Service principal access to IoT Central API

BlackUnicorn 26

Hello

I'm trying to use service principal to use IoT Central API.

I registered application that I successfully added as user with Administrator role in IoT Central using https://learn.microsoft.com/en-us/rest/api/iotcentral/users/set#add-or-update-a-service-principal-user

I used CLI to get bearer token using
az login --service-principal --username "{applicationId}" --password "{applicationSecret}" --tenant "{tenatId}"
az account get-access-token --resource https://apps.azureiotcentral.com

I than tried to use the token to call IoTC API, specifically this endpoint: https://learn.microsoft.com/en-us/rest/api/iotcentral/roles/list
I received 403 AccessDenied "You do not have permission to perform this operation." The same request is working ok when I use token that I created using my user credentials.

I'm not sure what I'm missing here. Should I perform some additional actions to allow service principal to accesss the api? I tried adding the application contributor role to the resource group where IoTC is placed but it didn't change anything.

I would appreciate it if someone could point me in the right direction.

Thank you.

QuantumCache 20,031 Reputation points

2020-12-18T23:50:59.797+00:00

Hello @BlackUnicorn Welcome to Microsoft Q&A Platform and thanks for your query.

Have you added the SPN as an Admin user to IOT Central app via REST API , using the Bearer token obtained by your user credentials?

What is the Version of your IoTCentral Application? Refer link.
BlackUnicorn 26 Reputation points

2020-12-19T08:44:32.837+00:00

I registered my service principal via Rest API using my user berer token

{ "type": "ServicePrincipalUser", "tenantId": "{tenantId}", "objectId": "{applicationId}", "roles": [ { "role": "{administratorRoleId}" } ] }

and it's listed in IoTC (I don't know why user type is showing "User" for it, shouldn't that be something like "Application"?)

My IoTC application is in version 3

Accepted answer

Johnson Yang 166 Reputation points Microsoft Employee

2020-12-23T17:30:37.037+00:00

@BlackUnicorn , I checked the API documents it does not describe very clearly that they need the object id not application id when you create service principal user from public API.

You can find your application's object id from Azure Portal -> Azure Active Directory -> Enterprise applications -> your app

so created service principal user like [tenant id]-[object id], another requirement to ensure your application can access the IoT Central public API, you should ensure from Azure Portal -> Azure Active Directory -> App registrations -> your app -> API Permissions, had following permissions added.

After you added permission for Microsoft IoT Central, you should also click
Please sign in to rate this answer.

1 person found this answer helpful.
BlackUnicorn 26 Reputation points

2020-12-23T20:32:22.977+00:00

Thank you very much for detailed answer!
Sign in to comment

1 additional answer

Sander van de Velde 28,786 Reputation points MVP

2020-12-19T15:59:24.807+00:00

It feels like you are mixing two different security patterns.

The IoT Central API makes use of API keys declared inside IoT Central. These keys are related to groups of users in IoT Central.

The keys generated here can be used in the Rest calls, even with C#. See also this blog.

There is an excellent MS Learn module available which explains it all
Please sign in to rate this answer.
BlackUnicorn 26 Reputation points

2020-12-19T18:23:47.263+00:00

(part 1 - sorry, character limit)
In our project we are currently using API token to communicate with IoTCentral. The problem is that they eventually expire and actual user has to create new one.
That's why I created service principal that I added as user with admin rights to IoTC. The goal was that my service will create API token for itself using its bearer token.

BlackUnicorn 26 Reputation points

2020-12-19T18:24:10.717+00:00

(part 2)
In the learninng materials it states: "Every REST API call that's made against an IoT Central application must include an Authorization header. The Authorization header must contain either an API token or a bearer token.". I can successfully make call to IoTC rest api using my user bearer token or API token I created earlier. However when I try to call rest api using bearer token I created for the service principal I get 403 result, no mater if the call is to generate new API token or to use any other endpoint.
So I'm either missing something in assigning appropriate rights to my service principal or service principals are in general not allowed to use IoTC rest api. If the case is the second, it's confusing why there is possibility to add service principal to users of IoTC since there is no point to it.

Sander van de Velde 28,786 Reputation points MVP

2020-12-20T00:09:03.833+00:00

@BlackUnicorn Thanks for the clarification.

I checked the documentation, the part regarding the bearer token is not very extensive...

Did you check the https://learn.microsoft.com/en-us/rest/api/iotcentral/apitokens/set option? Here you can create new apitokens using the rest API. I suppose Admin rights are needed for this one. Still, this could be a workaround to fix the possible 1-year maximum expiration of the API tokens.

BlackUnicorn 26 Reputation points

2020-12-20T17:25:46.623+00:00

@Sander van de Velde
I'm currently using https://learn.microsoft.com/en-us/rest/api/iotcentral/apitokens/set but it requires previously created api token or user bearer token. So, lets say after a year, it requires either manual action done by user of generating new token and than updating it in my services or some form of service/task that will know to do this process using api token before it expires. I also plan to have more than one IoT Central with which common services can connect so it would makes thing much easier if the services have common credentials to all IoTC.
That's why I just want to know if there is possibility to use service principal registered as user with admin rights in IoTC to connect to the rest api.
The api has let me do it (in the way I explained in this comment) but it just seems to not be working.

Sander van de Velde 28,786 Reputation points MVP

2020-12-20T17:59:17.1+00:00

Thanks. I reached out to the team. I Will let you know if there is any progress.

Update: had a short conversation. They will look at this conversation.

Update2: I got a message that If you post any questions on https://github.com/iot-for-all/awesome-iotcentral , it should be answered. (People are on vacation so it might take time).
Sign in to comment