Error : No such host is Known in Asp.net Core Application while configuring Azure key vault - asp.net-core-3.1

I am facing an issue while configuring Azure Key Vault in an ASP.NET Core Web API project.
Below is the code snippet as well as the error for reference. I tried to find the root cause but had no luck.
Error during Run() method execution.
Exception details
Please help me solve this issue. Thanks in advance.

It is mostly likely to be an issue on the .NET side, in .NET Core 3.0.100 or 3.1. This seems to occur mostly when running under the debugger in Visual Studio and when long parallel calls are made; a retry policy may help stop this from throwing an exception for some time while it tries again.
So please try to upgrade/update the .NET project SDK if any updates are available in Visual Studio.
Try running from the command line.
Also, in the error message you can see that the retry failed after 4 tries.
You can check the ReloadInterval property, which is used in 3.0 and 3.1:
    builder.AddAzureKeyVault(
        new Uri(Configuration["KeyVault:URI"]),
        new DefaultAzureCredential(
            new DefaultAzureCredentialOptions
            {
                ExcludeSharedTokenCacheCredential = true,
                VisualStudioTenantId = Configuration["AzureAd:TenantId"]
            }),
        new AzureKeyVaultConfigurationOptions()
        {
            ReloadInterval = TimeSpan.FromMinutes(15)
        }
    );
You could try catching this exception and implementing a retry mechanism in your code, so that when this exception is thrown it tries again with the retry count and delay required for the next attempt.
Azure Key Vault throttling guidance | Microsoft Docs
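    using System;
    using Azure.Core;                      // RetryMode
    using Azure.Identity;                  // DefaultAzureCredential
    using Azure.Security.KeyVault.Secrets; // SecretClient, SecretClientOptions, KeyVaultSecret

    // Exponential back-off: start at 2 s, cap at 16 s, give up after 5 retries.
    SecretClientOptions options = new SecretClientOptions()
    {
        Retry =
        {
            Delay = TimeSpan.FromSeconds(2),
            MaxDelay = TimeSpan.FromSeconds(16),
            MaxRetries = 5,
            Mode = RetryMode.Exponential
        }
    };
    var client = new SecretClient(new Uri("https://keyVaultName.vault.azure.net"), new DefaultAzureCredential(), options);
    // Retrieve the secret (secretName holds the name of the secret to read)
    KeyVaultSecret secret = client.GetSecret(secretName);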
Also see the GitHub discussion.
If the issue still remains, the call may be repeated several times because of a network issue as well. So please check the network, the firewall, and whether there is any DNS issue for that endpoint.
Check whether the endpoint URI is incorrect or whether the Managed Identity does not have the Data Owner or Reader role. Please make sure that you have proper permissions to access Azure Key Vault and give proper access policies, at least get, list, and create if needed.
Make sure to have one of the roles (RBAC) provided here to access the Key Vault.
References:
asp.net core - How to configure Azure KeyVault refresh interval with the Azure.Security.KeyVault libraries - Stack Overflow
azure sdk .net issues(github)
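The checks listed in the answer above (endpoint URI, DNS, credential, access policy or RBAC role) can be run once at startup to tell the possible causes apart. This is an added example, not code from the original answer; `KeyVaultPreflight`, `Diagnose` and `probeSecretName` are hypothetical names, and it assumes the Azure.Identity and Azure.Security.KeyVault.Secrets packages.

```csharp
// Added example. KeyVaultPreflight, Diagnose and probeSecretName are
// hypothetical names chosen for this sketch.
using System;
using System.Net;
using System.Net.Sockets;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public static class KeyVaultPreflight
{
    // Returns a one-line diagnosis; never returns or logs the secret value.
    public static string Diagnose(string vaultUri, string probeSecretName)
    {
        if (!Uri.TryCreate(vaultUri, UriKind.Absolute, out Uri uri) ||
            uri.Scheme != Uri.UriSchemeHttps)
            return "config: vault URI is missing or not an absolute https URI";

        try
        {
            // "No such host is known" is SocketError.HostNotFound on Windows.
            Dns.GetHostAddresses(uri.Host);
        }
        catch (SocketException ex)
        {
            return $"dns: '{uri.Host}' did not resolve ({ex.SocketErrorCode}); " +
                   "check the vault name, DNS and firewall";
        }

        var client = new SecretClient(uri, new DefaultAzureCredential());
        try
        {
            client.GetSecret(probeSecretName);
            return "ok: vault reachable, identity can read secrets";
        }
        catch (AuthenticationFailedException ex)
        {
            return "credential: no token acquired: " + ex.Message;
        }
        catch (RequestFailedException ex) when (ex.Status == 401 || ex.Status == 403)
        {
            return "access: identity lacks 'get' on secrets (access policy or RBAC role)";
        }
        catch (RequestFailedException ex) when (ex.Status == 404)
        {
            return "ok: vault reachable and authorized; probe secret does not exist";
        }
    }
}
```

Calling `Diagnose` before `AddAzureKeyVault` turns the generic "retry failed" exception into a statement of which layer failed: name resolution, token acquisition, or authorization on the vault.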

Related

Azure communications Web Calling issue

When I use the CallClient of the @azure/communication-calling SDK to create a CallAgent, I'm getting a 'No CommunicationTokenCredential provided' error even though I'm passing a valid CommunicationTokenCredential.
Ex: this.callAgent = await this.callClient.createCallAgent(tokenCredential);
I'm able to successfully deploy a standalone react app & run the following sample application and make a web call as suggested in Microsoft docs. https://github.com/Azure-Samples/communication-services-web-calling-tutorial
But, when I integrate this into my existing React App, I start having issues in creating a CallAgent with the following error:
'azure:ACS:error 27/10/2021, 18:13:48:96 CallClient1:CallAgent1 op:Initialize failed, message=No CommunicationTokenCredential provided,'
I am passing the CommunicationTokenCredential properly while calling the createCallAgent(token) (verified by printing the token as well).
But still, I get this error. Has anyone else faced this issue?

EF Core 3.1 using Authentication=Active Directory Integrated

[Update 1]
I could make it work using the following connection string
Server=tcp:mydatabaseserver.database.windows.net,1433;Initial Catalog=mydbname
and implementing an interceptor as mentioned in this article.
This proves that Azure is correctly configured, and the problem is somewhere in the application (maybe a missing package?).
Anyway, I would still like to be able to change the connection string and switch between AAD authentication and sql authentication, without additional logic in the application.
[/Update 1]
I'm using EF Core 3.1.4 on an Azure WebApp, and I would like to use the Azure AD identity assigned to the application for authentication, but I run into the following exception:
ArgumentException: Invalid value for key 'authentication'.
Microsoft.Data.Common.DbConnectionStringBuilderUtil.ConvertToAuthenticationType(string keyword, object value)
This is the connection string:
    {
      "ConnectionStrings": {
        "Admin": "Server=tcp:mydatabaseserver.database.windows.net,1433;Initial Catalog=mydbname;Authentication=Active Directory Integrated"
      }
    }
I initialize the context using the following code:
var connectionString = this.Configuration.GetConnectionString("Admin");
services.AddDbContext<NetCoreDataContext>(builder => builder.UseSqlServer(connectionString));
The Microsoft.Azure.Services.AppAuthentication package is also imported (version 1.5.0)
Active Directory Integrated wasn't working for me in .NET Core 3.1 but it works now ever since I installed the NuGet package Microsoft.Data.SqlClient (I installed version v2.0.1). It now works with the following connection string:
"MyDbConnStr": "Server=tcp:mydbserver.database.windows.net,1433;Database=MyDb;Authentication=ActiveDirectoryIntegrated"
Note: it also works if I have spaces between the words like this:
"MyDbConnStr": "Server=tcp:mydbserver.database.windows.net,1433;Database=MyDb;Authentication=Active Directory Integrated"
And it also works if I include escaped quotes like this:
"MyDbConnStr": "Server=tcp:mydbserver.database.windows.net,1433;Database=MyDb;Authentication=\"Active Directory Integrated\""
Finally, note that there are additional properties which can also be used in the connection string:
;User ID=myruntimeuser@mydomain.com;Persist Security Info=true;Encrypt=true;TrustServerCertificate=true;MultipleActiveResultSets=true
Welcome to the Net frameworks/runtimes hell.
Currently the ActiveDirectoryIntegrated and ActiveDirectoryInteractive authentication options are not supported for NetCore apps.
The reason is that starting with v3.0, EF Core uses Microsoft.Data.SqlClient instead of System.Data.SqlClient. And the most recent version of Microsoft.Data.SqlClient at this time (also the preview versions) supports these two options only for NET Framework.
You can see similar question in their issue tracker Why does SqlClient for .Net Core not allow an authentication method 'Active Directory Interactive'? #374, as well as the documentation of the SqlAuthenticationMethod enum - ActiveDirectoryIntegrated (emphasis is mine):
The authentication method uses Active Directory Integrated. Use Active Directory Integrated to connect to a SQL Database using integrated Windows authentication. Available for .NET Framework applications only.
With that being said, use the Authentication workaround, or wait for this option to be eventually implemented for Net Core.
Upgrading the Nuget packages:
Microsoft.EntityFrameworkCore and Microsoft.EntityFrameworkCore.SqlServer to 6.0.1 and using Authentication=Active Directory Managed Identity in the connection string helped me resolve the issue.
UPDATE
If you use Azure MSI, please read this document.
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-connect-msi
PREVIOUS
Your problem may be that it is not configured in the portal. You can follow the official document to finish it, then try again.
First, you need to create SQL managed instances, which may cost you a long time. Then you need to configure the Active Directory admin and your db. When you have finished it, you will find ADO.NET (Active Directory password authentication) in your SQL database -> Connection strings in the portal. You can copy and paste it in your code to solve the issue.
I have tried it myself, and it works for me. For more detail, you can see this post.

How to make Amplify CloudFormation aware of changes made outside of it

I ended up on a point that Amplify fails to push any change I made, with a non existent UserPool clientId exception.
Something like
Resource Name: XXXXXXXXXXX (AWS::Cognito::UserPoolClient) Event Type:
update Reason: User pool client does not exist. (Service:
AWSCognitoIdentityProviderService; Status Code: 400; Error Code:
ResourceNotFoundException; Request ID: YYYYYYYYYYYYYYYYYY URL:
https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/xxxxxxxxxxx
I have explained my whole journey on a Github issue for Amplify Cli that you can see here, unfortunately, I'm not getting much support from Amplify team, as you can see there.
I also have created a StackOverflow question with the initial problem I was facing, that you can check here
After digging more into this issue for 3-4 long days, as this issue is blocking my deployment, I came to a guess as to what happened:
• I added auth to my Amplify project months ago.
• Eventually, I noticed one of the created clients was not being used, so I deleted it, using the Cognito console.
• I had not updated the auth for months.
• Now that I have introduced the social authentication, Amplify tried to update it and, because the client Id does not exist anymore, it can't and raises the mentioned error.
Now, anything I try to update it fails, and I guess the reason is this out of sync between what Amplify expects and what actually is the infra.
Every time I pull --restore my environment, I get my amplify-meta.json updated with this invalid client Id (and yes, I have tried changing it on the local amplify-meta.json and pushing it), something like:

    "auth": {
      "myproject": {
        "service": "Cognito",
        "providerPlugin": "awscloudformation",
        "output": {
          "GoogleWebClient": "111111111.apps.googleusercontent.com",
          "AppClientSecret": "aaaaaaaaaaa",
          "UserPoolId": "region-pooId",
          "AppClientIDWeb": "VALID ID",
          "AppClientID": "INVALID ID",
          "FacebookWebClient": "2222222222",
          "IdentityPoolId": "region:Id",
          "IdentityPoolName": "myproject__env",
          "UserPoolName": "mypoolname"
        },
        "lastPushTimeStamp": "2020-05-13T20:48:29.797Z",
        "providerMetadata": {
          "s3TemplateURL": "https://s3.amazonaws.com/myproject-deployment/amplify-cfn-templates/auth/lexis-cloudformation-template.yml",
          "logicalId": "authmyproject"
        },
        "lastPushDirHash": "XXXXXXXXXXXXXX="
      }
    },
I have a different valid ClientId on my Cognito, so as a last resort, what I tried was going directly to the S3TemplateURL pointed to in this code and updating it there to the valid one; my guess was that this file was the single point of truth for Amplify.
But no success, still getting the same wrong Id after pull restore.
Any idea how can I make Amplify in sync again? Making it aware that this ClientId doesn't exist anymore and just getting rid of it on the CloudFormation/Templates?
Amplify Cli is not supporting this feature.
I had the same problem.
I updated AppSync and Cognito in the cloud and I cannot pull the changes to my project.
When I run amplify status, it says no changes.
So I contacted AWS support and they said this is a coming feature.
The solution is to change everything in amplify cli and manage amplify in the console. Don't change anything in the cloud.

VSTS work item creation throttling issue with vsts-node-api

I’m developing a VSTS extension with a build task which should create up to 20,000 work items in a single build. Work items are created using WorkItemTrackingApi/createWorkItem function of vsts-node-api package. In current implementation, extension sends a request to create each work item, VSTS starts to throttle after creating about 100 work items.
Following are the errors logged in the build console.
• (2017-01-08T12:35:13.1385597Z Error: connect ETIMEDOUT 11.11.111:111:111)
• 2017-01-08T12:36:45.0090704Z Error: Failed Request: Internal Server Error(500) - TF246020: Microsoft SQL Server encountered an error while processing the results from one of the Team Foundation Server databases. The error may be caused by insufficient resources on the server. Wait a few minutes and try the operation again. If the problem persists, contact a SQL Server administrator.
2017-01-08T12:36:45.0090704Z ThrottlingMode = Unknown, MildResourceType = None, SignificantResourceType = None
Is there a way to create a bulk of work item with vsts-node-api?
Please advise how to resolve this.
There are the VSTS REST APIs for creating batches of work items, but the vsts-node-api does not wrap them up yet as of January 2017.
You may want to leverage directly the work item batch REST APIs of VSTS with your preferred JavaScript based library.
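Please refer to Create Large Amount of Work Items in TFS Using Javascript REST API.
You can use the below for authentication:

    var httpntlm = require('httpntlm');
    // options (not shown in the original answer) carries the request URL, NTLM credentials and the patch body
    httpntlm.patch(options, function (err, res) {
        if (err) { return console.error(err); }
        console.log("patch complete");
        console.log(res.body);
    });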

Worklight PushAdapter issues on production environment

The Worklight PushAdapter sample works fine in the development env, i.e. Worklight Studio, but a couple of issues occur while moving to production.
• The backend application cannot call the push procedure due to security issues. If I set securityTest="wl_unprotected", it might be a risk in production; are there any other solutions?
• In the onPoll function of the eventSource, if it calls other adapters' procedures, it raises security issues in production too, though it works fine in dev.
e.g.
PushAdapter:

    WL.Server.createEventSource({
        name: 'PushEventSource',
        onDeviceSubscribe: 'deviceSubscribeFunc',
        onDeviceUnsubscribe: 'deviceUnsubscribeFunc',
        securityTest: 'SingleStepAuthAdapter-securityTest',
        poll: {
            interval: 120,
            onPoll: 'getNotificationFromBackend'
        }
    });

    function getNotificationFromBackend() {
        var notifications = WL.Server.invokeProcedure({
            adapter: 'MessageAdapter',
            procedure: 'getMessages',
            parameters: []
        });
        WL.Logger.error("notifications: " + JSON.stringify(notifications));
        ...
    }
Error Messages:
[14-2-13 9:11:45:382 CST] 0000003d ht.integration.js.JavaScriptIntegrationLibraryImplementation E notifications: {"isSuccessful":false,"errors":["Runtime: The resource 'proc:MessageAdapter.getMessages' should only be accessed when authenticated in realm 'wl_antiXSRFRealm'."],"warnings":[],"info":[]} [project XXX]
Could you help, please? Thanks in advance.
The default security test for adapter procedures contains Anti-XSRF protection, but this configuration can be overridden by either:
a. Implementing your own authentication realm.
b. Disabling the authentication requirement for a specific procedure. You can do so by adding the securityTest="wl_unprotected" property to the element in the adapter XML file.
Please refer to below post for a similar question.
IBM Worklight 6.0.0.1 - Push notifications polling not working in Production environment
Worklight should allow a listening port number which is protected by the enterprise firewall to be assigned to the push adapter. If such feature exists, then it should be just a matter of configuring the firewall on production to allow only the push requests from a specific push source.
If such a feature is not available, then the push adapter should be protected by a security test. And the push source should authenticate using a special login ID when pushing data. This should be doable.