So I am using dialogflow in my ios app. I have created a service account and have given the permission of owner to use it. I export the access token via terminal and use it in the app. It will work for some time and will start giving me 401 after some time. Could you please help me on this issue?
Thanks
When creating your Service Account make sure you aren't creating short-lived service account credentials as this type of only lasts a couple of hours.
In this link you can find how to create service accounts, and here you can find how to grant access to the desired resources.
Related
I would like to run frontend end to end test from an azure devops pipeline, the website requires login using azure ad.
Unfortunately it is not easy to automate the login (sometimes involves sending code via email).
I tried using oauth and jwt tokens, but for some reason my app authentication does not recognize it when deployed to azure website.
What is the best way to have access to login protected website from azure pipeline?
Thanks
I think using an orgnization wide AD account is not secure, especially you're in a public cloud, that's why Azure provides a life-time limited project scope account. If you really want to use AD account, save its credentials in Azure Key Vault, then during the pipeline time, retrieve the credentials by the default project scope token, then you can do anything you want with the credentials.
I don't have a lot of experience regarding this, but I've done something similair using a Service Principal or Managed Identity.
I tried using oauth and jwt tokens, but for some reason my app authentication does not recognize
After a while I actually figured out that there was an identity provider configured, and there was kind of double authentication configured. After removing the jwt token started working perfectly.
In any case thanks a lot for your answers!
So my goal is to create a Rundeck job that runs on a schedule and isn't run as my personal user, or any "regular" user, but rather a bot user. Ideally this bot user wouldn't have login access and restricted permissions for security reasons, but would be able to run certain jobs. I've tried searching, but the only information I'm finding is about how to create a "regular" user in Rundeck. Even if I go down that route of creating the bot user as a "regular" user, to use it, you need to pass in either the login credentials or an API token. An API token would be fine, if it could be generated and pulled in on the fly. However, that is not the case, the API has an expiration itself. If there is something I'm missing, please let me know. I'd love to get this working.
Rundeck Version: Rundeck 3.2.1-20200113
Rundeck Cli Version: 1.1.7
You can set the following configuration in your rundeck-config.properties file (usually at /etc/rundeck/ directory):
rundeck.api.tokens.duration.max=0
This will disable your maximum period, you can see this in the official documentation here.
With that, your "bot user" can do it through API / RD CLI as you wrote.
Try using webhooks https://docs.rundeck.com/docs/manual/12-webhooks.html
You can trigger a job by making a http-request
The way I've implemented bots is as a user who is a member of a 'bot' user group, with ACLs that lock down that group as required. Any passwords required for the scheduled job are loaded into the key storage of the bot user.
With this approach you still need someone who knows the bot credentials to login as them and set passwords/SSH keys, but that's a one-off. Is that what you're trying to avoid?
The one annoying thing I've found is that a scheduled job always seems to run as the last user to edit the job - so I grant edit access to bot users and make sure to set/reset the schedule after any edit by a normal user. Hoping to address this through https://github.com/rundeck/rundeck/issues/1603, you might want to give it a 👍.
I am trying to make request to the Graph API using a service with no UI. I downloaded the following sample code and followed the instructions: https://blog.kloud.com.au/2015/12/14/implementing-application-with-o365-graph-api-in-app-only-mode/
I successfully get an Access Token, but when using it to make a request to get organization information (required Read Directory Data access), I get 403 Unauthorized.
I have registered my app in Azure AD (where I am a co-administrator).
I have specified Microsoft Graph in the 'permissions to other applications' section, and given Read Directory Data access.
Interestingly there is a note below saying 'You are authorized to select only delegated permissions which have personal scope'. Even though I clearly did. Why? I suspect this is the source of my problem.
Likewise I have checked my demo app against these instructions: https://graph.microsoft.io/en-us/docs/authorization/app_only, but it makes no mention of what role in Azure you need to have.
in this SO post's answer, there is mention of still needing to Consent. I haven't found any documentation about this.
You are authorized to select only delegated permissions which have personal scope
This issue is caused that the app is created by none admin and when they visit the portal then will see this message.
To grant the app-only permission to the application, we need to be the administrator of the tenant. It is different with the co-administrator. To user the Client Credential flow, I suggest that you contact the admin of the tenant to create an application for you. And if you were just for testing purpose, you can create a free tenant and register the application yourself.
Update
We need the assign the Global administrator director role as figure below to make the application works for the client credential flow:
I have a Bluemix account with organization defined, but when I login to IoTF via the webpage https://internetofthings.ibmcloud.com/ my organization is not shown. I see a message that says "You are not a member of any organization".
I am unable to add any devices as a result. What could be causing this issue?
The likely explanation is that you were a temporary member of your IoTF organization and that has subsequently expired.
When you create an IoTF service using Bluemix, an IoTF organization is created and your IBM ID is added as a temporary member. This temporary membership expires after 24 hours and the effect is similar to what you are describing.
If you were to access IoTF using the service tile in Bluemix (Launch Dashboard) then you would be logged straight in to your organization. At this point you will be able to add members (including yourself) to the IoTF organization and then be able to log in directly at https://internetofthings.ibmcloud.com/
The reason for this is that if a Bluemix user created an IoTF service, there is not necessarily the affirmation that that user will forever be authorized to access it. By making that user a temporary member, it is able to log in directly for 24 hours only until the ID is added as a permanent member, or that user always accesses the IoTF dashboard using the Bluemix service tile. The intention is that without positive action the user creating the service will still need access in Bluemix, in order to access IoTF.
Scenario:
I have a console application that needs to access a network share with read/write permissions.
There is no problems when run it manually.
The problem:
When I add this application as a job in my quartz.net server, it cannot access the share. I do not have access to change permissions on the network share, so basically I need my quartz job or if necessary my quartz server to run jobs as me (or as a user that has the proper permissions).
Any ideas in how to accomplish this?
Thanks
You need to change the user that the service is ran with (so this actually isn't a Quartz.NET issue). Open service properties in services and change the user from SYSTEM or NETWORK SERVICE to some named user account that has proper rights to the network share.
You can also use impersonation to change the user you're running as on the fly.