I have mutifactor authentication setup for web console logins (using google authenticator).
But I can still open VS with the AWS toolkit, it automatically pulls my creds, and I have access to all my AWS services. It also doesn't seem to time out.
I want VS to prompt me for a google authenticator code before it can connect to AWS.
Is this possible?
I'd hate to have MFA for web console logins totally subverted by VS (which may become the tool of choice).
For IAM users, MFA only affects console login. It does not affect the IAM access keys used for that user.
Since Visual Studio uses access keys, it will not prompt you for the MFA device code.
Related
I work in a team that uses Azure Service Fabric and I want to connect to an Azure SQL database using my Azure AD account instead of using a SQL username/password when running locally.
Service Fabric runs locally on a cluster and runs as the NT Authority\Network Service user. I believe that it's possible to change the user that it runs under, but when I tried it seemed to remove the ability to use Visual Studio to debug the app. It also required having the password in the config which is not ideal.
I'm trying to login to Azure AD with the AzureCli and the az login command and can do this easily with my local user azuread\chester.
A comment on github suggests that I should be able to run a powershell prompt as the network service and use az login to login with my account. When I tried this it failed with a generic error:
Does anyone know if it's possible to login to AzureAD with the NT Authority\Network Service user?
I know it's possible to use an Azure App Registration as a principal, but this method still involves a password and i'm trying to avoid passwords.
It is perfectly possible but, since it's a non-interactive account, the optimal choice is to login as an application. This, however, implies high level permissions so careful attention must be paid when consenting them. Also, it's possible to login as a user using the ROPC flow, however this one is not recommended due security and technical limitations.
Regarding az cli take a look at Sign in with a service principal.
I know how to publish a serverless application using aws visual studio toolkit.
It's just you login into aws explorer with user's access key & Secret access key. and then right click on the solution and publish to AWS lambda. It's so simple.
But what about if i have my user has a different assume role that further has access to all the AWS resources and can publish.
So i know how to publish it using assume role via aws CLI by creating a profile let's say "powerdevrole" and whenever we type any command deploy then we use "--profile powerdevrole" in the end with MFA access enabled.
So my question is how to publish the same using aws toolkit if we have an assume role and MFA enabled on that??
Also i have tried to get the cached keys and then used that into aws explorer to publish my project but it's not working for me.
Please help me out.
Thanks,
Vinod Bhatt
We've enabled multi-factor authentication for our Azure subscription and it seems to work fine when logging on to the portal, but when I try to deploy a web service from Visual Studio it just goes ahead and does it without so much as confirming my password.
This is completely unacceptable for us, it must absolutely require prompting for both a password and an SMS code in order to able to deploy. Deploying something incorrectly, accidentally or without sufficient authorization has the potential to severely compromise the integrity of our service.
When you configure Visual Studio on the developer machine to connect to Azure subscription, did you uncheck "Remember Password" for login screen and "Trust this computer"?
Secondly, you can provide the developer only Read permission on the underlying artifact (i.e. Web App or Cloud Service) using the Role-Based Access Control (RBAC). To deploy, they would have to use deployment credentials.
I'm working on deployment of multiple VMs' on Azure platform. I'm having problem authenticating without web interactive Login. I'm going through authentication using service-principal. However as soon as i try to run a 'azure vm list' for instance, I get a message: The server failed to authenticate.
P.S. I could create VM using interactive login. However this way does not work for the automated deployment. I'm the owner, admin of the Trial azure subscription.
I am guessing, you are using ASM instead of ARM. Unfortunately, for Azure CLI, service principal only work for ARM. See this issue in GitHub.
Luckily, there is an alternative for this. you can use azure account download or click https://manage.windowsazure.com/publishsettings to download a publish settings profile. And then, use azure account import <the file name> to login.
Notice that similar to service principal, publish settings profile only work for ASM. Microsoft Azure encourages you to use ARM instead of ASM, hence I suggest you to switch to ARM. Service Principal is Role-Based Access Control. That provides extra security. And, ASM is retiring, which means new service will only available in ARM.
I followed the steps as per
https://github.com/OfficeDev/O365-WebApp-MultiTenant and added the connected service. However this does not register the app under Windows Azure Active Directory Applications. I have properly linked my office 365 account into Azure. However when I add the connected service it is still empty. Is this a known issue and what is the work around?
No, this isn't a known issue. The "Add Connected Service" wizard is not generating a client ID and secret in your web.config?
As a workaround you could login to the Azure Management Portal and register the app manually, then put the client ID and secret into your web.config.
I just had the same issue and spend some hours on it. Finally it turns out that I had used a user account to log in in visual studio that was assigned to a different MS Azure account.
In my case I was using the user of production environment instead of my own developer account to log in.