Unable to authenticate to ADLS using python due to AuthorizationPermissionMismatch - python

I am using the Python authentication script below to connect to ADLS using service principal details, but it keeps throwing the exception: azure.core.exceptions.HttpResponseError: (AuthorizationPermissionMismatch) This request is not authorized to perform this operation using this permission.
The role assigned to me is "Storage blob data owner" and I am not sure what is missing.
Python Code:
from azure.storage.filedatalake import DataLakeServiceClient
from azure.identity import ClientSecretCredential
TENANT_ID = 'XXXXXXXXXX'
CLIENT_ID = 'XXXXXXXXXX'
CLIENT_SECRET = 'XXXXXXXXXX'
STORAGE_ACCOUNT_NAME = 'XXXXXXXXXX'
credential = ClientSecretCredential(TENANT_ID, CLIENT_ID, CLIENT_SECRET)
service_client = DataLakeServiceClient(account_url="{}://{}.dfs.core.windows.net".format(
"https", STORAGE_ACCOUNT_NAME), credential=credential)
print(service_client.primary_endpoint) # Can see the primary endpoint.
file_system_client = service_client.get_file_system_client("my-container")
file_system_client.create_directory("test-dir") #Throwing the (AuthorizationPermissionMismatch) error.
print("test directory created.")
Complete Trace:
Traceback (most recent call last):
File "/home//lib/python3.5/site-packages/azure/storage/filedatalake/_path_client.py", line 200, in _create
return self._client.path.create(**options)
File "/home/lib/python3.5/site-packages/azure/storage/filedatalake/_generated/operations/_path_operations.py", line 248, in create
raise HttpResponseError(response=response, model=error)
azure.core.exceptions.HttpResponseError: (AuthorizationPermissionMismatch) This request is not authorized to perform this operation using this permission.
RequestId:80605399-e01f-0038-2cd2-0a4210000000
Time:2021-02-24T17:25:49.0969802Z
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "adls_client.py", line 30, in <module>
file_system_client.create_directory("test-dir")
File "/home/lib/python3.5/site-packages/azure/storage/filedatalake/_file_system_client.py", line 540, in create_directory
directory_client.create_directory(metadata=metadata, **kwargs)
File "/home/lib/python3.5/site-packages/azure/storage/filedatalake/_data_lake_directory_client.py", line 160, in create_directory
return self._create('directory', metadata=metadata, **kwargs)
File "/home/lib/python3.5/site-packages/azure/storage/filedatalake/_path_client.py", line 202, in _create
process_storage_error(error)
File "/home/lib/python3.5/site-packages/azure/storage/filedatalake/_deserialize.py", line 150, in process_storage_error
raise error
azure.core.exceptions.HttpResponseError: (AuthorizationPermissionMismatch) This request is not authorized to perform this operation using this permission.

I can reproduce your error:
I am pretty sure there is no problem with your code, and Storage blob data owner is the right RBAC role for your AD app. I think the problem may be that the RBAC role does not take effect immediately; you need to wait a while, and then it should work.
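
A bounded retry for the propagation delay described in the answer above, as an added example that is not part of the original post: it retries only on the AuthorizationPermissionMismatch code from the traceback and re-raises every other error at once. The helper names, the delay values and the reliance on an `error_code` attribute on the exception are assumptions.

```python
import time

# Error code copied from the traceback in the question.
PROPAGATION_CODE = "AuthorizationPermissionMismatch"


def is_propagation_error(exc):
    """True if exc carries the storage error code shown in the question."""
    # Assumption: the SDK exception exposes `error_code`. The fallback matches
    # the "(Code) message" text format visible in the traceback.
    code = getattr(exc, "error_code", None)
    return code == PROPAGATION_CODE or "(%s)" % PROPAGATION_CODE in str(exc)


def call_when_authorized(operation, timeout_s=600, first_delay_s=5,
                         max_delay_s=60, sleep=time.sleep,
                         clock=time.monotonic):
    """Run operation() and return (result, attempts).

    Retries with exponential backoff only while the error is the
    permission-mismatch code, and gives up once the next wait would pass
    timeout_s, so a role assignment that is really missing still surfaces
    as an error instead of looping forever.
    """
    deadline = clock() + timeout_s
    delay = first_delay_s
    attempts = 0
    while True:
        attempts += 1
        try:
            return operation(), attempts
        except Exception as exc:
            if not is_propagation_error(exc) or clock() + delay > deadline:
                raise
            sleep(delay)
            delay = min(delay * 2, max_delay_s)


if __name__ == "__main__":
    class ConstructedError(Exception):
        """Constructed stand-in for the SDK's HttpResponseError."""
        error_code = PROPAGATION_CODE

    state = {"calls": 0}

    def create_directory():
        # Fails twice, then succeeds, as if the role had just propagated.
        state["calls"] += 1
        if state["calls"] < 3:
            raise ConstructedError("(%s) not authorized yet" % PROPAGATION_CODE)
        return "test-dir created"

    print(call_when_authorized(create_directory, first_delay_s=0.1))
```

With the script from the question, the wrapped call would be `lambda: file_system_client.create_directory("test-dir")`.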

Related

Authentication error using Firebase Admin SDK with Python

I'm trying to interface Firebase with the official Admin SDK for Python (https://firebase.google.com/docs/database/admin/start).
However, I'm doing something wrong, as I'm not authorized somehow
This is my code:
import firebase_admin
from firebase_admin import credentials
from firebase_admin import db
# Fetch the service account key JSON file contents
cred = credentials.Certificate('./ServiceAccountKey.json')
# Initialize the app with a None auth variable, limiting the server's access
firebase_admin.initialize_app(cred, {
    'databaseURL': 'https://*[database name]*.firebaseio.com',
    'databaseAuthVariableOverride': None
})
# The app only has access to public data as defined in the Security Rules
ref = db.reference('/public_resource')
print(ref.get())
This is the error I get:
python3 firebase_test.py
Traceback (most recent call last):
File "/usr/local/lib/python3.6/site-packages/firebase_admin/db.py", line 943, in request
return super(_Client, self).request(method, url, **kwargs)
File "/usr/local/lib/python3.6/site-packages/firebase_admin/_http_client.py", line 117, in request
resp.raise_for_status()
File "/usr/local/lib/python3.6/site-packages/requests/models.py", line 941, in raise_for_status
raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://*[database name]*.firebaseio.com/public_resource.json?auth_variable_override=null
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "firebase_test.py", line 16, in <module>
print(ref.get())
File "/usr/local/lib/python3.6/site-packages/firebase_admin/db.py", line 222, in get
return self._client.body('get', self._add_suffix(), params=params)
File "/usr/local/lib/python3.6/site-packages/firebase_admin/_http_client.py", line 129, in body
resp = self.request(method, url, **kwargs)
File "/usr/local/lib/python3.6/site-packages/firebase_admin/db.py", line 945, in request
raise _Client.handle_rtdb_error(error)
firebase_admin.exceptions.UnauthenticatedError: Unauthorized request.
I'm using a Raspberry Pi 4 B with installed Python 3.6.
Can somebody point me in the right direction as to why this happens and how to fix it?
Found it out!
Under database, go to rules and change it to:
{
/* Visit https://firebase.google.com/docs/database/security to learn more about security rules. */
"rules": {
".read": true,
".write": true
}
}
It was automatically set to false after I had waited too long since my last access.
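
The rules in the answer above grant read and write at the root, and in Realtime Database rules a grant at a parent path applies to every child path. The following added example (not part of the original post) lists which paths a rules file opens to everyone and compares the posted rules with a constructed alternative that exposes only /public_resource, the path the question reads; the function names and the scoped ruleset are assumptions.

```python
import json
import re

# Rules as posted in the answer above.
POSTED_RULES = """
{
  /* Visit https://firebase.google.com/docs/database/security to learn more about security rules. */
  "rules": {
    ".read": true,
    ".write": true
  }
}
"""

# Constructed alternative: only the path read in the question is public,
# and nothing is writable by unauthenticated clients.
SCOPED_RULES = """
{
  "rules": {
    ".read": false,
    ".write": false,
    "public_resource": { ".read": true }
  }
}
"""


def load_rules(text):
    """Parse a rules file; only /* ... */ comments are stripped."""
    return json.loads(re.sub(r"/\*.*?\*/", "", text, flags=re.S))["rules"]


def _always_true(value):
    # A rule is unconditional when it is the literal true (boolean or string).
    return value is True or value == "true"


def world_open(node, path="/", inherited=frozenset()):
    """Return {path: {"read", "write"}} for each subtree open to anyone.

    Grants cascade downward, so a path already covered by a parent's grant
    is not reported a second time.
    """
    granted = {op for op in ("read", "write") if _always_true(node.get("." + op))}
    new = granted - inherited
    findings = {path: new} if new else {}
    for key, child in node.items():
        if not key.startswith(".") and isinstance(child, dict):
            child_path = path.rstrip("/") + "/" + key
            findings.update(world_open(child, child_path, inherited | granted))
    return findings


if __name__ == "__main__":
    for name, text in (("posted", POSTED_RULES), ("scoped", SCOPED_RULES)):
        print(name, world_open(load_rules(text)))
```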

How to get Azure DevOps client using python script

I am trying to get client of Azure DevOps by using python script.
Here is the code that I am using for this purpose:
from azure.devops.connection import Connection
git_client = p_context.connection.clients.get_git_client()
p_context is the access token of my Azure DevOps organization.
Following is the error that I am facing:
Traceback (most recent call last):
File "/home/vsts/work/1/s/IdentifyGitBuildCommitItems.py", line 95, in <module>
t = get_commit_changes_for_build(context ,azdevops_projectid ,azdevops_build_id ,azdevops_build_number ,bld_commit.id ,azdevops_repository_name)
File "/home/vsts/work/1/s/IdentifyGitBuildCommitItems.py", line 51, in get_commit_changes_for_build
comt = git_client.get_changes(p_commit_id ,repository_id=p_repository_name ,project=p_project_id)
File "/opt/hostedtoolcache/Python/3.6.10/x64/lib/python3.6/site-packages/azure/devops/released/git/git_client_base.py", line 250, in get_changes
query_parameters=query_parameters)
File "/opt/hostedtoolcache/Python/3.6.10/x64/lib/python3.6/site-packages/azure/devops/client.py", line 104, in _send
response = self._send_request(request=request, headers=headers, content=content, media_type=media_type)
File "/opt/hostedtoolcache/Python/3.6.10/x64/lib/python3.6/site-packages/azure/devops/client.py", line 68, in _send_request
self._handle_error(request, response)
File "/opt/hostedtoolcache/Python/3.6.10/x64/lib/python3.6/site-packages/azure/devops/client.py", line 295, in _handle_error
status_code=response.status_code))
azure.devops.exceptions.AzureDevOpsClientRequestError: Page not found. Operation returned a 404 status code.
##[error]/opt/hostedtoolcache/Python/3.6.10/x64/bin/python failed with return code: 1
This is the full GitHub example that I am following for my use case: https://github.com/venkatra/dbt_hacks/blob/PERSISTENT_TABLE_MATERIALIZATION/IdentifyGitBuildCommitItems.py
You could check the Azure DevOps Python API and try the following code:
from azure.devops.connection import Connection
from msrest.authentication import BasicAuthentication
import pprint
# Fill in with your personal access token and org URL
personal_access_token = 'YOURPAT'
organization_url = 'https://dev.azure.com/YOURORG'
# Create a connection to the org
credentials = BasicAuthentication('', personal_access_token)
connection = Connection(base_url=organization_url, creds=credentials)
# Get a client
git_client = connection.clients.get_git_client()
I have figured out the issue and resolved the error.
The error occurred because my source code was in my personal GitHub account, not in the Azure Git repository. When I moved the source code from my personal Git to the Azure Git repository, the error was resolved.

Authentication to kubernetes api via Azure Active Directory (AKS)

I would like to use python kubernetes-client to connect to my AKS cluster api.
To do that I try to use the example given by kubernetes:
from kubernetes import client, config

# Load credentials and cluster details from the local kubeconfig
config.load_kube_config()
v1 = client.CoreV1Api()
print("Listing pods with their IPs:")
ret = v1.list_pod_for_all_namespaces(watch=False)
for i in ret.items:
    print("%s\t%s\t%s" % (i.status.pod_ip, i.metadata.namespace, i.metadata.name))
It is supposed to load my local kubeconfig and get a pods list but I get the following error:
Traceback (most recent call last): File "test.py", line 4, in
config.load_kube_config() File "/Users//works/test-kube-api-python/env/lib/python2.7/site-packages/kubernetes/config/kube_config.py",
line 661, in load_kube_config
loader.load_and_set(config) File "/Users//works/test-kube-api-python/env/lib/python2.7/site-packages/kubernetes/config/kube_config.py",
line 469, in load_and_set
self._load_authentication() File "/Users//works/test-kube-api-python/env/lib/python2.7/site-packages/kubernetes/config/kube_config.py",
line 203, in _load_authentication
if self._load_auth_provider_token(): File "/Users//works/test-kube-api-python/env/lib/python2.7/site-packages/kubernetes/config/kube_config.py",
line 221, in _load_auth_provider_token
return self._load_azure_token(provider) File "/Users//works/test-kube-api-python/env/lib/python2.7/site-packages/kubernetes/config/kube_config.py",
line 233, in _load_azure_token
self._refresh_azure_token(provider['config']) File "/Users//works/test-kube-api-python/env/lib/python2.7/site-packages/kubernetes/config/kube_config.py",
line 253, in _refresh_azure_token
refresh_token, client_id, '00000002-0000-0000-c000-000000000000') File
"/Users//works/test-kube-api-python/env/lib/python2.7/site-packages/adal/authentication_context.py",
line 236, in acquire_token_with_refresh_token
return self._acquire_token(token_func) File "/Users//works/test-kube-api-python/env/lib/python2.7/site-packages/adal/authentication_context.py",
line 128, in _acquire_token
return token_func(self) File "/Users//works/test-kube-api-python/env/lib/python2.7/site-packages/adal/authentication_context.py",
line 234, in token_func
return token_request.get_token_with_refresh_token(refresh_token, client_secret) File
"/Users//works/test-kube-api-python/env/lib/python2.7/site-packages/adal/token_request.py",
line 343, in get_token_with_refresh_token
return self._get_token_with_refresh_token(refresh_token, None, client_secret) File
"/Users//works/test-kube-api-python/env/lib/python2.7/site-packages/adal/token_request.py",
line 340, in _get_token_with_refresh_token
return self._oauth_get_token(oauth_parameters) File "/Users//works/test-kube-api-python/env/lib/python2.7/site-packages/adal/token_request.py",
line 112, in _oauth_get_token
return client.get_token(oauth_parameters) File "/Users//works/test-kube-api-python/env/lib/python2.7/site-packages/adal/oauth2_client.py",
line 291, in get_token
raise AdalError(return_error_string, error_response) adal.adal_error.AdalError: Get Token request returned http error: 400
and server response:
{"error":"invalid_grant","error_description":"AADSTS65001: The user or
administrator has not consented to use the application with ID
'' named 'Kubernetes AD Client
'. Send an interactive authorization request for this user and
resource.\r\nTrace ID:
\r\nCorrelation ID:
\r\nTimestamp: 2019-10-14
12:32:35Z","error_codes":[65001],"timestamp":"2019-10-14
12:32:35Z","trace_id":"","correlation_id":"","suberror":"consent_required"}
I really don't understand why it doesn't work.
When I use kubectl, everything works fine.
I read some docs but I'm not sure I understand the adal error.
Thanks for your help
Login as a tenant admin to https://portal.azure.com
Open the registration for your app in the
Go to Settings then Required Permissions
Press the Grant Permissions button
If you are not a tenant admin, you cannot give admin consent
From https://github.com/Azure-Samples/active-directory-angularjs-singlepageapp-dotnet-webapi/issues/19
This is a good post where you can find a snippet to authenticate to AKS:
from azure.identity import AzureCliCredential
from azure.mgmt.resource import ResourceManagementClient
from azure.mgmt.containerservice import ContainerServiceClient
from azure.mgmt.containerservice.models import (ManagedClusterAgentPoolProfile,
ManagedCluster)
credential = AzureCliCredential()
subscription_id = "XXXXX"
resource_group= 'MY-RG'
resouce_client=ResourceManagementClient(credential,subscription_id)
container_client=ContainerServiceClient(credential,subscription_id)
resouce_list=resouce_client.resources.list_by_resource_group(resource_group)
Note: You need to install the respective Az Python SDK libraries.

Speech-to-text: google.api_core.exceptions.PermissionDenied: 403

I am trying to use Google speech-to-text service, according to https://googleapis.github.io/google-cloud-python/latest/speech/index.html
I have created project, uploaded audio to gs: cloud, added permissions, downloaded json file named My First Project-7bb85a480131.json. https://console.cloud.google.com/storage/browser/mybucket?project=my-project
that is my file:
import os
os.environ["GOOGLE_APPLICATION_CREDENTIALS"]="/home/joo/Документы/LocalRepository/robotze/My First Project-7bb85a480131.json"
from google.cloud import speech
client = speech.SpeechClient()
audio = speech.types.RecognitionAudio(
    uri='gs://zaudio/audio.mp3')
config = speech.types.RecognitionConfig(
    encoding=speech.enums.RecognitionConfig.AudioEncoding.LINEAR16,
    language_code='ru-RU',
    sample_rate_hertz=44100)
operation = client.long_running_recognize(config=config, audio=audio)
op_result = operation.result()
for result in op_result.results:
    for alternative in result.alternatives:
        print('=' * 20)
        print(alternative.transcript)
        print(alternative.confidence)
Issue: I got
google.api_core.exceptions.PermissionDenied: 403 my-service-account#my-project.iam.gserviceaccount.com does not have storage.objects.get access to mybucket/audio.mp3.
Full traceback
/home/joo/anaconda3/bin/python /home/joo/Документы/LocalRepository/robotze/speech-to-text-googlecloud.py
Traceback (most recent call last):
File "/home/joo/anaconda3/lib/python3.6/site-packages/google/api_core/grpc_helpers.py", line 57, in error_remapped_callable
return callable_(*args, **kwargs)
File "/home/joo/anaconda3/lib/python3.6/site-packages/grpc/_channel.py", line 565, in __call__
return _end_unary_response_blocking(state, call, False, None)
File "/home/joo/anaconda3/lib/python3.6/site-packages/grpc/_channel.py", line 467, in _end_unary_response_blocking
raise _Rendezvous(state, None, None, deadline)
grpc._channel._Rendezvous: <_Rendezvous of RPC that terminated with:
status = StatusCode.PERMISSION_DENIED
details = "my-service-account#my-project.iam.gserviceaccount.com does not have storage.objects.get access to mybucket/audio.mp3."
debug_error_string = "{"created":"#1565253582.126380437","description":"Error received from peer ipv4:74.125.131.95:443","file":"src/core/lib/surface/call.cc","file_line":1052,"grpc_message":"my-service-account#my-project.iam.gserviceaccount.com does not have storage.objects.get access to mybucket/audio.mp3.","grpc_status":7}"
>
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "/home/joo/Документы/LocalRepository/robotze/speech-to-text-googlecloud.py", line 46, in <module>
operation = client.long_running_recognize(config=config, audio=audio)
File "/home/joo/anaconda3/lib/python3.6/site-packages/google/cloud/speech_v1/gapic/speech_client.py", line 341, in long_running_recognize
request, retry=retry, timeout=timeout, metadata=metadata
File "/home/joo/anaconda3/lib/python3.6/site-packages/google/api_core/gapic_v1/method.py", line 143, in __call__
return wrapped_func(*args, **kwargs)
File "/home/joo/anaconda3/lib/python3.6/site-packages/google/api_core/retry.py", line 273, in retry_wrapped_func
on_error=on_error,
File "/home/joo/anaconda3/lib/python3.6/site-packages/google/api_core/retry.py", line 182, in retry_target
return target()
File "/home/joo/anaconda3/lib/python3.6/site-packages/google/api_core/timeout.py", line 214, in func_with_timeout
return func(*args, **kwargs)
File "/home/joo/anaconda3/lib/python3.6/site-packages/google/api_core/grpc_helpers.py", line 59, in error_remapped_callable
six.raise_from(exceptions.from_grpc_error(exc), exc)
File "<string>", line 3, in raise_from
google.api_core.exceptions.PermissionDenied: 403 my-service-account#my-project.iam.gserviceaccount.com does not have storage.objects.get access to mybucket/audio.mp3.
Process finished with exit code 1
What I tried: gcloud auth application-default login - login in browser works, but still 403 error
From what I can see in your logs, you are able to authenticate your service account inside your code (you are currently authenticating with: starting-account-*******-239919.iam.gserviceaccount.com); however, that service account doesn't have the "storage.objects.get" permission over the object "zaudio/audio.mp3".
So you can either:
A.- Give the proper permissions to that service account (maybe the role "storage.objectViewer" inside that bucket would be enough, but you could also set it with the role "storage.admin" so it can have more control over that bucket and others).
B.- Authenticate using another service account that has the proper permissions.
I resolved the following issue:
“google.api_core.exceptions.PermissionDenied: 403 my-service-account#my-project.iam.gserviceaccount.com does not have storage.objects.get access to mybucket/audio.mp3.”
To resolve this issue: go to your bucket, click that three dots, choose “Edit permissions”, Entity set “User”, Name set your email (in this case, my-service-account#my-project.iam.gserviceaccount.com), Access: “Reader”. Save and try again. This should resolve this issue. Regardless whether you have created the bucket, whatnot, you have to do this step to explicitly set permission. Hopefully this is useful.

Spotipy: simple code from readthedocs got exception

When I run this simple code from Spotify's Docs:
import spotipy
birdy_uri = 'spotify:artist:2WX2uTcsvV5OnS0inACecP'
spotify = spotipy.Spotify()
results = spotify.artist_albums(birdy_uri, album_type='album')
albums = results['items']
while results['next']:
    results = spotify.next(results)
    albums.extend(results['items'])
for album in albums:
    print(album['name'])
I got this exception:
Traceback (most recent call last):
File "/Users/haodong/Documents/Projects/python-workspace/env3/lib/python3.4/site-packages/spotipy/client.py", line 119, in _internal_call
r.raise_for_status()
File "/Users/haodong/Documents/Projects/python-workspace/env3/lib/python3.4/site-packages/requests/models.py", line 844, in raise_for_status
raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://api.spotify.com/v1/search?q=artist%3ARadiohead&offset=0&type=artist&limit=10
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "test.py", line 19, in <module>
results = spotify.search(q='artist:' + name, type='artist')
File "/Users/haodong/Documents/Projects/python-workspace/env3/lib/python3.4/site-packages/spotipy/client.py", line 339, in search
return self._get('search', q=q, limit=limit, offset=offset, type=type, market=market)
File "/Users/haodong/Documents/Projects/python-workspace/env3/lib/python3.4/site-packages/spotipy/client.py", line 146, in _get
return self._internal_call('GET', url, payload, kwargs)
File "/Users/haodong/Documents/Projects/python-workspace/env3/lib/python3.4/site-packages/spotipy/client.py", line 124, in _internal_call
headers=r.headers)
spotipy.client.SpotifyException: http status: 401, code:-1 - https://api.spotify.com/v1/search?q=artist%3ARadiohead&offset=0&type=artist&limit=10:
No token provided
You need to use your Spotify app credentials (Client ID and Client Secret) from www.developer.spotify.com, assign it to a variable and use that as your object.
import spotipy
from spotipy.oauth2 import SpotifyClientCredentials
cid ="Your-client-ID"
secret = "Your-client-secret"
client_credentials_manager = SpotifyClientCredentials(client_id=cid, client_secret=secret)
sp = spotipy.Spotify(client_credentials_manager=client_credentials_manager)
#Then run your query
results = sp.artist_albums(birdy_uri, album_type='album')
#### ETC ######
More info here: Client Credential Flow
It seems that Spotify Web API has been updated recently and requires authorization for all kinds of requests.
Using authorized requests would solve this problem.
