I want to create APIM subscriptions through the REST API, and was able to do it successfully by following this Microsoft doc: https://docs.microsoft.com/en-us/rest/api/apimanagement/current-ga/subscription.
For authentication I am generating a bearer token using the ROPC grant type (my username & password). Everything works fine with this flow.
But I don't want to configure my username & password in an application to get a bearer token, so instead I followed the Client-Credentials grant type (get a token by client id & secret). I am able to generate a token, but when I use that token to create a subscription in APIM, I get an exception: The client '0--e' with object id '0--e' does not have authorization to perform action 'Microsoft.ApiManagement/service/subscriptions/write'
Is it possible to add an AAD application inside APIM Access Control (IAM) to grant permission? Or is there any other way to do this? Or is ROPC the only way?
Can someone please help.
CodePudding user response:
Yes, you can grant permission to an AAD application (service principal) in APIM Access Control (IAM) by assigning it the API Management Service Contributor role.
I tried to reproduce the same in my environment and got the below results:
I have generated one access token using Client-Credentials grant type like below:
When I used the above token to create APIM subscription with below query, I got the same error:
PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.ApiManagement/service/apimService1/subscriptions/testsub?api-version=2021-12-01

{
  "properties": {
    "ownerId": "/subscriptions/subid/resourceGroups/rgname/providers/Microsoft.ApiManagement/service/servicename/users/xxxxxxxxxxx",
    "scope": "/subscriptions/subid/resourceGroups/rgname/providers/Microsoft.ApiManagement/service/servicename/products/xxxxxxxxxxx",
    "displayName": "testsub"
  }
}
Response:
To resolve the error, you need to grant the API Management Service Contributor role to that application like below:
Go to Azure Portal -> APIM Services -> Your APIM -> Access control (IAM) -> Add role assignment
After granting the above role, I generated the access token again and ran the same query as below:
PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.ApiManagement/service/apimService1/subscriptions/testsub?api-version=2021-12-01
Response:
When I checked the Portal, the APIM subscription got created successfully like below:
Reference:
How to use Role-Based Access Control in Azure API Management | Microsoft Docs
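The flow the answer describes (client-credentials token, then a PUT to the ARM subscription endpoint, with the 403 AuthorizationFailed response telling you the service principal is missing a role assignment on the APIM resource), written out as an added example. This is not code from the original post; the tenant id, client id, secret, resource names and the sample 403 body are constructed placeholders, and the request URL and body mirror the ones shown in the answer. Only the standard library is used, so the pure helpers run offline; the network call happens only in create_subscription.

```python
"""Added example: client-credentials token + APIM subscription PUT via the ARM REST API.
All ids, names and the sample error body below are constructed placeholders."""
import json
import urllib.error
import urllib.parse
import urllib.request

ARM_SCOPE = "https://management.azure.com/.default"  # resource scope for an ARM access token
API_VERSION = "2021-12-01"                            # same api-version as the answer's request

# Constructed sample of the ARM error body for the failure described in the post
# (the real response has this shape; ids are placeholders).
SAMPLE_403_BODY = json.dumps({"error": {
    "code": "AuthorizationFailed",
    "message": ("The client '0--e' with object id '0--e' does not have authorization "
                "to perform action 'Microsoft.ApiManagement/service/subscriptions/write'"),
}})


def token_request(tenant_id, client_id, client_secret):
    """Return (url, form-encoded body) for the v2.0 client-credentials grant."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": ARM_SCOPE,
    }).encode()
    return url, body


def subscription_put(sub_id, rg, service, sid, owner_user_id, product_id, display_name):
    """Return (url, json body) for PUT .../service/{service}/subscriptions/{sid}."""
    base = (f"/subscriptions/{sub_id}/resourceGroups/{rg}"
            f"/providers/Microsoft.ApiManagement/service/{service}")
    url = f"https://management.azure.com{base}/subscriptions/{sid}?api-version={API_VERSION}"
    body = {"properties": {
        "ownerId": f"{base}/users/{owner_user_id}",   # APIM user that owns the subscription
        "scope": f"{base}/products/{product_id}",     # product the subscription grants access to
        "displayName": display_name,
    }}
    return url, body


def classify_arm_error(status, body_text):
    """Map an ARM response to a short diagnosis.
    403 + AuthorizationFailed is the case in the post: the service principal holds no
    role on the APIM resource that allows Microsoft.ApiManagement/service/subscriptions/write,
    so the fix is a role assignment (API Management Service Contributor), not a new token."""
    try:
        payload = json.loads(body_text)
    except ValueError:
        payload = None
    code = payload.get("error", {}).get("code") if isinstance(payload, dict) else None
    if 200 <= status < 300:
        return "ok"
    if status == 403 and code == "AuthorizationFailed":
        return "missing-role-assignment"
    if status == 401:
        return "bad-or-expired-token"
    return f"other:{code or status}"


def create_subscription(token, put_url, put_body):
    """Send the PUT with the bearer token; return (status, diagnosis, response text)."""
    req = urllib.request.Request(
        put_url, method="PUT", data=json.dumps(put_body).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            text = resp.read().decode()
            return resp.status, classify_arm_error(resp.status, text), text
    except urllib.error.HTTPError as e:
        text = e.read().decode()
        return e.code, classify_arm_error(e.code, text), text
```

To use it, POST the output of token_request to the token endpoint, read access_token from the JSON reply, and pass it with the output of subscription_put to create_subscription. A "missing-role-assignment" result means the token itself is fine: assign the role on the APIM resource (as the answer shows, Your APIM -> Access control (IAM) -> Add role assignment) rather than at a wider scope such as the whole subscription, so the service principal is limited to that one instance, then request a fresh token and retry.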