I am trying to use FTP to upload specific files (not a full release) to an Azure Web App. Essentially I am using a PowerShell script to FTP files up to the web app in Azure. I can add new files, create files and folders but when I try to overwrite or delete a file, I get a 550 Access is denied.
I tried creating a a new deployment credential and was able to log in but the result was the same when trying to delete anything; 550 Access is Denied.
Is there any way to grant more permissions to this user or is this impossible? Thanks!
Check that you are not using the READ ONL FTP URL.
The publish profile gives two FTP url's the bottom on is ready only and will always give a 550 error.
550 Denied error, it indicates that you have no enough permission to do that.
You could download the Azure publish profile to get ftp user and password.
You also could follow this tutorial to get FTP information.
or
As zahid Faroq mentioned that you could use KUDU tool(https://{yoursite}.scm.azurewebsites.net) to do that easily. For more information about KUDU, please refer to this document
If you still can reproduce the issue, I recommand that you could create a support ticket to get help from Azure team.
You can't overwrite runnig app. Stop the app first, then upload, then start app again. You can stop/start the app from azure portal or using az cli
az webapp stop --name %AZURE_APP% --resource-group %AZURE_RESOURCE_GROUP%
and
az webapp start --name %AZURE_APP% --resource-group %AZURE_RESOURCE_GROUP%
p.s.: Funny thing is that you can delete running app. Then you still can't upload the running app even when it's already deleted.
I restarted the server, then I could delete/alter the app.
Related
My system administrator made a gMSA for me to use with my work with containers. I am able to do the simple things with it (like test that it is working correctly).
But I cannot figure out how to use it for more than hosting and such.
How can I use the gMSA to make a call to a service that does Active Directory integration?
The specifics of my scenario are this:
I have a ProGet server that hosts a Chocolatey feed for me. It is setup to be integrated with Active Directory.
When I run a choco search command using my own machine, it works just fine.
when I run the same choco search command from the container it fails with an error: Not able to contact source 'http://MyLibrary/nuget/Chocolatey/'. Error was Expected an absolute, well formed http URL without a query or fragment.
If i run curl MyLibrary/nuget/Chocolatey I get a valid response, though the page content says access is denied. (So I know I can connect, but cannot authenticate.)
I have added my gMSA user to my proget Chocolatey feed
We're trying to get our first containerized build running in Azure Devops Server.
The build runs fine in the container, but, unfortunately, it needs to access resources on another server. As such, I need this to be running as a domain user (GMSA account will work) so that it can authenticate the network share to access those resources.
I can't seem to find any documentation on running a containerized build as a specific user.
Can anyone point me to how to setup the yml for passing credentials, or gmsa account? That would be great.
Thanks in advance
Alright... so I figured it out.
First you have to create a credential spec
In powershell New-CredentialSpec -AccountName GMSAAccountName
Then add this in the yml file beneath the container declaration:
options: --security-opt "credentialspec=file://Domain_GMSAAccountName.json"
That was it... and now it works.
Have you tried using PAT(Personal Access Token) to run in agent build?
When setup asks for your authentication type, choose PAT. Then paste the PAT token you created into the command prompt window.
https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/v2-windows?view=azure-devops#permissions
I'm current using this sample as my test bed.
IdentityServer3.Samples/source/MembershipReboot/
I've assigned the correct permissions and read several other posts about this problem but I still get access denied.
My IIS app is running under applicationpoolidentity.
I suggest you to use IIS Local instead of Express to have more control with security. I hope you will get success with this following steps:
Install the certificate in the Personal directory of the Current User. (Help)
Assign a dedicated application pool to the IdSrv3 virtual application or website. (Help)
Assign your user as the identity of the dedicated application pool. (Help)
The user that run IIS must have the read rights on the certificates store where you put it. ApplicationPoolIdentity does not have this rights.
Bluemix provides a CF command line for download to manage applications.
We want to use CF (or any other command line tools ) to manage Organization and Space users. This will allow us to programmatically sync the user list.
Specifically I am looking for
cf enroll-user
cf add-user
cf remove-user
cf unenroll-use
the cf command already lists the users for a given ORG and SPACE.
The simple answer is to read the docs. See "Creating and Managing Users with the cf CLI." It documents commands like create-user, set-org-role, and set-space-role.
For example: Use cf create-user USERNAME PASSWORD to create a new user. The problem is, when you try to do this in Bluemix, you get an error:
>cf create-user jdoe password
Creating user jdoe as bwoolf...
FAILED
Error creating user jdoe.
Server error, status code: 403, error code: access_denied, message: Invalid token does not contain resource id (scim)
You get a similar error when you try to run set-org-role or set-space-role:
FAILED
Server error, status code: 403: Access is denied. You do not have privileges to execute this command.
Why did you get this error? Like #RandalAnders explained, Bluemix currently blocks users from using these user administration commands in the CF CLI. For the time being, you'll need to perform these actions using the Bluemix Dashboard.
Currently, it is not possible within Bluemix to use the CF CLI for certain management commands, as they require administrative privileges. We are exploring expanding the scope of the commands used in the CLI and would be interested in hearing any other use cases you may have.
you can not create a user on bluemix using cf cli since it needs admin privileges. To add a user, you will need to use bluemix cli 'bluemix iam account-user-invite' to invite a user to your account with a org/space role assigned. There are other account/org/space/role management commands under 'bluemix iam'.
Download bluemix CLI here: http://clis.ng.bluemix.net
When executin the follow command:
gsutil notifyconfig watchbucket -i myapp-channel -t myapp-token https://myapp.appspot.com/gcsnotify gs://mybucket
I receive the follow answer, but I used the same command before in another buckets and it worked:
Watching bucket gs://mybucket/ with application URL https://myapp.appspot.com/gcsnotify...
Failure: <HttpError 401 when requesting https://www.googleapis.com/storage/v1beta2/b/mybucket/o/watch?alt=json returned "Unauthorized WebHook callback channel: https://myapp.appspot.com/gcsnotify">.
I used gsutil config to set permissions and tried with gsutil config -e also.
I already tried to set the permissions, made myself owner of the project, but is not working, any help?
I was getting the same error. You must configure gsutil to use a service account before you can watch a bucket.
An additional security requirement was recently added for Object Change Notification. You must add your endpoint domain as a trusted domain on your cloud project. To do that, the domain first has to be whitelisted with the Google Webmaster Tools.
See instructions here:
https://developers.google.com/storage/docs/object-change-notification#_Authorization
I also determined that I needed to:
Whitelist my appspot domain
Create a service account before I can watch a bucket.
At first I was using the google cloud shell and I figured it should just be authenticated. gsutil ls listed the objects in my bucket so I assumed I was authenticated. However that is not the case.
You need to instal gsutil or google cloud sdk, log in, get the .p12 file from the service account, and auth it as Wind Up Toy described. After that it will work.