Azure Data Factory Series: Invoke ADF Pipeline from App Service with User-Assigned Managed Identity

Watch the step-by-step implementation as a YouTube video.

Step 1: Create an Azure App Service (Web App)

  1. Go to Azure Portal → Search for “App Services” → Click “Create”.
  2. Choose Subscription and Resource Group (or create a new one).
  3. Set the following values:
    • Name: my-adf-web-app
    • Publish: Code
    • Runtime Stack: .NET 8 (or any preferred language)
    • Operating System: Windows or Linux
    • Region: Choose a region close to your resources.
    • Plan: Choose a basic plan (B1) for testing.
  4. Click Review + Create → Click Create.

Step 2: Enable Managed Identity for Web App

  1. In Azure Portal, go to App Services → Select my-adf-web-app.
  2. Click on Identity under Settings.
  3. Under User Assigned, toggle the switch to On.
  4. Click Save, and copy the Client ID (you’ll need it later).

Step 3: Grant Permissions to Managed Identity on ADF

  1. Go to Azure Data Factory in the Azure Portal.
  2. Click on Access Control (IAM) → Click Add Role Assignment.
  3. Select:
    • Role: Data Factory Contributor (or Data Factory Operator for limited access).
    • Assign Access To: Managed Identity.
    • Select Members: Choose your Web App (my-adf-web-app).
  4. Click Save.

Step 4: Write Code in Azure App Service to Call ADF Pipeline

Use the following C# code inside your Web App to invoke the ADF pipeline using Managed Identity.

C# Code (ASP.NET Core)

using Microsoft.AspNetCore.Mvc;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.DataFactory;
using System.Threading.Tasks;
using System.Collections.Generic;
using System;

[Route("JB/[controller]")]
[ApiController]
public class ADFController : ControllerBase
{
    private readonly ArmClient _armClient;
    private readonly string _subscriptionId = "xxxx-xxxxx-xxxxx-xxxxx";
    private readonly string _resourceGroupName = "jbadf";
    private readonly string _dataFactoryName = "jbadfapp";
    private readonly string _pipelineName = "jb_Copydata";

    public ADFController()
    {
        // Set the Client ID of the User-Assigned Managed Identity (UMI)
        var userAssignedClientId = "xxxx-xxxxx-xxxxx-xxxxx"; // Replace this with actual Client ID

        // Without ManagedIdentityClientId, DefaultAzureCredential would use the system-assigned
        // identity (if any) and ignore the user-assigned identity attached in Step 2.
        var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions
        {
            ManagedIdentityClientId = userAssignedClientId
        });

        _armClient = new ArmClient(credential);
    }

    [HttpGet("CuriousBoy")]
    public async Task<IActionResult> TriggerPipeline()
    {
        try
        {
            // Construct the pipeline resource ID
            var pipelineResourceId = DataFactoryPipelineResource.CreateResourceIdentifier(
                _subscriptionId, _resourceGroupName, _dataFactoryName, _pipelineName);

            // Get the pipeline resource
            var pipelineResource = _armClient.GetDataFactoryPipelineResource(pipelineResourceId);

            // Define pipeline parameters (if required)
            var parameters = new Dictionary<string, BinaryData>
            {
                // Example: If your pipeline requires parameters, add them here.
                // { "param1", BinaryData.FromString("value1") },
                // { "param2", BinaryData.FromString("value2") }
            };

            // Trigger the pipeline run. The parameters must be passed by name: the first positional
            // argument of CreateRunAsync is the reference pipeline run ID, not the parameter dictionary.
            var runResponse = await pipelineResource.CreateRunAsync(parameterValueSpecification: parameters);

            // Return the run ID so the run can be correlated in ADF monitoring
            return Ok($"ADF Pipeline triggered successfully on {DateTime.UtcNow}, run ID {runResponse.Value.RunId}");
        }
        catch (Exception ex)
        {
            // ex.Message is returned as-is here for troubleshooting. In production, log it and return
            // a generic message so resource scopes and identity IDs are not exposed to callers.
            return StatusCode(500, $"Error triggering ADF pipeline: {ex.Message}");
        }
    }
}

Step 5: Deploy the Code to Azure App Service

  1. In Visual Studio, create an ASP.NET Core Web API project.
  2. Copy the above C# code into your Controller or Service.
  3. Deploy your code to Azure App Service using:
    • Right-click on the project → Publish → Azure App Service.

Step 6: Test the Web App

  1. Navigate to https://my-adf-web-app.azurewebsites.net.
  2. Trigger the endpoint that executes the above code.
  3. Your ADF pipeline should now run successfully!

This is the simplest way to invoke an ADF pipeline from Azure App Services using Managed Identity.

Possible Errors Expected:

Error triggering ADF pipeline: DefaultAzureCredential failed to retrieve a token from the included credentials. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/defaultazurecredential/troubleshoot

  • EnvironmentCredential authentication unavailable. Environment variables are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/environmentcredential/troubleshoot
  • WorkloadIdentityCredential authentication unavailable. The workload options are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/workloadidentitycredential/troubleshoot
  • ManagedIdentityCredential authentication unavailable. No response received from the managed identity endpoint.
  • VisualStudioCredential authentication failed: Visual Studio Token provider can't be accessed at D:\DWASFiles\Sites\JBAPP\LocalAppData\.IdentityService\AzureServiceAuth\tokenprovider.json
  • AzureCliCredential authentication failed: Azure CLI not installed
  • AzurePowerShellCredential authentication failed: Az.Accounts module >= 2.2.0 is not installed.
  • AzureDeveloperCliCredential authentication failed: Azure Developer CLI could not be found.

Error triggering ADF pipeline: The client '66a2225c-f1b5-439b-b375-78ae2b744f2f' with object id '66a2225c-f1b5-439b-b375-78ae2b744f2f' does not have authorization to perform action 'Microsoft.DataFactory/factories/pipelines/createRun/action' over scope '/subscriptions/xxxx-xxxx-xxxx/resourceGroups/jbadf/providers/Microsoft.DataFactory/factories/jbadfapp/pipelines/jb_Copydata' or the scope is invalid. If access was recently granted, please refresh your credentials.
Status: 403 (Forbidden)
ErrorCode: AuthorizationFailed

Content:
{"error":{"code":"AuthorizationFailed","message":"The client '66a2225c-f1b5-439b-b375-78ae2b744f2f' with object id '66a2225c-f1b5-439b-b375-78ae2b744f2f' does not have authorization to perform action 'Microsoft.DataFactory/factories/pipelines/createRun/action' over scope '/subscriptions/xxxx-xxxx-xxxx/resourceGroups/jbadf/providers/Microsoft.DataFactory/factories/jbadfapp/pipelines/jb_Copydata' or the scope is invalid. If access was recently granted, please refresh your credentials."}}

Headers:
Cache-Control: no-cache
Pragma: no-cache
x-ms-failure-cause: REDACTED
x-ms-request-id: 896c9766-5ee3-4dbb-b3b6-71800e2ee564
x-ms-correlation-request-id: REDACTED
x-ms-routing-request-id: REDACTED
Strict-Transport-Security: REDACTED
X-Content-Type-Options: REDACTED
X-Cache: REDACTED
X-MSEdge-Ref: REDACTED
Date: Tue, 18 Feb 2025 08:23:20 GMT
Content-Length: 512
Content-Type: application/json; charset=utf-8
Expires: -1

Thank You,
Vivek Janakiraman

Disclaimer:
The views expressed on this blog are mine alone and do not reflect the views of my company or anyone else. All postings on this blog are provided "AS IS" with no warranties and confer no rights.



Azure Data Factory Series: Invoking ADF Pipelines Securely with Managed Identity

Watch the step-by-step implementation as a YouTube video.

Step 1: Create an Azure App Service (Web App)

  1. Go to Azure Portal → Search for “App Services” → Click “Create”.
  2. Choose Subscription and Resource Group (or create a new one).
  3. Set the following values:
    • Name: my-adf-web-app
    • Publish: Code
    • Runtime Stack: .NET 8 (or any preferred language)
    • Operating System: Windows or Linux
    • Region: Choose a region close to your resources.
    • Plan: Choose a basic plan (B1) for testing.
  4. Click Review + Create → Click Create.

Step 2: Enable Managed Identity for Web App

  1. In Azure Portal, go to App Services → Select my-adf-web-app.
  2. Click on Identity under Settings.
  3. Under System Assigned, toggle the switch to On.
  4. Click Save, and copy the Object ID (you’ll need it later).

Step 3: Grant Permissions to Managed Identity on ADF

  1. Go to Azure Data Factory in the Azure Portal.
  2. Click on Access Control (IAM) → Click Add Role Assignment.
  3. Select:
    • Role: Data Factory Contributor (or Data Factory Operator for limited access).
    • Assign Access To: Managed Identity.
    • Select Members: Choose your Web App (my-adf-web-app).
  4. Click Save.

Step 4: Write Code in Azure App Service to Call ADF Pipeline

Use the following C# code inside your Web App to invoke the ADF pipeline using Managed Identity.

C# Code (ASP.NET Core)

using Microsoft.AspNetCore.Mvc;
using Azure.Identity;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Azure.Core;

[Route("api/[controller]")]
[ApiController]
public class ADFController : ControllerBase
{
    // One shared HttpClient for the process: creating one per controller instance exhausts sockets.
    private static readonly HttpClient _httpClient = new HttpClient();
    private readonly string _adfPipelineUrl = "https://management.azure.com/subscriptions/xxxx-xxxx-xxx-xxx/resourceGroups/jbadf/providers/Microsoft.DataFactory/factories/jbadfapp/pipelines/jb_Copydata/createRun?api-version=2018-06-01";

    [HttpGet("trigger")]
    public async Task<IActionResult> TriggerPipeline()
    {
        // On App Service with the system-assigned identity enabled (Step 2), DefaultAzureCredential
        // resolves to ManagedIdentityCredential and requests an Azure Resource Manager token.
        var credential = new DefaultAzureCredential();
        var token = await credential.GetTokenAsync(new TokenRequestContext(new[] { "https://management.azure.com/.default" }));

        // Attach the bearer token to this request only. Adding it to DefaultRequestHeaders breaks the
        // second call, because the Authorization header does not accept multiple values.
        var request = new HttpRequestMessage(HttpMethod.Post, _adfPipelineUrl);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.Token);

        var response = await _httpClient.SendAsync(request);

        if (response.IsSuccessStatusCode)
        {
            return Ok("ADF Pipeline triggered successfully.");
        }
        return StatusCode((int)response.StatusCode, "Failed to trigger pipeline.");
    }
}
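
A hardened version of the controller that covers both the user-assigned setup of the previous post and the system-assigned setup of this one; this is added example code, not code from either post. It assumes a .NET 8 project with implicit usings, ASP.NET Core authentication already configured so that [Authorize] has something to check, and a hypothetical "Adf" configuration section with the property names shown.

```csharp
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.DataFactory;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Options;
// Bound from configuration (App Service application settings), so no IDs are hardcoded.
// Program.cs, with a hypothetical "Adf" section:
//   builder.Services.Configure<AdfOptions>(builder.Configuration.GetSection("Adf"));
//   builder.Services.AddSingleton(sp =>
//       new ArmClient(AdfOptions.BuildCredential(sp.GetRequiredService<IOptions<AdfOptions>>().Value)));
public sealed class AdfOptions
{
    public string SubscriptionId { get; set; } = "";
    public string ResourceGroupName { get; set; } = "";
    public string DataFactoryName { get; set; } = "";
    public string PipelineName { get; set; } = "";
    // Null or empty: system-assigned identity. Set: client ID of the user-assigned identity.
    public string? ManagedIdentityClientId { get; set; }
    // ManagedIdentityCredential talks only to the App Service identity endpoint, so unlike
    // DefaultAzureCredential it never falls through to Visual Studio, Azure CLI or PowerShell credentials.
    public static TokenCredential BuildCredential(AdfOptions o) =>
        string.IsNullOrEmpty(o.ManagedIdentityClientId)
            ? new ManagedIdentityCredential()
            : new ManagedIdentityCredential(o.ManagedIdentityClientId);
}

[Route("api/[controller]")]
[ApiController]
[Authorize]             // triggering a run changes state; do not expose it anonymously
public class PipelineRunsController : ControllerBase
{
    private readonly ArmClient _arm;
    private readonly AdfOptions _opt;
    public PipelineRunsController(ArmClient arm, IOptions<AdfOptions> opt)
    {
        _arm = arm;
        _opt = opt.Value;
    }

    [HttpPost("trigger")]   // POST rather than GET for a state-changing call
    public async Task<IActionResult> Trigger(CancellationToken ct)
    {
        var id = DataFactoryPipelineResource.CreateResourceIdentifier(
            _opt.SubscriptionId, _opt.ResourceGroupName, _opt.DataFactoryName, _opt.PipelineName);
        try
        {
            var run = await _arm.GetDataFactoryPipelineResource(id).CreateRunAsync(cancellationToken: ct);
            return Accepted(new { runId = run.Value.RunId });   // lets the caller correlate the run in ADF monitoring
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // AuthorizationFailed: the identity lacks .../pipelines/createRun/action at this scope (see Step 3).
            return StatusCode(403, new { error = ex.ErrorCode });
        }
    }
}
```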

Step 5: Deploy the Code to Azure App Service

  1. In Visual Studio, create an ASP.NET Core Web API project.
  2. Copy the above C# code into your Controller or Service.
  3. Deploy your code to Azure App Service using:
    • Right-click on the project → Publish → Azure App Service.

Step 6: Test the Web App

  1. Navigate to https://my-adf-web-app.azurewebsites.net.
  2. Trigger the endpoint that executes the above code.
  3. Your ADF pipeline should now run successfully!

This is the simplest way to invoke an ADF pipeline from Azure App Services using Managed Identity.

Possible Errors Expected:

Error triggering ADF pipeline: DefaultAzureCredential failed to retrieve a token from the included credentials. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/defaultazurecredential/troubleshoot

  • EnvironmentCredential authentication unavailable. Environment variables are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/environmentcredential/troubleshoot
  • WorkloadIdentityCredential authentication unavailable. The workload options are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/workloadidentitycredential/troubleshoot
  • ManagedIdentityCredential authentication unavailable. No response received from the managed identity endpoint.
  • VisualStudioCredential authentication failed: Visual Studio Token provider can't be accessed at D:\DWASFiles\Sites\JBAPP\LocalAppData\.IdentityService\AzureServiceAuth\tokenprovider.json
  • AzureCliCredential authentication failed: Azure CLI not installed
  • AzurePowerShellCredential authentication failed: Az.Accounts module >= 2.2.0 is not installed.
  • AzureDeveloperCliCredential authentication failed: Azure Developer CLI could not be found.

Error triggering ADF pipeline: The client '66a2225c-f1b5-439b-b375-78ae2b744f2f' with object id '66a2225c-f1b5-439b-b375-78ae2b744f2f' does not have authorization to perform action 'Microsoft.DataFactory/factories/pipelines/createRun/action' over scope '/subscriptions/xxxx-xxxx-xxxx/resourceGroups/jbadf/providers/Microsoft.DataFactory/factories/jbadfapp/pipelines/jb_Copydata' or the scope is invalid. If access was recently granted, please refresh your credentials.
Status: 403 (Forbidden)
ErrorCode: AuthorizationFailed

Content:
{"error":{"code":"AuthorizationFailed","message":"The client '66a2225c-f1b5-439b-b375-78ae2b744f2f' with object id '66a2225c-f1b5-439b-b375-78ae2b744f2f' does not have authorization to perform action 'Microsoft.DataFactory/factories/pipelines/createRun/action' over scope '/subscriptions/xxxx-xxxx-xxxx/resourceGroups/jbadf/providers/Microsoft.DataFactory/factories/jbadfapp/pipelines/jb_Copydata' or the scope is invalid. If access was recently granted, please refresh your credentials."}}

Headers:
Cache-Control: no-cache
Pragma: no-cache
x-ms-failure-cause: REDACTED
x-ms-request-id: 896c9766-5ee3-4dbb-b3b6-71800e2ee564
x-ms-correlation-request-id: REDACTED
x-ms-routing-request-id: REDACTED
Strict-Transport-Security: REDACTED
X-Content-Type-Options: REDACTED
X-Cache: REDACTED
X-MSEdge-Ref: REDACTED
Date: Tue, 18 Feb 2025 08:23:20 GMT
Content-Length: 512
Content-Type: application/json; charset=utf-8
Expires: -1




Azure Series: Resolving RBAC Errors When Creating Keys in Azure Key Vault

Resolving the RBAC Error When Creating a Key in Azure Key Vault

Azure Key Vault is a powerful service for securely managing keys, secrets, and certificates. However, you might occasionally encounter errors while performing operations, such as creating a key. One common issue is the error message: “The operation is not allowed by RBAC. If role assignments were recently changed, please wait several minutes for role assignments to become effective.”

Error information

CODE
Forbidden

MESSAGE
The operation is not allowed by RBAC. If role assignments were recently changed, please wait several minutes for role assignments to become effective.

RAW ERROR
Caller is not authorized to perform action on resource. If role assignments, deny assignments or role definitions were changed recently, please observe propagation time. Caller: appid=3686488a-04fc-4d8a-b967-61f98ec41efe;oid=59347bed-6be5-4c44-be30-7cf210e473f7;iss=https://sts.windows.net/16b3c013-d300-468d-ac64-7eda0820b6d3/ Action: 'Microsoft.KeyVault/vaults/keys/create/action' Resource: '/subscriptions/ea72f050-0699-4b00-a43c-aba6cd2743df/resourcegroups/jbmysql/providers/microsoft.keyvault/vaults/jbmysqlkeyvault/keys/jbmysqlkey' Assignment: (not found) DenyAssignmentId: null DecisionReason: null Vault: jbmysqlkeyvault;location=eastus

This blog will walk you through understanding this error and provide a step-by-step guide to resolve it.

Understanding the Error

The error message indicates that the operation you’re trying to perform (in this case, creating a key) is not permitted due to Role-Based Access Control (RBAC) settings. This issue typically arises because of one or more of the following reasons:

  • Insufficient Permissions: The user or service principal doesn’t have the required permissions to perform the operation.
  • Recent Role Assignments: Recent changes to role assignments might not have been propagated yet.
  • Incorrect Role or Scope: The assigned role might not have the necessary permissions, or it might be scoped incorrectly.

Scenario Demonstration

To illustrate the issue, let’s attempt to create a key in Azure Key Vault and reproduce the error:

Open Azure CLI or PowerShell.

Run the following command to create a key in your Key Vault:

    az keyvault key create --vault-name <YourKeyVaultName> --name <YourKeyName> --protection software

Observe the Error Message:

The operation is not allowed by RBAC. If role assignments were recently changed, please wait several minutes for role assignments to become effective.

Steps to Resolve the Error

1. Verify Role Assignments

Objective: Ensure that the correct roles are assigned to the user or service principal.

Azure Portal:

  1. Navigate to the Azure Portal.
  2. Go to your Key Vault.
  3. Select Access control (IAM).
  4. Review the role assignments to ensure that the user or service principal has the Key Vault Contributor or Key Vault Administrator role.

Azure CLI:

    az role assignment list --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<key-vault-name> --output table

Azure PowerShell:

    Get-AzRoleAssignment -Scope /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<key-vault-name>

2. Update Role Assignments

Objective: Add or update the necessary role assignments.

Azure Portal:

  1. Go to your Key Vault in the Azure Portal.
  2. Navigate to Access control (IAM).
  3. Click Add role assignment.
  4. Assign the Key Vault Contributor role to the user or service principal.

Azure CLI:

    az role assignment create --role "Key Vault Contributor" --assignee <UserOrServicePrincipal> --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<key-vault-name>

Azure PowerShell:

    New-AzRoleAssignment -RoleDefinitionName "Key Vault Contributor" -ServicePrincipalName <UserOrServicePrincipal> -Scope /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<key-vault-name>

3. Wait for Propagation

Objective: Allow time for role assignment changes to propagate.

  • Wait Time: Changes in role assignments can take a few minutes to become effective. Be patient and wait for a few minutes before retrying the key creation operation.

4. Retry Key Creation

Objective: Attempt to create the key again after ensuring correct role assignments.

  • Azure CLI:

    az keyvault key create --vault-name <YourKeyVaultName> --name <YourKeyName> --protection software
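
Steps 3 and 4 (wait for propagation, then retry) as application code, added here as an example that is not part of the post. It assumes the Azure.Identity and Azure.Security.KeyVault.Keys packages, a .NET 8 project with implicit usings, an app running under a managed identity, and uses the vault name from the post's error output as a placeholder.

```csharp
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Keys;

public static class KeyVaultRbacRetry
{
    // Vault name taken from the post's error output; replace with your own vault URI.
    private const string VaultUri = "https://jbmysqlkeyvault.vault.azure.net/";

    // Creates an RSA key, retrying with exponential backoff only when Key Vault answers 403 with the
    // RBAC propagation message. Any other failure (wrong vault, network, 401) is rethrown at once.
    // Caveat: with the RBAC permission model, Microsoft.KeyVault/vaults/keys/create/action is a data-plane
    // action granted by roles such as Key Vault Crypto Officer or Key Vault Administrator; Key Vault
    // Contributor covers control-plane (vault resource) actions only, so check which role is assigned
    // before assuming the 403 is just a propagation delay.
    public static async Task<KeyVaultKey> CreateKeyWithRetryAsync(
        string keyName, int maxAttempts = 5, CancellationToken ct = default)
    {
        // ManagedIdentityCredential: no fall-through to developer credentials on the server.
        var client = new KeyClient(new Uri(VaultUri), new ManagedIdentityCredential());
        var delay = TimeSpan.FromSeconds(30);

        for (var attempt = 1; ; attempt++)
        {
            try
            {
                return await client.CreateKeyAsync(keyName, KeyType.Rsa, cancellationToken: ct);
            }
            catch (RequestFailedException ex)
                when (ex.Status == 403 && IsRbacPropagationError(ex.Message) && attempt < maxAttempts)
            {
                // Role assignment changes take minutes to propagate: back off and try again.
                await Task.Delay(delay, ct);
                delay *= 2;
            }
        }
    }

    // Matches the message quoted in the post; any other 403 is not a propagation wait.
    public static bool IsRbacPropagationError(string message) =>
        message.Contains("not allowed by RBAC", StringComparison.OrdinalIgnoreCase);
}
```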

Additional Troubleshooting Tips

  • Check Subscription or Resource Group Issues: Ensure there are no broader issues with your subscription or resource group that might affect permissions.
  • Consult Azure Documentation: Refer to Azure's official documentation for more detailed information on RBAC and Key Vault operations.
  • Contact Azure Support: If the issue persists, consider reaching out to Azure Support for further assistance.

Business Use Case

Consider a scenario where your company needs to manage sensitive keys for encryption and decryption operations. You recently migrated your key management to Azure Key Vault and assigned roles to various team members. After a role assignment change, you encounter the RBAC error while trying to create new keys.

By following the steps outlined above, you ensure that all team members have the necessary permissions and can manage keys without interruptions. Properly handling RBAC settings ensures secure and efficient key management, crucial for maintaining the integrity of your company's encryption practices.

Conclusion

Encountering RBAC errors when creating keys in Azure Key Vault can be frustrating, but understanding the root cause and following the resolution steps can help you overcome these issues. By verifying and updating role assignments, waiting for propagation, and retrying the operation, you can ensure smooth key management in Azure Key Vault.

If you have any questions or need further assistance, feel free to leave a comment below or check out additional resources on Azure Key Vault and RBAC.

For more tutorials and tips on SQL Server, including performance tuning and database management, be sure to check out our JBSWiki YouTube channel.