GeralexGR

Posted on September 19, 2022September 19, 2022 by geralexgr — Leave a comment

Connect Azure Web app container to Keyvault using Managed identity

Following the article on which I described how you can connect to Azure resources through Managed Identity, I will showcase how one can connect through a container running on an App Service (web app) to a keyvault in order to gather secrets from it.

Connect to Azure resources with Managed Identity – Azure Web app container example

The main two components that are required for this demo will be an app service and a keyvault.

First things first we will need some secrets in order to gather through the hosted application. The dbpassword that is shown below will be retrieved and used from the web app running on the container.

As examined in the article mentioned above, we should construct the appropriate URL in order to retrieve the access_token.

$kati = Invoke-WebRequest -Uri $env:MSI_ENDPOINT"?resource=https://vault.azure.net&api-version=2017-09-01" -Headers @{Secret=$env:MSI_SECRET} -UseBasicParsing | ConvertFrom-Json

Store the access_token on a separate variable (as it sometimes is not parsed correctly from powershell)

and perform an API call on your keyvault using as Authorization the token that we retrieved earlier.

Invoke-WebRequest -Uri "https://spfykey.vault.azure.net/secrets/dbpassword/4f371b23cf244717a585e12af9846dec?api-version=7.3" -Headers @{Authorization = "Bearer $metavliti"} -UseBasicParsing

As a result we sucessfully retrieved the password for the secret which is 123456 by performing a rest api call through the web app using the Managed Identity of the app service.

References:

https://learn.microsoft.com/en-us/rest/api/keyvault/keyvault/vaults

Posted on September 19, 2022September 19, 2022 by geralexgr — 2 Comments

Connect to Azure resources with Managed Identity – Azure Web app container example

Managed identity is the recommended way to go when you need to access resources on Azure as they eliminate the need for developers having to manage credentials by providing an identity for the Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.

An administrator can locate the managed identity of the resource usually under Settings tab.

When you enable the system assigned identity an object (principal ID) will be created. This is the entity that Azure uses in order to reference this resource when you assign permissions through IAM.

We will examine now how we can use the managed identity in order to get an access_token that can be used to authenticate with Azure resources. In my scenario I have created a simple container that runs powershell (mcr.microsoft.com/powershell) in order to interact with rest-api calls with the azure apis. In order to do so, I got a console on the container running on the app service through the Development tools section under advanced tools

Using the below UI you can get a console of the container.

All resources that support Azure AD authentication, and thus work with managed identity use oauth access tokens for authorization. This means we first need to get a token before we can access resources.

When managed identity is enabled on a app service a local http endpoint that can provide access tokens will be available on the app service. This local http endpoint can only be reached from code running on the app service.

You can locate the http endpoint along with the secret needed by displaying environmental variables. As I used powershell image I had a command line so I pressed

set

The variables that we need are MSI_ENDPOINT which is the same as IDENTITY_ENDPOINT and MSI_SECRET. Using those two variables we can get an access_token and use this token in order to authenticate to azure resources.

In order to interact with the API I used curl. The request URL that should be created is a concatenation of MSI_ENDPOINT and the specific resource category that you want to use (see appendix at the bottom of the article). You should also use the secret inside App service as a header.

Example

curl MSI_ENDPOINT?resource=https://management.azure.com&api-version=2017-09-1 -H "Secret: MSI_SECRET" -v

Using curl we can Identify that the requested has a 200 response code and has been performed correctly.

In order to get the output of the curl command you can use -o argument.

By saving the file as kati.txt we can verify that the access_token is saved on the file under a JSON structure.

Lets now examine how we can perform the same request using powershell. First of all we should navigate in the folder on which powershell is located and execute powershell.exe.

cd windows\system32\windowspowershell\v1.0
powershell.exe

Then we can use Invoke-WebRequest to perform an HTTP call on the same url that we described above.

$kati = Invoke-WebRequest -Uri $env:MSI_ENDPOINT"?resource=https://management.azure.com&api-version=2017-09-01" -Headers @{Secret=$env:MSI_SECRET} -UseBasicParsing | ConvertFrom-Json

You can then use the $kati.access_token in order to Authenticate your Azure API calls.

Azure Resource Manager

https://management.azure.com/
Use this when you want to manage resources. I.e. create, delete, update Azure resources. This is when you would do stuff programmatically that you would otherwise do using Azure CLI or in the portal.

Resources supporting managed identity

If you want to interact with one of the APIs for a specific type of service use the following URIs for the resource parameter.
Keyvault: https://vault.azure.net
Datalake: https://datalake.azure.net/
Azure SQL: https://database.windows.net/
Eventhub: https://eventhubs.azure.net
Service Bus: https://servicebus.azure.net
Storage blobs and queues: https://storage.azure.com/

Links:

Azure Services with managed identities support – Azure AD – Microsoft Entra | Microsoft Docs

References:

Co authored with Giannis Anastasiou @ Vivawallet

Posted on September 13, 2022September 13, 2022 by geralexgr — Leave a comment

##[error]Script failed with error: Error: Unable to locate executable file: ‘pwsh’.

In AzureCLI@2 you may choose from a variety of options when it comes on how this task will be executed on the agent machine. I usually choose powershell for windows machines and powershell core for Unix based machines (pwsh).

Recently I got an error on a Windows machine when using Powershell core. The latest version of powershell which is currently on 7.* version can be used as pscore in the AzureCLI@2 task.

      - task: AzureCLI@2
        displayName: az cli task
        inputs:
          azureSubscription: 'SERVICE-CONNECTION'
          scriptType: 'pscore'
          scriptLocation: 'inlineScript'
          inlineScript: |
           script

Error message:

##[error]Script failed with error: Error: Unable to locate executable file: ‘pwsh’. Please verify either the file path exists or the file can be found within a directory specified by the PATH environment variable. Also verify the file has a valid extension for an executable file.

Solution:

In order to bypass this problem you should make sure that the latest version of powershell which is multiplatform should be installed on your system. At the time of this article this version is 7.*

After installing powershell you should make a restart also on the machine in order for the environmental variables to be added on PATH. Then you can execute your pwsh tasks on your agent machines.

Posted on September 12, 2022September 12, 2022 by geralexgr — 1 Comment

Parameters and variables – GitHub workflows

Variables and parameters can be used on GitHub workflows in order to provide input and store temporary values that should be passed on tasks. When you need to ask for user input one should use the parameters and when that is not necessary variables is the preferred way to go.

We will now examine how we can use both in a github workflow.

You can define an input parameter using the inputs keyword. Using the code below you can run a workflow manually. The input that is requested is a string and the description is the message that will be shown to the user.

  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
    inputs:
      username:
        description: "give me your username"
        default: "geralexgr"
        type: "string"

Then later in the workflow you can use the value of the input using inputs.username

The below job will show the input of the user:

  job1:
    runs-on: ubuntu-latest
    steps:
      - name: task inside job1
        run: |
          echo The username is ${{ inputs.username }}

Variables on the other hand can be used during runtime. Similar to using default environment variables, you can use custom environment variables in your workflow actions. To create a custom variable, you need to define it in your workflow file using the env context.

      - name: print variable
        env:
          NAME: "Gerasimos"
        run: |
          echo Variable name is: $NAME

During workflow run the variable will be printed on the output.

Youtube tutorial: