I'm trying to create an azure mobile services .net back end
i download the source sample from azure web site and try to run it on my computer everything works.
when i publish to azure then entity framework is having problem to connect to azure sql. ( I'm using a new database in an existing server)
the error is permission issue.
Somehow in azure the entity framework is trying to log in with a user YAtdHDYMBgLogin that doesn't exists in my database.
I guess the issue is the new connection string azure mobile services is assign to my code.
Is there anyway to change the user who connect to the db. I can remove the MS_TableConnectionString and put it hard coded on the web.config in release mode but i want to know if there is a way to workaround this issue.
You can do the following:
Add a new "ConnectionString" element to the appSettings element in your web.config:
<add key="ConnectionString" value="<your connection string"/>
Pass this to your db context:
public MyContext() : base(WebConfigurationManager.AppSettings["ConnectionString"]) { }
You can override this in the "app settings" section in the Configure tab in the Azure management portal. Just create a new "ConnectionString" variable and give it the value you want.
When you run your app locally, it will use the value in web.config. When you run it on the instance, it will use the value you configured in the portal.
Related
Before I deploy a function app and functions through PowerShell > ARM template I dynamically get a service bus connection string and update the value in the connection binding in the function.json file. Then I deploy the function app and function.
Deployment works, but the function app returns an error message:
Microsoft.Azure.WebJobs.ServiceBus: Microsoft Azure WebJobs SDK ServiceBus connection string 'Endpoint=sb://sbname.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;[Hidden Credential]' is missing or empty.
The question is: Do we really have to create an application setting on the function app with this connection string in it? Is there no other option than using the app setting?
It feels like storing the connection string in another location than on the service bus would just create another vulnerability.
I am aware that I could define "connection": "RootManageSharedAccessKey_SERVICEBUS" in the function.json file and then create an app setting with that same name, but that's not the way forward I want to go.
Please check if my findings help to:
Instead of storing the Service Bus Connection String directly, you can utilize the Azure Key Vault Service or Azure App Configuration Service.
You can store the confidential values like Connection Strings, Key-value pairs, Client Secrets, Certificate Passwords, etc. in Azure Key Vault.
Assume you have stored the ServiceBus connection string in the Key Vault. That you want to retrieve in the Function App through Application Settings but here in the app setting you can define as:
"connection": #Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/RootManageSharedAccessKey_SERVICEBUS/)
This KeyVault URI cannot be accessed by any other user until they are assigned with System or User Assigned Managed Identity Permission.
Azure App Configuration is a central place where you can manage application settings and secure their accesses in one place. Refer here for more information.
I'm creating new azure devops web extension, I've created new service connection of generic type (provided username and password).
Need to access username and password and make rest api call inside java script file of azure devops web extension. How to form authorization header without user interaction?
This is not available for any customized extension so far. Same as a customized task or script.
Because a Service Connection involves data shaped specifically to the
connected service (the Generic Service Connection being the exception
that proves the rule...), you won't be able to make use of strongly
typed properties in your Bash task. Instead, you may want to examine
environment variables and process the service connection data
manually.
More detail info you could kindly take a look at Josh E's reply in this question: How can a script access Service Connections? (Azure Devops Pipelines)
I've been working on this for several days now, and after reading many documentations on this I am absolutely out of ideas.
What I've done so far:
Created three web apps (DEV, UAT, PROD) and switched System Assigned to ON to create a Managed Identity. This also registered the web
applications into the Azure Active Directory.
Registered an application in Azure Active Directory that includes redirect URI to UAT, DEV, Prod, and local URL.
Created Key Vault under the same resource group as the web apps for DEV, UAT, PROD.
Included all four applications in the Access Policy of the Key vault with GET and LIST permissions.
App Service Authentication is set to OFF (app service -> Authentication/Authorization -> OFF). We're using another means of user authentication.
After this setup, the key vault is accessible on localhost but not on the deployed environment. The reason why I believe so is because it's not retrieving the connectionString from the key vault.
I've consumed all sorts of documentation on this including https://learn.microsoft.com/en-us/azure/key-vault/service-to-service-authentication.
Project is .Net Framework 4.7.2
In the code, I have which retrieves my secrets locally but not on deployed:
public static string GetSecret(string SecretName, string vaultURL)
{
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
return keyVaultClient.GetSecretAsync(vaultURL, SecretName).Result.Value;
}
Please let me know what it is that I'm missing that's preventing my web app from accessing the key vault.
Make sure that you have updated any information that is specifically related to the local application. For example, if it was working locally and is not working when published, it's possible that there's a reference in the code or in the portal to the localhost environment, and this needs to be updated to the published environment. Sometimes in the app registration people will leave in a reference to the localhost URL and not add the published web page URL both there and in the code.
Also, please share the error that you are receiving.
After some careful debugging, I found out that my issue was actually a relatively simple one. The Key vault granted my web app using the identities, but it was this particular call that had caused my issues: ConfigurationManager.ConnectionStrings[1].Name. The purpose was to get the name of the connectionStrings to feed into my DBContext. Turns out that this didn't return the value I had expected in the production. After some changes the code, the problem is solved!
I am trying to configure Azure Key Vault and setup Managed Identities for use in CI/CD pipeline for Azure Dev Ops.
I have looked around in MSDN documentation but I only specific links for use with Azure SQL and we are using Azure SQL Managed Instances.
If I did not make any misunderstand, in fact, you want to use Managed Identity work with Azure SQL Managed Instance? If this, unfortunately to say, the Managed Identity could not work with Azure SQL Managed Instance. Please see this doc: Services that support managed identities for Azure resources. It list all of the Azure services name which support work with the Managed identities in great detail.
You can see for SQL database, it only support the integration with Azure SQL instead of Azure SQL Managed Instance. That's why you only see the doc link for the usage with Azure SQL.
Until now, the Azure SQL managed instance only support two authentication method:
SQL Authentication:
This authentication method uses a username and password.
Azure Active Directory Authentication:
This authentication method uses identities managed by Azure Active
Directory and is supported for managed and integrated domains. Use
Active Directory authentication (integrated security) whenever
possible.
You can refer to this thread: Managed Identity with Azure SQL Managed Instance?. In this thread, out engineer provided some work around if you trying to configure the app with Managed Identity.
I have created one Web Api project and add entity framewok 6 in this.
and Create the API App in App service in azure portal and publish Web Api project in this app.
everything is working fine but when I removed the Connection string from Web.config file and set connection string in azure app
following this https://social.msdn.microsoft.com/forums/azure/en-US/62b9fa9d-7a4a-4927-a702-3e1e834d5187/azure-web-sites-connection-string-for-ef-not-being-picked-up
is not working.
I have put this dummay connection sting in my web.config file
Please help me what I am doing wrong or there is another approach for API App in azure portal.
Connection string in web config will have " for escaped quotes. you need to change them to '' before adding to azure app services connection string