I am struggling with what should be a straightforward thing:
I have a service principal (SP) with Contributor access to a resource group
I have an IoT Hub in that resource group
I want to use the SP's credentials to interact with the IoT Hub Registry.
First, I've created the credentials:
az ad sp create-for-rbac --name 'https://acme.invalid/firmware-ci' \
  --role contributor \
  --scopes "/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP}" \
  --sdk-auth \
  > credentials.json
Then I use that to create the token:
import { Registry } from 'azure-iothub'
import { ClientSecretCredential } from '@azure/identity'

;(async () => {
  // Values copied from the credentials.json written by `az ad sp create-for-rbac --sdk-auth`
  const credentials = {
    clientId: '...',
    clientSecret: '...',
    subscriptionId: '...',
    tenantId: '...',
    activeDirectoryEndpointUrl: 'https://login.microsoftonline.com',
    resourceManagerEndpointUrl: 'https://management.azure.com/',
    activeDirectoryGraphResourceId: 'https://graph.windows.net/',
    sqlManagementEndpointUrl: 'https://management.core.windows.net:8443/',
    galleryEndpointUrl: 'https://gallery.azure.com/',
    managementEndpointUrl: 'https://management.core.windows.net/',
  } as const

  // Only the tenant, app (client) id and secret are needed for the client-credentials flow
  const { clientId, clientSecret, tenantId } = credentials
  const creds = new ClientSecretCredential(tenantId, clientId, clientSecret)

  // Registry client that authenticates to the hub's data plane with an AAD token instead of a SAS key
  const iotHubRegistry = Registry.fromTokenCredential(
    'assettrackerprodIotHub.azure-devices.net',
    creds,
  )

  try {
    // Issues POST /devices/query against the hub; the first page of results is returned as twins
    const res = await iotHubRegistry
      .createQuery(`SELECT * FROM devices WHERE deviceId='435d2106'`)
      .nextAsTwin()
    console.log(res.result)
  } catch (err) {
    console.error(err)
  }
})()
However, the permission is denied with "Principal is not authorized for POST on /devices/query due to no assigned permissions."
What am I doing wrong?
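An added example, not part of the post above, covering the check a practitioner would make at this point. Contributor on the resource group is an Azure RBAC control-plane (ARM) role. The registry query is a POST to the hub's data plane, and IoT Hub authorizes data-plane calls only through its own built-in data roles (IoT Hub Data Contributor, IoT Hub Data Reader, IoT Hub Registry Contributor, IoT Hub Twin Contributor) assigned to the principal at hub scope or above; the message quoted in the post is what the hub returns when the AAD token itself is accepted but no such role is assigned. The least-privilege move is to leave the SP's control-plane role as it is and add one data-plane role scoped to the hub itself rather than to the resource group. The script below does that and then lists what the SP holds at that scope. SUBSCRIPTION_ID, RESOURCE_GROUP, HUB_NAME, APP_ID and the default role are assumptions for illustration, not values from the post.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Grants the service principal
# an IoT Hub data-plane role scoped to the hub itself, then lists what it holds.
# SUBSCRIPTION_ID, RESOURCE_GROUP, HUB_NAME and APP_ID are assumed placeholders
# supplied by the caller; the default role is an assumption, pick the narrowest
# built-in role that covers the operations you actually need.
set -eu

# ARM resource ID of the hub. This is the narrowest scope a role assignment can
# take for the hub, so use it instead of the resource group. (`az iot hub show
# --query id -o tsv` returns the same string if you prefer to look it up.)
iot_hub_scope() {
  subscription_id="$1"; resource_group="$2"; hub_name="$3"
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Devices/IotHubs/%s' \
    "$subscription_id" "$resource_group" "$hub_name"
}

# Run az, or with DRY_RUN set just print the command. Lets the script be
# reviewed (and tested) without touching a subscription.
run() {
  if [ -n "${DRY_RUN:-}" ]; then
    printf '%s ' "$@"; printf '\n'
  else
    "$@"
  fi
}

# Assign a data-plane role to the SP at hub scope. Contributor on the resource
# group is a control-plane role and is not consulted for /devices/query; one of
# the "IoT Hub ..." data roles is. Default: IoT Hub Data Contributor.
assign_data_plane_role() {
  app_id="$1"; scope="$2"; role="${3:-IoT Hub Data Contributor}"
  run az role assignment create \
    --assignee "$app_id" \
    --role "$role" \
    --scope "$scope"
}

# Roles the SP holds at the hub scope (including inherited ones); the new
# assignment should appear here. Assignments can take a few minutes to
# propagate before the hub starts honouring the token.
list_roles_on_hub() {
  app_id="$1"; scope="$2"
  run az role assignment list \
    --assignee "$app_id" \
    --scope "$scope" \
    --query '[].roleDefinitionName' -o tsv
}

# Only acts when the caller has set the placeholders; otherwise the script just
# defines the functions above so they can be sourced.
if [ -n "${HUB_NAME:-}" ]; then
  scope="$(iot_hub_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$HUB_NAME")"
  assign_data_plane_role "$APP_ID" "$scope" "${IOT_ROLE:-IoT Hub Data Contributor}"
  list_roles_on_hub "$APP_ID" "$scope"
fi
```

Run it once with DRY_RUN=1 to review the exact commands, then for real; retry the TypeScript query only after `list_roles_on_hub` shows the role, since a fresh assignment is not honoured instantly. If a narrower built-in role covers everything the SP actually does against the hub, pass it as the third argument (or IOT_ROLE) instead of the default.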

