass audience?

npitsillos commented 2 months ago

Hello I am facing a similar issue and thought this might be the best place to ask. My use case is that I have an application running in an AKS cluster and I am trying to access a storage account to read its contents. Things I have tried:

  1. Service Principal with environment variables set and the role correctly set to Storage Blob Data Contributor for the service principal.
  2. Managed Identity Credential with the AKS cluster's default managed identity.
  3. Service Connector sample found here

All my attempts fail with Network unreachable. I am also attaching the logs of the error here.

Listening on http://0.0.0.0:3000
[nuxt] [request error] [unhandled] [500] ChainedTokenCredential authentication failed.
CredentialUnavailableError: EnvironmentCredential is unavailable. No underlying credential could be used. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot.
CredentialUnavailableError: WorkloadIdentityCredential: is unavailable. tenantId, clientId, and federatedTokenFilePath are required parameters. 
      In DefaultAzureCredential and ManagedIdentityCredential, these can be provided as environment variables - 
      "AZURE_TENANT_ID",
      "AZURE_CLIENT_ID",
      "AZURE_FEDERATED_TOKEN_FILE". See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot  
CredentialUnavailableError: ManagedIdentityCredential: Network unreachable. Message: network_error: Network request failed
CredentialUnavailableError: Azure CLI could not be found. Please visit https://aka.ms/azure-cli for installation instructions and then, once installed, authenticate to your Azure account using 'az login'.
CredentialUnavailableError: Error: Unable to execute PowerShell. Ensure that it is installed in your system. To troubleshoot, visit https://aka.ms/azsdk/js/identity/powershellcredential/troubleshoot.
CredentialUnavailableError: Azure Developer CLI couldn't be found. To mitigate this issue, see the troubleshooting guidelines at https://aka.ms/azsdk/js/identity/azdevclicredential/troubleshoot.
  CredentialUnavailableError: Error: Unable to execute PowerShell. Ensure that it is installed in your system. To troubleshoot, visit https://aka.ms/azsdk/js/identity/powershellcredential/troubleshoot.  
  CredentialUnavailableError: Azure Developer CLI couldn't be found. To mitigate this issue, see the troubleshooting guidelines at https://aka.ms/azsdk/js/identity/azdevclicredential/troubleshoot.  
  at ./.output/server/chunks/_/base.mjs:3074:30  
  at process.processTicksAndRejections (node:internal/process/task_queues:95:5)  
  at async Object.withSpan (./.output/server/node_modules/@azure/core-tracing/dist/esm/tracingClient.js:33:28)  
  at async DefaultAzureCredential.getToken (./.output/server/chunks/_/base.mjs:3049:28)  
  at async tryGetAccessToken (./.output/server/node_modules/@azure/core-rest-pipeline/dist/commonjs/util/tokenCycler.js:37:32)  
  at async beginRefresh (./.output/server/node_modules/@azure/core-rest-pipeline/dist/commonjs/util/tokenCycler.js:45:17)  
  at async Object.defaultAuthorizeRequest [as authorizeRequest] (./.output/server/node_modules/@azure/core-rest-pipeline/dist/commonjs/policies/bearerTokenAuthenticationPolicy.js:22:25)  
  at async Object.sendRequest (./.output/server/node_modules/@azure/core-rest-pipeline/dist/commonjs/policies/bearerTokenAuthenticationPolicy.js:73:13)  
  at async Object.sendRequest (./.output/server/node_modules/@azure/core-rest-pipeline/dist/commonjs/policies/redirectPolicy.js:26:30)  
  at async Object.sendRequest (./.output/server/node_modules/@azure/storage-blob/dist/index.js:1784:32)

From my understanding everything is set up correctly. Should there be some configuration in terms of allowing outbound rules to the IMDS service? I thought this was handled by default.

maorleger commented 2 months ago

Hey @npitsillos - thanks for reaching out. Have you checked out the TROUBLESHOOTING guide at https://aka.ms/azsdk/js/identity/troubleshoot? Enabling verbose logs should show you some additional information that may be helpful and is documented in the troubleshooting guide linked here.

The error message line ManagedIdentityCredential: Network unreachable. Message: network_error: Network request failed makes me think that your AKS workload isn't properly configured - I'd have expected WorkloadIdentityCredential to pick up the required environment variables in a deployed and configured AKS instance. You could check whether the required environment variables are properly set on the AKS cluster and debug from there.

I would recommend starting with enabling verbose logs (you can set the environment variable AZURE_LOG_LEVEL=verbose to enable verbose logs) and inspecting them carefully. If you know you're going to use ManagedIdentityCredential you could also, for debugging purposes, use ManagedIdentityCredential directly to eliminate a lot of unnecessary noise from DefaultAzureCredential. This isn't necessary, but I find it helpful when possible.

To summarize:

If you remain stuck, feel free to open a new issue and we will try to help!
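One way to triage the aggregated ChainedTokenCredential error discussed above, as an added example that is not part of the thread or of @azure/identity: it splits the error into per-credential entries and lists which environment variable names are still unset, never their values. The function names and the classification rules are hypothetical, and the sample text is constructed from the log lines posted above.

```javascript
// Added example; diagnoseChain and its rules are hypothetical, not an @azure/identity API.
// Variable sets read by the env-driven credentials in the chain (names only).
const ENV_REQUIREMENTS = {
  EnvironmentCredential: [
    ["AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET"],
    ["AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_CERTIFICATE_PATH"],
  ],
  WorkloadIdentityCredential: [
    ["AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_FEDERATED_TOKEN_FILE"],
  ],
};

// For one credential, return the shortest list of variable names still missing.
function missingEnv(credential, env) {
  let best = null;
  for (const names of ENV_REQUIREMENTS[credential] || []) {
    const missing = names.filter((name) => !env[name]);
    if (best === null || missing.length < best.length) best = missing;
  }
  return best || [];
}

// Split an aggregated chain error into distinct { credential, reason } entries.
// Lines that repeat (the log above prints some twice) are reported once.
function parseChainError(text) {
  const seen = new Set();
  const entries = [];
  for (const raw of text.split("\n")) {
    const m = raw.trim().match(/^CredentialUnavailableError:\s*(?:Error:\s*)?(.*)$/);
    if (!m || seen.has(m[1])) continue;
    seen.add(m[1]);
    const named = m[1].match(/^(\w+Credential)\b:?\s*(.*)$/);
    entries.push(
      named
        ? { credential: named[1], reason: named[2] }
        : { credential: null, reason: m[1] }
    );
  }
  return entries;
}

// Classify each named credential: network failure, missing configuration, or other.
function diagnoseChain(text, env) {
  return parseChainError(text)
    .filter((entry) => entry.credential !== null)
    .map((entry) => {
      const missing = missingEnv(entry.credential, env);
      let kind = "other";
      if (/network/i.test(entry.reason)) kind = "network";
      else if (missing.length > 0) kind = "not-configured";
      return { credential: entry.credential, kind, missing };
    });
}

// Constructed sample in the format of the log posted in this thread.
const SAMPLE_CHAIN_ERROR = [
  "[nuxt] [request error] [unhandled] [500] ChainedTokenCredential authentication failed.",
  "CredentialUnavailableError: EnvironmentCredential is unavailable. No underlying credential could be used.",
  "CredentialUnavailableError: WorkloadIdentityCredential: is unavailable. tenantId, clientId, and federatedTokenFilePath are required parameters.",
  "CredentialUnavailableError: ManagedIdentityCredential: Network unreachable. Message: network_error: Network request failed",
  "CredentialUnavailableError: Azure CLI could not be found.",
  "CredentialUnavailableError: ManagedIdentityCredential: Network unreachable. Message: network_error: Network request failed",
].join("\n");

// In a pod, pass process.env instead of the empty object used here.
console.log(diagnoseChain(SAMPLE_CHAIN_ERROR, {}));
```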

npitsillos commented 2 months ago

@maorleger thank you for the fast reply! I have gone over the troubleshooting guide and couldn't find documentation for the specific error I am facing, which makes sense since it's not something relating to the SDK itself I presume. Hence I apologise if this is not the appropriate place for my question here. I will try to enable verbose logs which is something I didn't try yet. For that do I simply set the variable export AZURE_LOG_LEVEL=verbose?

I will also try to use ManagedIdentityCredential to minimise the noise as you mentioned but in terms of the configuration is there a resource I can follow that shows what the correct environment configuration is?

FYI I also created an issue here since I am using the Service Connector, however, I had the same issue with using a Service Principal and setting the necessary environment variables.

maorleger commented 2 months ago

Yes, on a Linux machine you can set export AZURE_LOG_LEVEL=verbose; however, in an AKS environment you may need to set this variable in the kubeconfig.yaml or equivalent file that defines your pods and containers. You might check out the Kubernetes documentation on environment variables and apply a Kubernetes configuration that includes an entry for AZURE_LOG_LEVEL. Here's a smallish example:

apiVersion: v1
kind: Pod
metadata:
  name: envar-demo
  labels:
    purpose: demonstrate-envars
spec:
  containers:
  - name: envar-demo-container
    image: gcr.io/google-samples/hello-app:2.0
    env:
    - name: AZURE_LOG_LEVEL
      value: "verbose"

npitsillos commented 2 months ago

Thanks, on the kubernetes side I am confident just wanted to know the different level values. Thanks for your help here I'll look into this tomorrow and open a ticket if necessary.