I’m trying to add an Azure account on my Octopus Infrastructure tab, however, and I save and test I have the following error: Inner Exception: The remote server returned an error: (403) Forbidden.
I already checked the Subscription and Tenant ID. Is there anything I have to do on the Octopus server before try to connect on Azure?
Have you setup an Application Registration (Application ID) under your Azure subscriptions Azure Active Directory?
I use the app registration for both my Azure login to Octopus and Azure Account definition in Octopus.
The app reg needs to have “ID Tokens” checked under Authentication.
You will also need to add a Client Secret under the “Certificates & Secrets” page and add that to the details in Octopus.
So in summary:
- Subscription ID => Your Azure subscription ID
- Auth Method => Use a Service Principal
- Tenant ID => Your Azure subscription tenant ID
- Application ID => An Application Registration defined in your Azure AD (see the Overview page)
- Application Password/Key => The secret you generated on your Application Registration
I hope that helps.
Thank you for your reply Tony,
I double checked all the steps you sent. Everything was done. Is there any other configuration that I have to do on Octopus server?
PS - I dont know if this error has something related to my Azure error. But I am trying to use an API Key that I created for my profile to use the Chain Deployment Step on another problem… And I got the same error: (Octopus web request (GET: http://OCTOPUSSERVER:80/api/) failed & will be retried in 30 seconds:
March 18th 2020 12:21:44Warning
The remote server returned an error: (403) Forbidden.
Do you think is something missing on my Octopus server?
I don’t think it would be your octopus server.
It will be to do with the Azure application registration and the permissions it has.
The octopus server only requires the correct azure connection parameters.
So it is most likely an Azure configuration issue.
Also I assume the api key you are using come from the http://octopusserver server under your account details on that server
If not; then that would make it fail with a 403.
Ok I think I better understand your problem.
Your Azure settings maybe 100% correct.
But do you have permission in Octopus to be adding Azure Accounts?
ie. Are you an Octopus System Admin?
Yes Tony. I am Octopus System Admin. I don’t understand why I am getting access denied
Even for a local project, using a local account API Key I get this error.
This is the error that I get from Octopus when I try to test the Azure account.
I don’t think that URL is vaild with an * in it.
Also is your octopus server on a private network?
Does it have Internet access?
Is it in Azure (on a vm) or on premise?
Normally “Access control configuration” is related to the permissions on a Application Registration.
For example my own app registrations under the “Api permissions” page; have the Microsoft.Graph User.Read permission.
Thanks for getting in touch, and thanks @tony.thompson for your input! The access denied error screenshot you provided looks to be coming from Squid web proxy, so perhaps it’s a configuration issue with Squid? Are you using this Squid proxy successfully for other services? Do you see anything in the Squid logs that point to a possible cause?
I configured the proxy on the Proxy settings tab on Octopus. Still, I am getting this error. Unfortunately I don’t have access to Squid logs. However, I can access the Azure portal on Octopus server if I set the same proxy I set on Octopus.
Do you guys think that the proxy settings on Octopus is not working?