Data Factory MSI authentication with Azure Event Hub through Web Activity - azure-data-factory

I am trying to send messages to an Event Hub through Data Factory's Web activity.
My Data Factory is set up with a system assigned managed identity (MSI), and that identity has been given the "Azure Event Hubs Data Sender" role on the Event Hubs Namespace (RBAC / IAM).
The Web activity is set up as follows:
{
"name": "Send to Event Hub",
"type": "WebActivity",
"dependsOn": [],
"policy": {
"timeout": "7.00:00:00",
"retry": 0,
"retryIntervalInSeconds": 30,
"secureOutput": false,
"secureInput": false
},
"userProperties": [],
"typeProperties": {
"url": "https://<eventhubnamespace>.servicebus.windows.net/<eventhub>/messages?timeout=60&api-version=2014-01",
"method": "POST",
"body": {
"DeviceId": "dev-01",
"Temperature": "37.0"
},
"authentication": {
"type": "MSI",
"resource": "https://servicebus.azure.net"
}
}
}
Unfortunately, it seems that the request is always unauthorized. The web activity fails with the following message:
{
"errorCode": "2108",
"message": "Invoking Web Activity failed with HttpStatusCode - 'Unauthorized'.",
"failureType": "UserError",
"target": "Event Hub",
"details": []
}
I also tried specifying the Content-Type header according to the send event REST API docs, but it made no difference.
According to this article, it should be possible to authenticate against Event Hub using a Service Principal with OAuth2.0 Bearer token. My understanding is that ADF's MSI is no different than a Service Principal, except that I don't have to manage the secrets and tokens on my own. What am I missing?

Related

Create a new user through AWS ApiGateway secured with Cognito - how to allow access to the users before it is created?

I have an API in AWS API Gateway secured with AWS Cognito. In order to use the endpoint, the user must be recognized by Cognito, which will return a token.
The question here is related to the CREATE USER process. In order to use this endpoint, the user must exist in Cognito, then receive the token and use it to connect to the CREATE USER endpoint. But at the moment of the creation of the user in the database (api-endpoint), the user is not created in Cognito and has no permission to get access to the API.
So, what would be the best approach to this process?
You don't need to always use the TOKEN authorizer. API Gateway allows you to configure another type of authorizer: REQUEST.
In that case it's entirely up to you how you want to tell if someone is (or is not) authorized to make a call to your API endpoint.
The event will look something like this (taken from AWS documentation):
{
"type": "REQUEST",
"methodArn": "arn:aws:execute-api:us-east-1:123456789012:abcdef123/test/GET/request",
"resource": "/request",
"path": "/request",
"httpMethod": "GET",
"headers": {
"X-AMZ-Date": "20170718T062915Z",
"Accept": "*/*",
"HeaderAuth1": "headerValue1",
"CloudFront-Viewer-Country": "US",
"CloudFront-Forwarded-Proto": "https",
"CloudFront-Is-Tablet-Viewer": "false",
"CloudFront-Is-Mobile-Viewer": "false",
"User-Agent": "..."
},
"queryStringParameters": {
"QueryString1": "queryValue1"
},
"pathParameters": {},
"stageVariables": {
"StageVar1": "stageValue1"
},
"requestContext": {
"path": "/request",
"accountId": "123456789012",
"resourceId": "05c7jb",
"stage": "test",
"requestId": "...",
"identity": {
"apiKey": "...",
"sourceIp": "...",
"clientCert": {
"clientCertPem": "CERT_CONTENT",
"subjectDN": "www.example.com",
"issuerDN": "Example issuer",
"serialNumber": "a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1:a1",
"validity": {
"notBefore": "May 28 12:30:02 2019 GMT",
"notAfter": "Aug 5 09:36:04 2021 GMT"
}
}
},
"resourcePath": "/request",
"httpMethod": "GET",
"apiId": "abcdef123"
}
}
Then you need to tell API Gateway that it can pass this response through:
{
"principalId": "any-identifier-you-choose-like-uuid",
"policyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "execute-api:Invoke",
"Effect": "Allow",
"Resource": "arn:aws:execute-api:eu-west-1:111111111111:abcdef/prod/GET/myresource"
}
]
}
}
There is also caching policy involved, but this should be enough for you to start.
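The REQUEST authorizer flow described in the answer above, as an added Python example (not part of the original answer and not AWS's own code). It assumes the check is a shared header, reusing the HeaderAuth1/headerValue1 pair from the sample event; the function names and principal IDs are hypothetical.

```python
import hmac

# Assumption for this example: the caller proves itself with one header.
# The name and value mirror the sample event; load a real value from a secret store.
EXPECTED_HEADER = "HeaderAuth1"
EXPECTED_VALUE = "headerValue1"

# Constructed sample input, trimmed from the event shape shown above.
SAMPLE_EVENT = {
    "type": "REQUEST",
    "methodArn": "arn:aws:execute-api:us-east-1:123456789012:abcdef123/test/GET/request",
    "headers": {"HeaderAuth1": "headerValue1", "Accept": "*/*"},
}


def find_header(event, name):
    """Case-insensitive lookup: HTTP header names are not case-sensitive."""
    for key, value in (event.get("headers") or {}).items():
        if key.lower() == name.lower():
            return value
    return None


def build_policy(principal_id, effect, resource):
    """Authorizer response in the shape API Gateway expects."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": resource}
            ],
        },
    }


def handler(event, context=None):
    """Allow only when the expected header matches; deny everything else."""
    method_arn = event["methodArn"]
    if event.get("type") != "REQUEST":
        return build_policy("anonymous", "Deny", method_arn)
    supplied = find_header(event, EXPECTED_HEADER) or ""
    # Constant-time comparison avoids leaking the value through timing.
    if hmac.compare_digest(supplied.encode(), EXPECTED_VALUE.encode()):
        return build_policy("signup-client", "Allow", method_arn)
    return build_policy("anonymous", "Deny", method_arn)


if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))
```

With authorizer caching enabled, API Gateway reuses the returned policy for later requests that carry the same identity sources, so a Resource scoped to a single methodArn also governs other methods behind the same authorizer.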

Azure Devops rest API for create pipeline with source provider bitbucket not working

I am new to Azure and am trying to create a pipeline through the REST API with the URL below:
https://dev.azure.com/my-org/my_project/_apis/pipelines?api-version=6.1-preview.1
When the Source Provider is Azure Git Repo, it works perfectly fine with the request body below:
{
"folder": "\\",
"name": "Test-Pipeline-1",
"configuration": {
"type": "yaml",
"path":"/azure-pipelines.yml",
"repository":{
"id": "1f13f61c-eade-b36bc515bb5e",
"name": "TestAzure123",
"type":"azureReposGit"
}
}
}
But when the Source Provider is Bitbucket Cloud, it's not working:
{
"folder": "\\",
"name": "Bitbucket-Pipeline",
"configuration": {
"type": "yaml",
"path":"/master-pipeline.yaml",
"repository": {
"id": "sid_07/Bitbucket-repository",
"name": "Bitbucket-repository",
"type": "Bitbucket"
}
}
}
I am getting the exception below:
{
"$id": "1",
"innerException": null,
"message": "This API does not support creating pipelines with repositories of type Unknown.",
"typeName": "Microsoft.Azure.Pipelines.WebApi.UnsupportedRepositoryTypeException, Microsoft.Azure.Pipelines.WebApi",
"typeKey": "UnsupportedRepositoryTypeException",
"errorCode": 0,
"eventId": 3000
}
Is pipeline creation supported through the REST API for Bitbucket, or am I missing something? Please help.
I have already taken reference from a similar issue:
https://developercommunity.visualstudio.com/content/problem/1101376/create-pipeline-rest-api-does-not-work.html
Azure Devops rest API for create pipeline with source provider bitbucket not working
I am afraid the REST API Pipelines - Create does not support the creation of a pipeline whose source type is bitbucket at this moment.
When I use the request body below, which I used to create a pipeline for the resource type of github:
{
"folder": "\\",
"name": "Test-Pipeline-2",
"configuration": {
"path": "TestDemo.yml",
"repository": {
"fullName": "xxx/leotest",
"connection": {
"id": "e11d299a-0bfd-4a38-a77c-xxxxxxxx"
},
"type": "bitbucket"
},
"type": "yaml"
}
}
I got the same error as you:
Then I created that pipeline manually and used the REST API Pipelines - Get to get the detailed info about this pipeline. I got the following info:
"configuration": {
"path": "BitbucketRepo.yml",
"repository": null,
"type": "yaml"
},
"url": "https://dev.azure.com/xxx/xxxxx/_apis/pipelines/146?revision=2",
"id": 146,
"revision": 2,
"name": "BitbucketRepo",
"folder": "\\YAML\\Resources"
We can see that the repository part is null.
So, the REST API Pipelines - Create does not support creating a pipeline with source provider Bitbucket at this moment.
For this request, you could add it as a feature request on our UserVoice site (https://developercommunity.visualstudio.com/content/idea/post.html?space=21), which is our main forum for product suggestions. Thank you for helping us build a better Azure DevOps.

Azure DevOps OAuth organization policies API

Is there a way to know via API what is the organization policy for 3rd party OAuth requests?
I want to know if I should ask my user to authenticate with his credentials or generate a PAT.
is there a way to know via API what is the organization policy for 3rd party OAuth requests?
You can use this api which I fetched from F12:
Get https://dev.azure.com/{YourOrgName}/_settings/organizationPolicy?__rt=fps&__ver=2
The response would contain the info about Application Connection Policies:
"ms.vss-admin-web.organization-policies-data-provider": {
"policies": {
"applicationConnection": [
{
"policy": {
"name": "Policy.DisallowOAuthAuthentication",
"value": false,
"effectiveValue": true,
"parentPolicy": {
"name": "Policy.DisallowOAuthAuthentication",
"value": false,
"effectiveValue": true,
"isValueUndefined": true
}
},
"learnMoreLink": "https://aka.ms/vstspolicyoauth",
"description": "Third-party application access via OAuth",
"applicableServiceHost": 1
},
{
"policy": {
"name": "Policy.DisallowSecureShell",
"value": false,
"effectiveValue": true,
"isValueUndefined": true,
"parentPolicy": {
"name": "Policy.DisallowSecureShell",
"value": false,
"effectiveValue": true,
"isValueUndefined": true
}
},
"learnMoreLink": "https://aka.ms/vstspolicyssh",
"description": "SSH authentication",
"applicableServiceHost": 1
}
]...
The effectiveValue node (not the value node) under the corresponding policy node should represent whether you enable/disable the policies above in your pic. E.g.: the effectiveValue node under the first policy node would be false if Third-party application access via OAuth is disabled.

POST Image throwing "internal_error"

I'm trying to use VPC Classic POST Image REST API to upload the image to VPC. Getting internal_error
POST https://us-south.iaas.cloud.ibm.com/v1/images?version=2019-05-31&generation=1
Body:
{
"file": {
"href": "cos://us-south/vnfimages/BIGIP-13.1.3-0.0.6.vhd"
},
"operating_system": {
"name": "ubuntu-16-04-amd64"
},
"format": "vhd"
}
VHD Image is available in COS.
Expected Result:
REST API should pass and the image should be uploaded in vpc.
Actual Result:
{
"errors": [
{
"code": "internal_error",
"message": "An internal error occurred.",
"more_info": "https://cloud.ibm.com/docs/vpc-on-classic?topic=vpc-on-classic-rias-error-messages#internal_error",
"target": {
"name": "",
"type": ""
}
}
],
"trace": "f596852507fcd0c701eb46b63948ca63"
}
Make sure you have created authorization between VPC Infrastructure (source service) > Image Service for VPC (resource type) and Cloud Object Storage (target service).
Also the format field is not a valid field, you might want to drop it.

Error trying to write data on google's fit web application via rest api

I'm trying to write data to Google Fit via the REST API. The idea is to write data through Google's REST API, and the goal is to show that information on both Google Fit's web and app.
The information that I'm trying to write is a session (equivalent to a workout).
Request:
GET https://www.googleapis.com/fitness/v1/users/me/sessions/11xxxx
Body:
{
"id": "11xxxx",
"name": "My example workout",
"description": "A very intense workout",
"startTimeMillis": 1396710000000,
"endTimeMillis": 1396713600000,
"version": 1,
"lastModifiedToken": "exampleToken",
"application": {
"packageName": "com.google.android.apps.fitness",
"version": "web"
},
"activityType": 1
}
Response:
{
"error": {
"code": 403,
"message": "Application package name (com.google.android.apps.fitness) provided by un-trusted source.",
"errors": [
{
"domain": "global",
"message": "Application package name (com.google.android.apps.fitness) provided by un-trusted source.",
"reason": "forbidden"
}
]
}
}