Question from mata-nordic

Using role to access IoT Hub Registry

I am struggling with what should be a straightforward thing:

  1. I have a service principal (SP) with Contributor access to a resource group

  2. I have an IoT Hub in that resource group

  3. I want to use the SP's credentials to interact with the IoT Hub Registry.

First, I've created the credentials:

 az ad sp create-for-rbac --name 'https://acme.invalid/firmware-ci' \
    --role contributor \
    --scopes \
       "/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP}"\
    --sdk-auth \
    > credentials.json

Then I use that to create the token:

 import { Registry } from 'azure-iothub'
 import { ClientSecretCredential } from '@azure/identity'
 ;(async () => {
     const credentials = {
         clientId: '...',
         clientSecret: '...',
         subscriptionId: '...',
         tenantId: '...',
         activeDirectoryEndpointUrl: 'https://login.microsoftonline.com',
         resourceManagerEndpointUrl: 'https://management.azure.com/',
         activeDirectoryGraphResourceId: 'https://graph.windows.net/',
         sqlManagementEndpointUrl: 'https://management.core.windows.net:8443/',
         galleryEndpointUrl: 'https://gallery.azure.com/',
         managementEndpointUrl: 'https://management.core.windows.net/',
     } as const
    
     const { clientId, clientSecret, tenantId } = credentials
     const creds = new ClientSecretCredential(tenantId, clientId, clientSecret)
    
     const iotHubRegistry = Registry.fromTokenCredential(
         `assettrackerprodIotHub.azure-devices.net`,
         creds,
     )
    
     try {
         const res = await iotHubRegistry
             .createQuery(`SELECT * FROM devices WHERE deviceId='435d2106'`)
             .nextAsTwin()
         console.log(res.result)
     } catch (err) {
         console.error(err)
     }
 })()

However, the permission is denied with "Principal is not authorized for POST on /devices/query due to no assigned permissions".

What am I doing wrong?


1 Answer

Answer from AshokPeddakotla-MSFT

@mata-nordic I understand that you have a Service Principal (SP) with Contributor access to a Resource Group. The error you are getting, "Principal is not authorized for POST on /devices/query due to no assigned permissions", can be resolved by assigning the correct level of Azure RBAC permission to the user. For example, an Owner on the IoT Hub can assign the "IoT Hub Data Owner" role, which gives all permissions. Try this role to resolve the lack of permission issue.

I would suggest you first check which levels of access are enabled for Azure IoT Hub under Access Control (IAM) -> View my access.

To give more context, when an Azure AD security principal requests access to an IoT Hub service API, the principal's identity is first authenticated. This step requires the request to contain an OAuth 2.0 access token at runtime. The resource name for requesting the token is https://iothubs.azure.net. If the application runs inside an Azure resource like an Azure VM, Azure Function app, or an App Service app, it can be represented as a managed identity.

Once the Azure AD principal has been authenticated, the second step is authorization. In this step, IoT Hub checks with Azure AD's role assignment service to see what permissions the principal has. If the principal's permissions match the requested resource or API, IoT Hub authorizes the request. So, this step requires one or more Azure roles to be assigned to the security principal. IoT Hub provides some built-in roles that have common groups of permissions.

IoT Hub provides the following Azure built-in roles for authorizing access to IoT Hub service API using Azure AD and RBAC:

[image attachment: table of the IoT Hub built-in roles]

Please see Control access to IoT Hub for more details. Do let us know if that helps or if you have further queries. We would be happy to help you.


mata-nordic commented:

Thank you!

After assigning the "IoT Hub Data Contributor Role" to the service principal using the UI, the request works as expected.


Now I need to figure out how to do this programmatically, but I should be fine from here on.

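The thread resolves the error by assigning "IoT Hub Data Contributor" in the portal. The script below is an added example (not code from the thread or from Azure's documentation) of doing the same step from the CLI, at the scope of one IoT Hub rather than the whole resource group: the original Contributor assignment on the resource group is a control-plane role, and, as the answer explains, the data-plane call to /devices/query is authorized only by a data-plane role assignment. `SP_APP_ID` (the `clientId` from credentials.json), `SUBSCRIPTION_ID`, `RESOURCE_GROUP` and `IOTHUB_NAME` are placeholders you supply; `DRY_RUN=1` echoes the `az` command instead of running it so the intended assignment can be reviewed first.

```shell
#!/usr/bin/env sh
# Added example, not from the original thread. Assigns the built-in
# "IoT Hub Data Contributor" role to a service principal on a single IoT Hub
# and waits until the assignment is visible. Assumes `az` is logged in as an
# identity allowed to create role assignments on that hub.
set -eu

# ARM resource ID of an IoT Hub. Using it as the role-assignment scope keeps
# the SP's data-plane rights limited to this one hub.
iothub_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Devices/IotHubs/%s' \
    "$1" "$2" "$3"
}

# Run the given command, or just print it when DRY_RUN=1 (review/offline mode).
az_or_echo() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# assign_iothub_role <appId> <scope> [role]
# The assignee is the SP's application (client) ID from credentials.json.
assign_iothub_role() {
  app_id="$1"; scope="$2"; role="${3:-IoT Hub Data Contributor}"
  az_or_echo az role assignment create \
    --assignee "$app_id" --role "$role" --scope "$scope"
}

# verify_iothub_role <appId> <scope> [role]
# Role assignments propagate asynchronously; poll a few times before letting a
# pipeline start using the credential, instead of retrying the IoT Hub call.
verify_iothub_role() {
  app_id="$1"; scope="$2"; role="${3:-IoT Hub Data Contributor}"
  attempt=0
  while [ "$attempt" -lt 6 ]; do
    if az role assignment list --assignee "$app_id" --scope "$scope" \
         --query "[].roleDefinitionName" -o tsv | grep -Fxq "$role"; then
      return 0
    fi
    attempt=$((attempt + 1))
    sleep 20
  done
  echo "role '$role' not visible on $scope after polling" >&2
  return 1
}

# Only act when the placeholders have been supplied; sourcing the file for its
# functions (or running it without configuration) does nothing.
if [ -n "${SP_APP_ID:-}" ]; then
  scope=$(iothub_scope "${SUBSCRIPTION_ID:?}" "${RESOURCE_GROUP:?}" "${IOTHUB_NAME:?}")
  assign_iothub_role "$SP_APP_ID" "$scope"
  if [ "${DRY_RUN:-0}" != "1" ]; then
    verify_iothub_role "$SP_APP_ID" "$scope" && echo "assignment active on $scope"
  fi
fi
```

After the assignment is active, the TypeScript snippet from the question works unchanged, since `ClientSecretCredential` already requests the token for the IoT Hub resource; the resource-group Contributor role can then be dropped from the SP unless the pipeline also needs to manage the hub itself.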

AshokPeddakotla-MSFT commented:

You're welcome. Glad to hear your issue is resolved.
