Azure Management API with service principal: The subscription '[...]' could not be found - azure-management-api

I have created a subscription with Azure Germany, and now I am attempting to deploy my application topology there using the Azure Management API and a service principal.
Deployment works fine towards the "regular" Azure cloud, however when I attempt to deploy towards my subscription in Azure Germany, I get the following error message: The subscription '[...]' could not be found.
I am able to successfully acquire an authentication token using AuthenticationContext.AcquireTokenAsync(), and I am using "https://login.microsoftonline.de/[directoryId]" as authority and "https://management.core.cloudapi.de/" as resource. Additionally, I am using "Germany Northeast" as location/region.
The error occurs as soon as I attempt to perform a typical management task, such as creating a resource group.
I have checked the following things:
App registration settings
App permissions (Windows Azure Active
Directory + Windows Azure Service Management API)
Correctness of
subscription id, app id, and app secret/key
I am at a loss at what could be wrong. What could be causing this error message?

you should point your app to correct subscription first.
Try setting subscription using this link.
Add Microsoft Graph permissions to your Azure AD app.

Related

com.google.cloud.datastore.DatastoreException: Unauthenticated

I have a GKE cluster where my application is running. My application is built using springboot. And I have google Datastore database which is running in a separate GCP Project.
It throws the error "DatastoreException: Unauthenticated" when it tries to connect to datastore database during application start-up.
The connection happens through "Service account" permissions, application service account having necessary(Datastore user) permission to the datastore database. But it still fails.
Below two are the similar scenarios where it works:
1.
With similar set-up in a lower environment, it works.
2.
I have another application running inside same GKE cluster which is using the same service account but connecting to another datastore database with similar role to the service account, it works fine here.

Google App Engine from project A cannot use Firebase Cloud Messaging from project B

We are running 2 separate Google Cloud Projects, Project A and Project B.
Project A is currently running an App Engine (AE) based API.
The API on project A needs to access the Firebase features on project B.
✅ I have setup cross projects access between the two projects using IAM and most functions are working fine.
App Engine on project A is able to access the Firebase real time db (RTDB) and Firebase Auth functions on Project B.
But we are unable to connect to Firebase Cloud Messaging on Project B
As far as I can see tracing through the Firebase admin SDK calls, we are able to obtain access tokens, and they're all valid as we can use some of the services (i.e. RTDB, Auth)
However, when we try using Firebase Cloud messaging we receive the following error: An error occurred when trying to authenticate to the FCM servers. Make sure the credential used to authenticate this SDK has the proper permissions.
Which seems to originate from a 401 unauthorized response to this service https://iid.googleapis.com/iid/v1:batchAdd
It doesn't seem to matter what amount of Roles on Project B I throw at the Project A service account.
If I use a separate Firebase service account that originated from Project B and use that json file as a credential then the issue go away, but I don't want to distribute credential files around, and everything else work fine without, except FCM.
FWIW this is how i initialise the firebase admin sdk
const firebaseAdmin = require('firebase-admin');
firebaseAdmin.initializeApp({
credential: firebaseAdmin.credential.applicationDefault(),
projectId:'project-b',
databaseURL: "https://project-b.firebaseio.com",
});
I've also tried setting the serviceAccountId option to the project B service account email that works when manually loaded, but that doesn't change anything (also added Service Account Token Creator role)
The services account has also been given all the permissions listed here https://firebase.google.com/docs/projects/iam/permissions#messaging
Feels like there's a simple connection missing (either a role, or API setting) but I've ran out of idea.
Has anyone done this before and can provide some guidance?
EDIT [CORRECTED IN EDIT 3] I've also tried to manually create a service account on Project B with the same working roles as the Firebase service account that works and i'm getting the same issue (even though it was created on Project B). So sounds like maybe it's not a role issue, nor a cross-project issue?
EDIT 2 I'm on Node Js with latest firebase admin sdk
EDIT 3 Ignore the first edit, i hadn't configured the custom service account correctly, works fine with a service account created from scratch in Project B. So back to cross-project issue then I guess..
So in the case of Real time database, you only need to give Firebase Realtime Database Admin role to the Project A's App Engine service account on Project B.
In Firebase Cloud Messaging you can give Firebase Cloud Messaging Admin role on Project B AND the cloudmessaging.messages.create permission to the service account on Project A.
This will go around the initial 401 unauthorised response from messaging calls.
However, this will still result in an error, this time NOT FOUND, which indicates that the subscription token was not found.
It seems that calls to FCM don't use the projectId setting in firebase admin initialisation and always execute against the project the service account was created in (Project A in this case).
I haven't been able to find a way for FCM calls to executed in the specified projectId scope from another project.

Azure CosmosDB Firewall for Azure Web Apps

I have an Azure Web App hosting an API (ASP.NET MVC project) that interacts with a CosmosDB database and collections to get subscriptions and other information.
The CosmosDB database is accessed R/W by the Web App middle-ware uses through the nuget package "Microsoft.Azure.DocumentDB" SDK v1.19.1.
I am trying to set up the CosmosDB IP Firewall through the Azure Portal. I allowed the Azure Portal to have access to the db and then I needed to also allow the web app (also hosted on Azure) to have access. To do this, I copied the Virtual IP Address of the Web App from the Properties tab in the Azure Portal.
But this was not enough. I waited more than 10 minutes trying my web app but all the calls to the CosmosDB were rejected with error 404, which as the documentation states it is the proper behavior for SDK Calls (security reasons).
Then I added, all the Outbound IP Addresses stated at the same Properties Tab of the Web App. Waited for more than 20 mins and still 404 error.
What are the correct steps to achieve the requested task?
For example in SQL On Azure, the IP Filtering allowed for an option, to allow access from any Azure App/ VM / Service. How can we achieve the equivalent in CosmosDB?
Thanks in advance
Since Azure App Service is PaaS, and following this article, please try adding the IP 0.0.0.0.
On the Azure Portal, this can also be set by switching on Allow access to Azure Services.

SignalR Azure Cloud Service with Service Bus

I have built a simple Chat application using SignalR followed the tutorial there, which works great.
Then I followed the tutorial of SignalR Scaleout with Azure Service Bus, also from Microsoft.
So I have completed all the following steps:
Created a new Cloud Service on Azure Portal
Created a new Service Bus namespace on Azure Portal
Created a Windows Azure Cloud Service with a SignalR ASP.NET Web Role
Setup the SignalR Web Role running on 2 instances (VM Size: Small)
Deployed the Cloud Service to the Azure Cloud Service.
But I can't get the SignalR Chat application to work. Can't start the hub.
I noticed it tried to use longPolling and shows status Cancelled/Abort in the browser's debugging tool (Chrome) with the following error in the console:
WebSocket connection to 'ws://example.cloudapp.net/signalr/connect?transport=webSockets&clientProtocol=1.5&connectionToken=KOlz9psd6yCqvYjmCbI3ch5mrXcP%2BAAl3JVMFaP24p2Cv%2FyRb94D5uE27SO9Bz%2B5Itba4vADtv3%2Btv2FMF9LJI6Zxr026UJYxDPNQMVpFTw2hiHd&connectionData=%5B%7B%22name%22%3A%22schathub%22%7D%5D&tid=10' failed: Error during WebSocket handshake: Unexpected response code: 400
and this is the log in the Network:
Do I need to do anything extra besides all the steps listed in the tutorial to make this work?
Based on the current Pricing, you need to set the Service bus to at least Standard tier to support Topics.
In this case, I did create my service bus choosing Standard tier, although it shows Standard on it's Overview page under the "Pricing tier" section, I have to specifically go to the settings and scaled it up from Basic to Standard. Which has solved the problem.

Azure SQL: The operation is not supported for your subscription offer type

I have an Azure ASP.NET web application with an Azure SQL Database for authentication. I copied the connection string to my web.config, and it works on my local machine if I debug.
But if I publish it to Azure and open the site from web, when I try to use the DB (for example I try to login), I get the following error:
The operation is not supported for your subscription offer type.
If I try to connect to the DB via Visual Studio Server Explorer, when I try to login to the server I get the same error.
My Azure subscription is a DreamSpark subscription, so it's not a pay-as-you go, but a totally free one (for students). I've searched for this error message and some results were associated with different subscription types (that's why I guess that my problem is in connection with the DreamSpark subscription type) but honestly I couldn't figure out any possible solution.
Thanks for any help!
For Microsoft Azure for DreamSpark subscription, you will initially only be able to
access Azure services that are available with a free tier of service
use.
Your account will start with a zero dollar Spending Limit, which means that you will only be able to consume Azure services within the free tier of the service offer.
You can choose to upgrade to Azure Free Trial, if you have not already created an Azure Free Trial and consume Azure services beyond the free tier.
If you have already created an Azure Free Trial then you have the option to upgrade to a Pay-As-You-Go subscription.
For more details, see:
DreamSpark Azure Offer

Resources