Deploy a 1Password Connect server on Azure

I am trying to deploy a Connect server on Azure and keep getting the log message:

{"log_message":"(E) Server: (unable to get credentials and initialize API, retrying in 30s), Wrapped: (failed to FindCredentialsUniqueKey), Wrapped: (failed to loadCredentialsFile), Wrapped: (LoadLocalAuthV2 failed to credentialsDataFromDisk), open /home/opuser/.op/1password-credentials.json: no such file or directory","timestamp":"2021-12-03T16:43:37.100099966Z","level":1}

I have tried using file storage (blob and file), which only works at a directory level, and then I get a "this is a directory not a file" error.

I have tried various full paths on the server and nothing seems to work. The error seems to be in correctly pointing to the credentials file in the docker-compose.yaml.

Please help.



Comments

  • Hey @bretthenning -

    Sorry to hear this is causing trouble for you. Could you elaborate on what you're using for the file storage? Are you talking about mounting Azure Storage as the volume that contains your 1password-credentials.json file?

    If you don't feel comfortable disclosing this in the forum, you can also reach out to our support team (support@1password.com) and we'll discuss it there.

  • bretthenning
    Community Member

    Hi @David_ag ,

    Here is my docker compose:

    version: "3.4"

    services:
      op-connect-api:
        image: 1password/connect-api:latest
        ports:
          - "8080:8080"
        volumes:
          - "D:/home/site/wwwroot/1password-credentials.json:/home/opuser/.op/1password-credentials.json"
          - "data:/home/opuser/.op/data"
      op-connect-sync:
        image: 1password/connect-sync:latest
        ports:
          - "8081:8080"
        volumes:
          - "D:/home/site/wwwroot/1password-credentials.json:/home/opuser/.op/1password-credentials.json"
          - "data:/home/opuser/.op/data"

    volumes:
      data:

    I can get a heartbeat but when I try running anything with the bearer token I get the following message:
    {
      "status": 500,
      "message": "failed to initiate, review service logs for details"
    }

    The log states:
    {"log_message":"(E) Server: (unable to get credentials and initialize API, retrying in 30s), Wrapped: (failed to FindCredentialsUniqueKey), Wrapped: (failed to loadCredentialsFile), Wrapped: (LoadLocalAuthV2 failed to credentialsDataFromDisk), open /home/opuser/.op/1password-credentials.json: no such file or directory","timestamp":"2021-12-04T22:08:26.983980954Z","level":1}

    I see that the file is not being found. I have tried several variations but, as of yet, have had no success. I have also tried using a storage mount on Azure, but this is at a directory level and the returned error states: found directory not file.

    Any advice would be most appreciated.

  • Hi @bretthenning,

    Thank you for the extra info. The docker-compose.yml looks good at first glance.

    Maybe some extra info could help find out what the issue is.

    Running this can tell us whether the file is correctly mounted:

    docker run -v "D:/home/site/wwwroot/1password-credentials.json:/home/opuser/.op/1password-credentials.json" --entrypoint "" 1password/connect-api ls -al /home/opuser/.op/
    

    Could you share the output of that command?

    Also, could you tell me which Azure service you are using to run this on? If it's an Azure VM: which OS are you using? This could help me try to reproduce this issue locally.

  • bretthenning
    Community Member

    I am running a Web App for Containers.

    System info
    System up time: 2.19:44:13.6900000
    OS version: Unix 5.4.0.1056
    64 bit system: True
    64 bit process: True
    Processor count: 1
    CLR version: 3.1.20

    Unfortunately, I am not sure where to run the command. SSH will not work for me. If you have any insights I would be grateful. Much access is denied behind the Azure services.

    The documentation states that you can use storage containers as a way to mount persistent data into docker instances but this is only allowed at a directory level. I don't seem to be able to make it work.

  • bretthenning
    Community Member

    Hi,

    I wasn't able to get this working on Azure Web App for Containers and instead used a Linux VM.

    If this is useful to anyone else.

    I used the docker compose and then created a PHP API that sends curl requests to the localhost:8080 and returns the required data that way.

  • I just did some experimenting with deploying to Azure Web App for Containers. And there are indeed a few caveats.

    These are the steps I followed:
    1. Create a Web App for the following docker-compose.yml (you can change the compose file for an existing app in Deployment Center):

    version: '3.4'
    services:
      op-connect-api:
        image: '1password/connect-api:latest'
        ports:
          - '8080:8080'
        volumes:
          - ${WEBAPP_STORAGE_HOME}/op/1password-credentials.json:/home/opuser/.op/1password-credentials.json
          - 'data:/home/opuser/.op/data'
      op-connect-sync:
        image: '1password/connect-sync:latest'
        ports:
          - '8081:8080'
        volumes:
          - ${WEBAPP_STORAGE_HOME}/op/1password-credentials.json:/home/opuser/.op/1password-credentials.json
          - 'data:/home/opuser/.op/data'
    volumes:
      data:
    
    2. Go to the details of the App Service. This should look something like this:
    3. In Configuration, change WEBSITES_ENABLE_APP_SERVICE_STORAGE to true (or create it if it does not yet exist).
    4. Upload the 1password-credentials.json to the op/ directory by using the credentials displayed in Deployment Center -> FTP Credentials.
    5. Go to Overview and click Restart.
    6. Make a request to the app with a valid token (looking at the original post, it seems like you already got that right).

    For me, this resulted in a working Connect instance. Let me know if it also works for you. Some steps were somewhat concise; don't hesitate to ask for more details if that helps.

  • bretthenning
    Community Member

    This worked perfectly! Thank you so much :)

  • ag_ana
    1Password Alumni

    On behalf of Joris, you are welcome @bretthenning! If you have any other questions, please feel free to reach out anytime.

    Have a wonderful day :)

  • loryans
    Community Member

    I've just come across this thread, and I'm unfortunately not a dev but I do have a decent head screwed on. :-)
    @Joris_1P - can you please clarify, did you deploy a "Web App", or "Web App for Containers"? I couldn't tell from your post if your experimenting resulted in you using one or the other.
    Also, the "op" folder - did you create that in the root of the storage of the app?
    I deployed using just the "Web App", and according to the logs it's ready to serve, but I can't seem to connect to it.
    I used the docker compose from your example above.

    Thanks

  • Hey @loryans! I have to be honest that I do not specifically remember what steps I followed back then. However, since you're saying that the logs say that Connect is ready, I think you followed the steps just right, but it might be that some steps were missing at the end (the original question asker already had some things set up, so I skipped those steps).

    Could you let me know what command you are running to connect to it and what the error is that you're getting? That might point us in the direction of what is going wrong.

  • loryans
    Community Member
    edited June 2022

    Thanks @Joris_1P! The command I'm issuing is: https://.azurewebsites.net:8080/v1/vaults
    I'm calling it from Power Automate; this is what the flow looks like (apologies for the lame obfuscation attempt, using the tools I had in the moment).

  • The command I'm issuing is: https://.azurewebsites.net:8080/v1/vaults

    Looking at the screenshot, I am assuming that has your custom domain after https:// and before .azurewebsites?

    1. Does Power Automate return any error? If so, what does it return?
    2. Could you try the URL without :8080?
    3. What happens if you visit the /health route in your web browser? E.g. https://my-connect.azurewebsites.net/health

    PS. I've edited your screenshot to mask it a bit better. Because Connect tokens are JSON, even sharing them partially could be problematic. I recommend revoking the current token.

  • loryans
    Community Member

    Correct - that was my custom domain in the URL. And thank you for doing a better job of obfuscating my screenshot. :-)

    I removed the 8080, and at least this time got an invalid bearer token error - so that means I was at least able to speak to the web app, so that's progress!

  • loryans
    Community Member

    My own stuff-up with the access token there. Got it working, thank you!!!

  • You are welcome! Good to hear it's working now. Let me know if you run into anything else.

    Joris

  • loryans
    Community Member

    So, fun times discovering that using the Connect Server approach is quite manual in terms of giving access to vaults, creating a new access token each time, etc.
    Any chance you've tried putting the CLI into an Azure Web App? :-)

  • We are working on improving the possibilities of using the 1Password CLI in these kinds of environments. As part of this, we are currently testing out a new service accounts feature in a small-scale private beta. If this is something you are interested in testing, you can sign up here.

This discussion has been closed.