How can I create a user in ArgoCD with apiKey access only? - kubernetes

I have a shell script in a container, that needs to access the ArgoCD API.
The script asks the API for a token, and then uses this token to restart a deployment.
# Build {"username": ..., "password": ...} without hand-escaping the values
JSON=$(jq -c -n --arg username "$USER_NAME" --arg password "$PASSWORD" '$ARGS.named')
# Exchange the credentials for a session token (this is the call that needs the "login" capability)
TOKEN=$(curl -k "$ARGOCD_SERVER/api/v1/session" -d "$JSON" | jq -r ".token")
PARAMETERS="namespace=$NAMESPACE&resourceName=$RESOURCE_NAME&kind=Deployment&group=apps&version=v1"
# Run the "restart" resource action on the Deployment; the body is the JSON string "restart"
curl -k -H "Authorization: Bearer $TOKEN" \
  -d '"restart"' \
  "$ARGOCD_SERVER/api/v1/applications/argocd/resource/actions?$PARAMETERS"
This only seems to work when I have the login option enabled in my argo-cd-cm.yaml.
...
data:
  admin.enabled: "false"
  accounts.<service-user>: apiKey, login
  accounts.<service-user>.enabled: "true"
...
As I am using OIDC for regular users, I would not like this login option to be disabled.
Is there a way to specify an apiKey for a given user in one of the configmaps?

Yep! This has been our configuration (helm values) for 2 years. Just to confirm.
However, make sure to authorize it as well using rbacConfig as below:
server:
  config:
    accounts.cibotuser: apiKey, login
    accounts.cibotuser.enabled: "true"
  rbacConfig:
    policy.csv: |
      p, cibotuser, applications, get, */*, allow
      p, cibotuser, applications, sync, */*, allow
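The following is an added example, not code from the question or the answer above. It shows the apiKey-only variant the question asks for: the account gets `apiKey` without `login`, so it cannot sign in through the UI or obtain a session via POST /api/v1/session and can only use a token minted with `argocd account generate-token --account <name>`; the RBAC line uses the `action/<group>/<Kind>/<action>` resource that Argo CD checks for resource actions (a `sync` grant alone does not cover a restart); and the restart call sends that generated token directly. The account name ci-restarter, the application default/my-app, the CA bundle path and the environment variable names are assumptions.

```sh
#!/bin/sh
# Added example: apiKey-only Argo CD local account plus the restart call that uses it.
# Assumed names: account ci-restarter, app default/my-app, CA bundle /etc/argocd/ca.crt.
set -eu

# argocd-cm fragment: "apiKey" only, no "login", so the account cannot sign in to the UI
# or obtain a session via POST /api/v1/session. Tokens come from:
#   argocd account generate-token --account ci-restarter
argocd_cm_patch() {
  cat <<'EOF'
data:
  accounts.ci-restarter: apiKey
  accounts.ci-restarter.enabled: "true"
EOF
}

# argocd-rbac-cm fragment: resource actions are authorised by
# "action/<group>/<Kind>/<action>", so "sync" alone would not let this account restart anything.
argocd_rbac_patch() {
  cat <<'EOF'
data:
  policy.csv: |
    p, ci-restarter, applications, get, default/my-app, allow
    p, ci-restarter, applications, action/apps/Deployment/restart, default/my-app, allow
EOF
}

# Percent-encode a query value (RFC 3986 unreserved characters pass through).
urlencode() {
  s=$1; out=""
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}; s=${s#?}
    case $c in
      [A-Za-z0-9.~_-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# A generated token is a JWT: three non-empty dot-separated segments.
looks_like_jwt() {
  old_ifs=$IFS; IFS=.; set -f; set -- $1; set +f; IFS=$old_ifs
  [ $# -eq 3 ] && [ -n "$1" ] && [ -n "$2" ] && [ -n "$3" ]
}

# usage: action_url SERVER APP NAMESPACE DEPLOYMENT
action_url() {
  printf '%s/api/v1/applications/%s/resource/actions?namespace=%s&resourceName=%s&kind=Deployment&group=apps&version=v1' \
    "$1" "$(urlencode "$2")" "$(urlencode "$3")" "$(urlencode "$4")"
}

# usage: restart_deployment SERVER TOKEN APP NAMESPACE DEPLOYMENT
restart_deployment() {
  looks_like_jwt "$2" || { echo "ARGOCD_TOKEN does not look like a generated token" >&2; return 1; }
  # Pin the server CA instead of passing -k.
  curl --fail --silent --show-error --cacert /etc/argocd/ca.crt \
    -H "Authorization: Bearer $2" \
    -H "Content-Type: application/json" \
    -d '"restart"' \
    "$(action_url "$1" "$3" "$4" "$5")"
}

# Only talks to the network when both variables are set.
if [ -n "${ARGOCD_SERVER:-}" ] && [ -n "${ARGOCD_TOKEN:-}" ]; then
  restart_deployment "$ARGOCD_SERVER" "$ARGOCD_TOKEN" my-app default my-deployment
fi
```

Apply the two fragments with `kubectl patch configmap argocd-cm -n argocd --type merge -p "$(argocd_cm_patch)"` (and the same for argocd-rbac-cm with `argocd_rbac_patch`), generate the token once as an admin, and hand only that token to the container; the /api/v1/session step and the stored password disappear from the script.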

Related

GitHub Actions: Must have admin rights to trigger workflow_dispatch?

Using the github API I am trying to manually start a workflow using:
curl \
-X POST \
-H "Accept: application/vnd.github+json" \
-H "Authorization: MY_TOKEN" \
https://api.github.com/repos/djpr-data/djprdashdata/actions/workflows/refresh-data.yaml/dispatches
but I keep getting an authentication error:
{
"message": "Must have admin rights to Repository.",
"documentation_url": "https://docs.github.com/rest/reference/actions#create-a-workflow-dispatch-event"
}
This seems to be a similar issue to this question. But my PAT token has all admin and repo scopes selected. I also have my user account setup as admin for the repository and I have added a workflow dispatch to the workflow yaml file.
workflow_dispatch:
  inputs:
    tags:
      description: "run from cmdline"
I have been following the docs at https://docs.github.com/en/rest/actions/workflows#create-a-workflow-dispatch-event and have had no problems using the API to retrieve all previous workflow jobs. I have also tried the runs and jobs endpoints but get the same error. So I am now not sure what else I can do. Is there somewhere else I need to set permissions?
Thanks
This is a poor error message to tell you that your request is not formed correctly. If you want to pass a PAT as a header, you need to prefix it with token, as described in the docs:
-H "Authorization: token MY_TOKEN"
Once that's resolved, however, you'll also get an error because you don't pass the required ref payload. Assuming your default branch is main, here's a correct curl command:
> export MY_TOKEN=gha_abcdef
> curl \
-X POST \
-H "Accept: application/vnd.github+json" \
-H "Authorization: token $MY_TOKEN" \
-d '{"ref": "main"}' \
https://api.github.com/repos/djpr-data/djprdashdata/actions/workflows/refresh-data.yaml/dispatches

Getting "not found" after authenticating when trying to initiate GitHub workflow via REST

I am trying to trigger the workflow_dispatch action for a GitHub workflow via REST but I am getting a "not found" error.
My question is similar to this one but the difference is that I am still getting the "not found" error even though the header indicates I am authenticated (the rate limit has increased to 5,000).
Here's my script:
#!/bin/bash
# https://docs.github.com/en/rest/reference/actions#create-a-workflow-dispatch-event
set -eu
OWNER='myGithubOrganization'
REPO='myRepo'
WORKFLOW_ID='main.yml'
POST_URL="https://api.github.com/repos/$OWNER/$REPO/actions/workflows/$WORKFLOW_ID/dispatches"
echo "Calling $POST_URL"
# The PAT is stored inside a base64-encoded JSON blob in $PLATFORM_VARIABLES
GITHUB_PERSONAL_ACCESS_TOKEN=$(echo "$PLATFORM_VARIABLES" | base64 --decode | jq '.GITHUB_PERSONAL_ACCESS_TOKEN' --raw-output)
# -i to include headers.
curl \
  -i \
  -X POST \
  -H "Accept: application/vnd.github.v3+json" \
  -H "Authorization: token $GITHUB_PERSONAL_ACCESS_TOKEN" \
  "$POST_URL" \
  -d '{"ref":"ref"}'   # "ref" must be the name of an existing branch or tag
In the headers, I see the rate limit has increased to 5,000, so I know I am logged in.
The personal access token has the following permissions:
repo
workflow
admin:org_hook
The personal access token is for a machine user.
In the repo settings, under "Collaborators and teams", the machine user account has the "Read" role.
What more do I need to do to trigger the workflow?
The machine user needs to have write access, not read access.
This is true even if the workflow does something like run CI tests and does not write any code.
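An added example covering both workflow_dispatch questions above (it is not either poster's script): it builds the dispatch URL and the JSON body (ref plus optional inputs) in plain sh, sends the PAT with the `token` prefix the first answer calls for, and maps the status codes met in these two threads back to their causes. The owner, repo and workflow file used in the check are the ones from the first question; the 422 mapping is my assumption about GitHub's validation error, the 403 and 404 mappings come from the threads themselves.

```sh
#!/bin/sh
# Added example covering both workflow_dispatch questions above (not the posters' scripts).
# Assumes a classic PAT in $GITHUB_TOKEN; owner/repo/workflow names are passed as arguments.
set -eu

# Minimal JSON string escaping for branch names and input values
# (backslash and double quote; control characters are not handled).
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# usage: dispatch_payload REF [name=value ...]
# Produces {"ref":"<ref>"} plus an "inputs" object when inputs are given.
dispatch_payload() {
  ref=$1; shift
  body="{\"ref\":\"$(json_escape "$ref")\""
  if [ $# -gt 0 ]; then
    inputs=""
    for kv in "$@"; do
      k=${kv%%=*}; v=${kv#*=}
      inputs="$inputs,\"$(json_escape "$k")\":\"$(json_escape "$v")\""
    done
    body="$body,\"inputs\":{${inputs#,}}"
  fi
  printf '%s}' "$body"
}

# usage: dispatch_url OWNER REPO WORKFLOW_FILE_OR_ID
dispatch_url() {
  printf 'https://api.github.com/repos/%s/%s/actions/workflows/%s/dispatches' "$1" "$2" "$3"
}

# Map the status codes seen in the two threads back to their likely cause.
explain_dispatch_status() {
  case $1 in
    204) echo "dispatched" ;;
    401|403) echo "auth header rejected: send the PAT as 'Authorization: token <PAT>' (Bearer is also accepted)" ;;
    404) echo "not found: the token's user needs write access to the repo, or the workflow file/ref does not exist" ;;
    422) echo "validation error: missing 'ref' or the workflow has no workflow_dispatch trigger (assumed mapping)" ;;
    *) echo "unexpected HTTP $1" ;;
  esac
}

# usage: dispatch_workflow OWNER REPO WORKFLOW_FILE REF [name=value ...]
# Prints the HTTP status and its explanation; a successful dispatch is 204 with an empty body.
dispatch_workflow() {
  url=$(dispatch_url "$1" "$2" "$3"); shift 3
  body=$(dispatch_payload "$@")
  code=$(curl -s -o /dev/null -w '%{http_code}' -X POST \
    -H "Accept: application/vnd.github+json" \
    -H "Authorization: token $GITHUB_TOKEN" \
    -d "$body" "$url")
  echo "$code $(explain_dispatch_status "$code")"
}

# Network call only when a token and arguments are supplied.
if [ -n "${GITHUB_TOKEN:-}" ] && [ $# -ge 4 ]; then
  dispatch_workflow "$@"
fi
```

Run it as `GITHUB_TOKEN=... sh dispatch.sh djpr-data djprdashdata refresh-data.yaml main tags="run from cmdline"`; the user behind the PAT still needs write access on the repository, as the second answer notes, no matter what the workflow does.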

Upload username and password to rundeck key storage using CLI / REST?

I want to use username and password in Rundeck to run jobs on node instead of public / private keys. How do I do it?
Rundeck CLI asks for the user and password by default; you can also define the environment variables RD_USER and RD_PASSWORD in your .bashrc file. Take a look at this (Credentials section).
Example:
export RD_USER=username
export RD_PASSWORD=password
Using the API you can use the "cookie way" to access an endpoint; take a look at this.
And check the following example:
#!/bin/sh
# Log in once and store the session cookie, then reuse it for API calls on the same host.
curl -v -c cookie -b cookie -d j_username=admin -d j_password=admin http://localhost:4440/j_security_check
curl -v -b cookie -H "Accept: application/json" http://localhost:4440/api/31/system/info/

Enable multiple audience in keycloak via kcadm

I have a microservice ecosystem, and all users interacting with it need to authenticate to a Keycloak installation and receive a JWT token.
All is fine, I enabled audience support using this snippet:
/opt/jboss/keycloak/bin/kcadm.sh \
create clients/d3170ee6-7778-413b-8f41-31479bdb2166/protocol-mappers/models -r your-realm \
-s name=audience-mapping \
-s protocol=openid-connect \
-s protocolMapper=oidc-audience-mapper \
-s config.\"included.client.audience\"="your-audience" \
-s config.\"access.token.claim\"="true" \
-s config.\"id.token.claim\"="false"
as described here: Add protocol-mapper to keycloak using kcadm.sh
Which is fine, it works. My problem is, how do I enable multiple values for audience? I mean, I would like to allow the same user to use 2 different services with the same token - each of them should have a different audience.
And the token should look like:
{
"aud": [
"audience-1",
"audience-2"
]
}
Where audience-1 is the audience expected by the first service and audience-2 is the one expected by the 2nd service.
Is it even possible to do that via command line?
I think I may have found the answer. Or at least it worked for me:
kcadm.sh create clients/CLIENT_ID/protocol-mappers/models -r REALM_NAME \
  -s name=audience-mapping \
  -s protocol=openid-connect \
  -s protocolMapper=oidc-audience-mapper \
  -s config.\"included.client.audience\"="audience" \
  -s config.\"access.token.claim\"=\"true\" \
  -s config.\"id.token.claim\"=\"false\"
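An added example, not the answer's command: one kcadm call per audience value (Keycloak emits the mappers together as an `aud` array), plus a decode-only check that an issued token carries both values. It uses `included.custom.audience`, the mapper option for an arbitrary audience string; `included.client.audience`, as in the answer, must name an existing client of the realm. The kcadm path, realm and client ids are placeholders, and the JWT decoded in the check is constructed locally and unsigned, only to exercise the check.

```sh
#!/bin/sh
# Added example, not the answer's command. One audience mapper per value; Keycloak emits
# them as an "aud" array. The mapper names and the realm/client ids are placeholders;
# the JWT decoded below is constructed locally and unsigned (for exercising the check only).
set -eu

KCADM=${KCADM:-/opt/jboss/keycloak/bin/kcadm.sh}

# usage: add_audience_mapper REALM CLIENT_UUID AUDIENCE
# included.custom.audience accepts an arbitrary string; included.client.audience (as in the
# answer) must name an existing client of the realm.
add_audience_mapper() {
  "$KCADM" create "clients/$2/protocol-mappers/models" -r "$1" \
    -s "name=audience-$3" \
    -s protocol=openid-connect \
    -s protocolMapper=oidc-audience-mapper \
    -s "config.\"included.custom.audience\"=$3" \
    -s 'config."access.token.claim"=true' \
    -s 'config."id.token.claim"=false'
}

# Decode the payload segment of a JWT (base64url, unpadded) without verifying it.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="$seg==" ;;
    3) seg="$seg=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# usage: jwt_has_aud TOKEN AUDIENCE  -> exit 0 if "aud" (string or array) contains AUDIENCE
jwt_has_aud() {
  jwt_payload "$1" | grep -Eo '"aud":(\[[^]]*\]|"[^"]*")' | grep -q "\"$2\""
}

# Build header.payload. with an empty signature: a constructed sample for local testing,
# never something Keycloak would issue.
make_unsigned_jwt() {
  hdr=$(printf '%s' '{"alg":"none","typ":"JWT"}' | base64 | tr -d '=\n' | tr '/+' '_-')
  pl=$(printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-')
  printf '%s.%s.' "$hdr" "$pl"
}

# usage: sh this.sh add REALM CLIENT_UUID AUDIENCE   (calls kcadm; otherwise nothing runs)
if [ "${1:-}" = add ] && [ $# -eq 4 ]; then
  add_audience_mapper "$2" "$3" "$4"
fi
```

Run `sh this.sh add your-realm <client-uuid> audience-1` and again with audience-2, obtain a token for a user of that client, and feed it to `jwt_has_aud "$TOKEN" audience-2` before trusting the configuration; each service should still verify the signature and reject tokens whose `aud` does not contain its own value.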

curl request to Microsoft Sharepoint API?

Is there a simple way to use a cURL request to the REST API to access a file on my Sharepoint account? For example
curl -i -H "Authorization: Bearer <some-key-here>" https://mysharepoint.com/_api/web/Lists
I have read all the documentation about authentication and authorization for apps, but in this case I don't have an "application" that I can register. I simply need an API key of some kind to use in REST requests. How can I use the REST API in this way?
I appreciate any insight into this problem.
Create a bash script:
$ nano get_access_token.sh
Paste the following content into it, changing YourTenant, client_id and client_secret to your own values (you get these in the SharePoint part below).
# Ask SharePoint for its bearer challenge; the realm (tenant id) and the SharePoint principal id are in the WWW-Authenticate header
wwwauthenticate=$(curl -i -H "Authorization: Bearer" -s "https://YourTenant.sharepoint.com/_vti_bin/client.svc/" | grep -i "www-authenticate")
bearer_realm=$(echo "$wwwauthenticate" | awk -F"," '{print $1}' | awk -F"=" '{print $2}' | tr -d '"')
app_id=$(echo "$wwwauthenticate" | awk -F"," '{print $2}' | awk -F"=" '{print $2}' | tr -d '"')
grant_type="grant_type=client_credentials"
# ACS expects "<client id>@<realm>" for the client and "<principal>/<host>@<realm>" for the resource
cl_id="client_id=c2xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx@$bearer_realm"
cl_secret="client_secret=3zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz"
res="resource=$app_id/YourTenant.sharepoint.com@$bearer_realm"
url="https://accounts.accesscontrol.windows.net/$bearer_realm/tokens/OAuth/2"
content_type="Content-Type: application/x-www-form-urlencoded"
# The reply is JSON; the access_token is its last field, so take everything after the last colon
access_token=$(curl -X POST -H "$content_type" --data-urlencode "$grant_type" --data-urlencode "$cl_id" --data-urlencode "$cl_secret" --data-urlencode "$res" -s "$url" | awk -F":" '{print $NF}' | tr -d '"}')
echo "$access_token"
Apply proper permissions: chmod 700 get_access_token.sh
You can then use curl with that token as follows:
curl -i -H "Authorization: Bearer $(./get_access_token.sh)" -H "Accept: application/json;odata=verbose" -s "https://YourTenant.sharepoint.com/_api/web"
You can replace ./ with the full path to the script.
Sharepoint's part:
Register a new app by
following the https://YourTenant.sharepoint.com/_layouts/15/appregnew.aspx link
generating the Client Id and Client Secret values
filling in the Title, App Domain and Redirect URI fields (I entered localhost.com as on the picture; it works)
clicking the Create button
Save somewhere into file the next parameters:
The app identifier has been successfully created.
Client Id: 898c898f-89238-43d0-4b2d-7a64c26f386a
Client Secret: 4/T+21I1DSoAJdOX9DL1Ne4KssEaP7rqb11gdtskhXn=
Title: SomeTitle
App Domain: localhost.com
Redirect URI: https://localhost.com/default.aspx
Apply permissions to this app by
following https://YourTenant.sharepoint.com/sites/SharePointRND/_layouts/15/appinv.aspx
inserting Client Id: 898c898f-89238-43d0-4b2d-7a64c26f386a into the App Id field
clicking the Lookup button
pasting the following code into Permission Request XML (in my case I needed only Read access, so I changed the Right value from FullControl to Read):
<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" />
</AppPermissionRequests>
clicking the Create button at the bottom
clicking the Trust It button
Here's a Postman-related but similar answer.
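An added example (not the answer's script) that performs the same ACS client-credentials exchange but parses the WWW-Authenticate challenge by parameter name instead of comma position, joins client id and realm with the `@` separator ACS expects, and pulls `access_token` out of the JSON reply by key. The challenge line is a constructed sample shaped like the one SharePoint Online returns; the tenant id, host and environment variable names are placeholders.

```sh
#!/bin/sh
# Added example (not the answer's script): parse the ACS challenge SharePoint Online returns
# and assemble the client-credentials request without comma-position guesswork.
# SAMPLE_CHALLENGE is a constructed sample; tenant id, host and env var names are placeholders.
set -eu

# Extract a quoted parameter (realm, client_id, ...) from a WWW-Authenticate header line.
# usage: header_param "<header line>" <name>
header_param() {
  printf '%s\n' "$1" | sed -n "s/.*[ ,]$2=\"\([^\"]*\)\".*/\1/p"
}

# ACS wants "<client-id>@<realm>" as the principal and
# "<sharepoint-principal>/<host>@<realm>" as the resource.
acs_client_id() { printf '%s@%s' "$1" "$2"; }          # usage: CLIENT_ID REALM
acs_resource()  { printf '%s/%s@%s' "$1" "$2" "$3"; }   # usage: APP_PRINCIPAL HOST REALM
acs_token_url() { printf 'https://accounts.accesscontrol.windows.net/%s/tokens/OAuth/2' "$1"; }

# Pull the access_token value out of the JSON reply by key (assumes no escaped quotes in the token).
json_access_token() {
  printf '%s\n' "$1" | sed -n 's/.*"access_token" *: *"\([^"]*\)".*/\1/p'
}

# usage: get_access_token HOST CLIENT_ID CLIENT_SECRET   (network call; not run by default)
get_access_token() {
  challenge=$(curl -s -i -H "Authorization: Bearer" "https://$1/_vti_bin/client.svc/" \
    | grep -i '^www-authenticate:' | tr -d '\r')
  realm=$(header_param "$challenge" realm)
  principal=$(header_param "$challenge" client_id)
  reply=$(curl -s -X POST "$(acs_token_url "$realm")" \
    --data-urlencode grant_type=client_credentials \
    --data-urlencode "client_id=$(acs_client_id "$2" "$realm")" \
    --data-urlencode "client_secret=$3" \
    --data-urlencode "resource=$(acs_resource "$principal" "$1" "$realm")")
  json_access_token "$reply"
}

# Constructed sample of the challenge line (the 00000003-... value is the SharePoint principal id).
SAMPLE_CHALLENGE='WWW-Authenticate: Bearer realm="11111111-2222-3333-4444-555555555555",client_id="00000003-0000-0ff1-ce00-000000000000",trusted_issuers="00000001-0000-0000-c000-000000000000@*",authorization_uri="https://login.windows.net/common/oauth2/authorize"'

if [ -n "${SP_HOST:-}" ] && [ -n "${SP_CLIENT_ID:-}" ] && [ -n "${SP_CLIENT_SECRET:-}" ]; then
  get_access_token "$SP_HOST" "$SP_CLIENT_ID" "$SP_CLIENT_SECRET"
fi
```

Keep the client secret in an environment variable or a secret store rather than in the script body, and request only the Right the caller needs in the permission XML; the app-only token carries whatever the registration was trusted with.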
If this is still relevant, this did it for me:
curl https://mysharepoint.com/_api/web/Lists -v --ntlm --negotiate -u user:password
You basically authenticate using ntlm (Note that some sharepoints might require Kerberos) and then can easily access the REST API like you can via browser.
Edit: this does not work with Office 365, apparently.