I have setup a Web App on Azure in a resource group and it doesn't have any connection with Azure Active Directory.
I have added Azure Key Vault into the same resource group where the web app is placed. The thing is that I cannot find a way to use Azure Key Vault in my web app. All the documentations I have found, are explaining how to use it with the apps in the Active Directory.
Does Azure Key Vault work with seperate web apps? If so how can I use it in my app. I will be setting up Drupal and secure the keys with Azure Key Vault.
It would be great if someone could show me a path to take on.
Quoting the doc:
Applications that use a key vault must authenticate by using a token from Azure Active Directory. To do this, the owner of the application must first register the application in their Azure Active Directory.
Also, Key Vault is not supported today in the PHP SDK. See Keyvault support #898. You'll need to work with it by using REST API.
Related
So I am fairly new to firebase and new to the more advanced concepts of gcloud and i'm setting up firebase with hosting and analytics and in the gcloud console it generated a Server key and a Browser key however they look like identical keys, both unrestricted, and when i copied the code for the fire base analytics google sent me an email warning me about the api key being public (public github repo) is it safe to publish the unrestricted browser key, if so why? If someone could explain how api keys work within google cloud that would be great.
The Google Cloud Platform has a number of API keys. These are generated for Android, iOS and web (Browser) applications and there is also a Server API key. Anyone with an API key can call the REST APIs on resources on the project it was generated for. This can incur major billing charges!
It is advisable to restrict API keys. Only give them access to the APIs they need to use. Android and iOS keys should be restricted to the applications the project support.
The browser key is the one to be careful with as the key is stored in a JavaScript object and easily obtainable. It should be restricted to the domain the web pages are served from. If email address and password authentication is enabled, an unrestricted API key can be used to create and modify users.
So no, it is not safe to publish an unrestricted browser API key.
The examples given in the python SDK to access a cosmosdb account only use the masterkey; is it possible access tables or SQL collections using from msrestazure.azure_active_directory import MSIAuthentication or something similar (which for example allows for MSI token auth into keyvault) for auth into cosmos?
(obviously python could manually implement REST API for token auth, just wondering if SDK support is there)
No, Azure Cosmos doesn't support AAD based auth yet, so none of the SDKs support this. A common pattern I've seen to avoid having it in a config file/env variable is to use Azure KeyVault to store the master key, then use MSI to access that key in-memory and pass it into the client constructor.
This is supported on Cosmos DB now. You can try it across all SDKs now, You can check the samples for different SDKS.
Azure Cosmos DB exposes a built-in role-based access control (RBAC) system
which lets you to Authenticate your data requests with an Azure Active Directory (Azure AD) identity.
I have an Azure Web App hosting an API (ASP.NET MVC project) that interacts with a CosmosDB database and collections to get subscriptions and other information.
The CosmosDB database is accessed R/W by the Web App middle-ware uses through the nuget package "Microsoft.Azure.DocumentDB" SDK v1.19.1.
I am trying to set up the CosmosDB IP Firewall through the Azure Portal. I allowed the Azure Portal to have access to the db and then I needed to also allow the web app (also hosted on Azure) to have access. To do this, I copied the Virtual IP Address of the Web App from the Properties tab in the Azure Portal.
But this was not enough. I waited more than 10 minutes trying my web app but all the calls to the CosmosDB were rejected with error 404, which as the documentation states it is the proper behavior for SDK Calls (security reasons).
Then I added, all the Outbound IP Addresses stated at the same Properties Tab of the Web App. Waited for more than 20 mins and still 404 error.
What are the correct steps to achieve the requested task?
For example in SQL On Azure, the IP Filtering allowed for an option, to allow access from any Azure App/ VM / Service. How can we achieve the equivalent in CosmosDB?
Thanks in advance
Since Azure App Service is PaaS, and following this article, please try adding the IP 0.0.0.0.
On the Azure Portal, this can also be set by switching on Allow access to Azure Services.
I have backend(e.g. https://api.myapp.com) based on the Azure Mobile services(AMS), now I need
1. add one or two apis that doesn't require to be on AMS e.g. an heartbeat controller to check that service is online or not, that doesn't require Zumo Auth
2. an ASP.net MVC page(e.g. https://www.myapp.com) that explains about the application
Can I use the existing AMS to do this, I tried to add plain asp.net web api, but getting error that end point doesn't exist
Are you truly using Azure Mobile Services and not Azure Mobile Apps? You generally cannot have a custom domain on Azure Mobile Services. Since you mention ZUMO Auth 2, I'm assuming you mean App Service Auth and thus Azure Mobile Apps.
I'd recommend taking a look at Azure Functions for any APIs that do not require ZUMO. However, you can just add a custom API to your service. I cover all the options for you in my book - http://aka.ms/zumobook - chapter 4.
As to a service controller for checking heartbeat. If the intent is to ensure that the service is alive, then just create an unauthenticated custom API that tests the database connectivity (maybe does an SQL command to get the count of rows in your main table) and returns success or failure. You can then use Azure Functions, Azure Scheduler or OMS to do a query of that custom API.
I want to use datastore of google in my web app but do not want to host it in google app engine, I want to host it some other machine. So how i can use datastore in such web app ?
will it be more economical ?
You would need to follow the Accessing the Cloud Datastore API from another platform procedure:
This section shows how to activate and access the Cloud Datastore API
from an external application running on a platform outside of Google
Cloud.
Enable the Cloud Datastore API for the project. You can enable the API for an existing project, or create a new project and then enable
the API.
Enable the Cloud Datastore API
To use the Cloud Datastore API, your Cloud project requires an active App Engine application. Open the App Engine dashboard and
confirm your Cloud project has an active App Engine app.
Open the App Engine dashboard
Create an App Engine app if needed. The app must not be disabled.
Go to the Create service account key page.
Click the drop-down box below Service account, then click New service account.
Enter a name for the service account in Name.
Use the default Service account ID or generate a different one.
Select JSON in Key type.
Click Create.
Upon successful creation, your browser will download the private key. The Cloud Platform Console provides a prompt that displays the
private key file name. Note the file name so you can locate it, then
click Close to dismiss the prompt.
Your Service Account is the Email address displayed under the Service Account section.
Your Private Key is the file you just downloaded.
At this point all services and authorizations are configured for your
project and you can start writing code or exploring the API.
You don't actually need to write code for the GAE app and deploy it, see Is an App Engine instance required for accessing Datastore?
As for being more economical or not (I presume compared to running the app on GAE) - it depends a lot on the app's usage/scale, what the app does and how it does it.
Have a look at Cloud Endpoints
https://cloud.google.com/appengine/docs/java/endpoints/