Unable to deploy ARM template with all required Permissions - azure-resource-manager

My requirement is to deploy an arm template using Azure pipelines.
I am referring to this document Deploying ARM Templates using Azure DevOps Pipelines – Thomas Thornton I don't think I have missed anything.
But I got the below error:
Exception Details: (InsufficientPrivilegesForManagedServiceResource) The requested user doesn't have sufficient privileges to perform the operation.
I have enough permissions to perform this but I do not know why I am getting this error
Api permissions
What permissions am I missing? Any suggestions??

The error "Insufficient permissions for deploying ARM template" usually occurs if there is any missing required permissions to perform the action.
Please note that, if you are deploying the ARM template at subscription level then you have to grant permissions for subscription level scope.
Try assigning the permissions at subscription level to resolve the error. You have to be having either Global Admin Role or Owner Role for your subscription.
You can refer this MsDoc to do the same.
You can also enable Access management for Azure resources as below:
Go to Azure Portal -> Azure Active Directory -> Properties -> Access management for Azure resources
You can refer the similar kind of issue solved by me in this SO Thread.

Related

Can firebase "deploy access" be restricted?

We are bringing in a new developer for our Firebase web app project, who will start out by just learning the code in his local environment.
Since the new developer will be running Firebase CLI in the local env., is there a way to set up his initial role on the project such that he is [not able] to run firebase deploy commands?
~~~~~~~~~~~~~~~~~~~~~~~~~
I did find this doc from Google:
https://cloud.google.com/iam/docs/understanding-roles?_ga=2.49153190.-1888993.1468450573#curated_roles
It discusses deploy access in section: App Engine Roles .. not sure if that is for Firebase as well.
If so, are there any additional references for how to go about applying these kinds of roles to a Firebase project?
Anyone who has the "editor" or "owner" role for a project will be able to deploy (and generally make any other changes to the project). If you don't want an account to be able to deploy, don't give either of those roles.

What IAM roles are needed for deploying to Firebase Hosting?

I am trying to give permissions to a third party to make deployments to Firebase Hosting on a project I have set up. I explored the IAM permissions available in the GCP console, and the only half-related role seems to be the Firebase Rules System, however that didn't allow the user to deploy to hosting. While Project Editor would probably work, I don't want to give them that much authority, as they could launch other Firebase products at my expense.
What IAM roles should I add to allow a user to deploy to Firebase Hosting?
Update (2018-11-12): Firebase seems to have added more granular permission settings with their October 28, 2018 release:
The Firebase console now offers predefined Firebase roles. These new roles enable more granular access than the primitive Owner/Editor/Viewer roles. To edit member access for your project, visit the Firebase console Users and permissions page. For more information on roles, see Manage project access with Firebase IAM.
Digging deeper, I found these IAM entries related to hosting: https://firebase.google.com/docs/projects/iam/permissions#hosting
Original answer:
I asked Firebase support and the following was their reply:
To be able to deploy hosting app your developer must be either an
Owner or Editor. So in your case, lowest privilege that you can give
is Editor because currently role-based access restriction for Static
Hosting is unavailable. We're aware that many developers, such as
yourself, would like more extensive and granular control for
permissions. We're exploring potential solutions, but I can't share
any details or timelines at this time.
Keep an eye out on our release notes for any further updates.

How to deploy Profile with .net Core app on AWS

NOTE: This question is for a .net core console application, not ASP.NET Core.
I am confused on the proper use of a Profile on AWS. What I understand is that AWS would prefer that a profile name is used instead of a file containing AWS credentials (aws_access_key_id, aws_secret_access_key) values.
With .net core, how will I know how to navigate to the users home directory where the credentials file should be stored? (According to this reference: http://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/net-dg-config-creds.html#using-a-credentials-file
I am creating a .net Core application to connect to Amazon Kinesis and will be deploying it in a Docker container. I want to be able to deploy and have the application find the credentials on its own using .CreateServiceClient<IAmazonKinesis>(). From what I understand, this approach allows AWSOptions to lookup/find the credentials under the covers by locating the credentials file.
Please help me understand how to approach this.
Is the docker container you will be deploying to hosted in ECS? If so, using the IAM Roles for Tasks feature in ECS will be the simplest solution to your question.
Essentially, you can configure an IAM role that the task/container will run under, and configure it's permissions by assigning an IAM policy to that role. ECS manages the process of providing credentials for that role to the docker container. The SDKs will all pick up the credentials ECS provides by default, unless you explicitly override them by providing credentials while creating a client or change your credential provider chain.
We published a blog post about ECS IAM roles for tasks when we launched the feature:
https://aws.amazon.com/about-aws/whats-new/2016/07/amazon-ec2-container-service-now-supports-iam-roles-for-tasks/

Publishing in Azure

I am publishing my web app in Azure. The following Error appears:
Error 12 Web deployment task failed. (Could not complete an operation with the specified provider ("dbDacFx") when connecting using the Web Management Service. This can occur if the server administrator has not authorized the user for this operation. dbDacFx http://go.microsoft.com/fwlink/?LinkId=178034
I have tried to un-install all Web Deploy folders in my Program Files Folder but even with nothing opened, it is telling me it is in use and that I can't delete the folder. I have since installed the newest version of Web Deployment.
Any ideas would be greatly appreciated!
From the error message it can be several things. But I can suggest at first to check if you are creating or altering Database schema behind the application. If so that can be the issue. For instance the user executing the script has no enough rights to perform the desired task.
Please see Azure SQL docs to grant correct sql rights to the user.

Permissions needed to WebDeploy from TFS

I am using TFS to Build and Deploy using MSBuild Arguments. I have the following arguments
/P:AllowUntrustedCertificate=True
/p:DeployOnBuild=True
/p:DeployTarget=MsDeployPublish
/p:CreatePackageOnPublish=True
/p:MSDeployPublishMethod=WMSVC
/p:MSDeployServiceUrl=https://myserver.com
/p:DeployIisAppPath="Site1"
/p:UserName=domain\username
/p:Password=password
This works fine when I use my domain account (which is an Admin on the Destination Server), but I want to use a Service Account that has the barebones permissions to get this to work.
I have already setup IIS Manager Permissions for the site, gave Full Control to the folder that the application sits in, and created setAcl, createApp, and contentPath and iisApp Delegation rules for the user.
I have granted read rights to the inetsrv/config folder, and full control to the applicationHost.config file.
I am able to publish my site using the Visual Studio publish process with that user, but am unable to get the deployment to occur using a TFS Build. When I run the build, I get the following error.
C:\Program Files (x86)\MSBuild\Microsoft\VisualStudio\v11.0\Web\Microsoft.Web.Publishing.targets (4193): Web deployment task failed. (Connected to the remote computer ("myservercom") using the Web Management Service, but could not authorize. Make sure that you are using the correct user name and password, that the site you are connecting to exists, and that the credentials represent a user who has permissions to access the site. Learn more at: http://go.microsoft.com/fwlink/?LinkId=221672#ERROR_USER_UNAUTHORIZED.)
I have looked online and followed all the steps I have seen, but still have the issue. Please let me know if you have any questions.
Thank you in advance
Try changing your MsDeployServiceUrl to:
https://myserver.com:8172/msdeploy.axd
Failing that, take a look at the Microsoft Web Deploy event log (in Applications and Services Logs)

Resources