0 Votes
WaqasKayani-8357 asked ArunSomasundaramSP-4005 answered

Unauthorized: Not authorized to access Purview account using API requests

We are trying to configure Purview accounts using its REST APIs.
I have created a Purview account (purview-api-demo), and registered an Azure Blob Storage type source with it.
Following the REST APIs documentation here, I have created a service principal (purview-app-registration) and added its trust permissions as follows:

119466-deepinscreenshot-select-area-20210730235129.png

Now, upon trying two different GET requests, one of them works, i.e. the one from the tutorial in the documentation. Here's the code for it:

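 from requests import request  # third-party: pip install requests

 def call_api(atlas_endpoint, access_token):
     # List all type definitions from the catalog (Atlas) endpoint.
     url = f"{atlas_endpoint}/api/atlas/v2/types/typedefs"
     payload = {}
     headers = {
         'Authorization': f'Bearer {access_token}'
     }
     response = request("GET", url, headers=headers, data=payload)
     print(response.text)

 atlas_endpoint = "https://purview-api-demo.catalog.purview.azure.com"
 # `output` holds the access token obtained earlier (not shown in the post).
 call_api(atlas_endpoint=atlas_endpoint, access_token=output)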

However, when trying a similar GET request to list data sources, as documented here, it gives the following response:

119523-screenshot-from-2021-07-30-23-57-52.png

Here's the code for the second GET request:

 from requests import request  # third-party: pip install requests

 def list_data_sources(access_token, Endpoint, api_version="2018-12-01-preview"):
     # List the registered data sources from the scan endpoint.
     url = f"{Endpoint}/datasources?api-version={api_version}"
     payload = {}
     headers = {
         'Authorization': f'Bearer {access_token}'
     }
     response = request("GET", url, headers=headers, data=payload)
     print(response.text)

 scan_endpoint = "https://purview-api-demo.scan.purview.azure.com"
 # `output` holds the same access token used for the catalog request.
 list_data_sources(access_token=output, Endpoint=scan_endpoint)

It would be great to have an explanation of why we are able to make one request successfully, while the other request to the same Purview account returns unauthorized.
Thanks.


azure-purview

2 Votes
SaurabhSharma-msft answered AnkitPancholi-2733 commented

Hi @waqaskayani-8357,
Thanks for using Microsoft Q&A !!

You are getting this error when using the scan endpoint because you have not given your registered application/service principal the Purview Data Source Administrator role, which can manage scans. I have tried the same and it worked fine with this role.

119545-image.png
Please refer to the documentation for role details -

Please note that the Purview Data Source Administrator role has two supported scenarios. The first scenario is for users who are already Purview Data Readers or Purview Data Curators that also need to be able to create scans. Those users need to be in two roles, at least one of Purview Data Reader or Purview Data Curator as well as being placed in the Purview Data Source Administrator Role.
The other scenario for Purview Data Source Administrator is for programmatic processes, such as service principals, that need to be able to set up and monitor scans but should not have access to any of the catalog's data.

Also, I suggest you use Azure Purview pre-defined Data plane roles like Purview Data Curator Reader, Purview Data Curator Role etc. instead of giving owner permissions to service principals.

Please let me know if you have any questions.

Thanks
Saurabh


Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.
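
Added example (not part of the original answer): a small probe that calls the two endpoints from the question with the same token and separates a missing role assignment from the `AccountProtectedByPrivateEndpoint` error reported later in this thread. The function names are hypothetical, and the `fake_send` responses, including the `Unauthorized` error code, are constructed sample data.

```python
import json
import urllib.error
import urllib.request

# Endpoint name -> path, exactly as called in the question.
PROBES = {
    "catalog": "/api/atlas/v2/types/typedefs",
    "scan": "/datasources?api-version=2018-12-01-preview",
}

def classify(status, body):
    """Map an HTTP status and error body to the causes discussed in this thread."""
    if 200 <= status < 300:
        return "ok"
    try:
        error = json.loads(body).get("error", {})
        code = error.get("code", "") if isinstance(error, dict) else ""
    except (ValueError, AttributeError):
        code = ""  # body was not a JSON object
    # Check the error code first: the private-endpoint failure also says
    # "Not authorized", but adding roles will not fix it.
    if code == "AccountProtectedByPrivateEndpoint":
        return "network: account is behind a private endpoint"
    if status in (401, 403):
        return "authorization: no role covering this endpoint"
    return f"other: HTTP {status}"

def http_get(url, token):
    """Real sender: GET with the bearer token, returning (status, body)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")

def probe(account, token, send=http_get):
    """Call every endpoint with the same token and classify each result."""
    return {
        name: classify(*send(f"https://{account}.{name}.purview.azure.com{path}", token))
        for name, path in PROBES.items()
    }

def fake_send(url, token):
    """Constructed responses reproducing the question: catalog works, scan is refused."""
    if ".catalog." in url:
        return 200, '{"enumDefs": []}'
    return 403, '{"error": {"code": "Unauthorized", "message": "Not authorized to access account"}}'

if __name__ == "__main__":
    print(probe("purview-api-demo", "constructed-token", fake_send))
```

Calling `probe` without the `send` argument issues the real requests, so pass the account name and a valid token for the service principal being checked.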





Hi @waqaskayani-8357,
I have not heard back from you. Did my answer solve your issue? If so, please mark as accepted answer. If not, please let me know how I may better assist.

Thanks
Saurabh

0 Votes 0 ·

Hi @SaurabhSharma-msft,

It did solve our problem, thank you! I have up-voted the answer as well.
Thank you again for the explanation of the roles.


@AnkitPancholi-2733 as for your issue.
I believe that could be caused by the update in access policy for Purview accounts. For accounts created after 18th August, 2021, the permissions for Purview assets aren't controlled through IAM, but rather through the Collection roles. This documentation explains it further.

You will have to go to "Data Map" > "Collections" > "Role Assignments". And then add permissions for each entity as required.

1 Vote 1 ·

Thank you so much. Yes this worked now!

0 Votes 0 ·

Hello Saurabh,

We are facing the same error as mentioned by Waqas. I have followed all the steps mentioned by you above but we are still getting the same 403:Unauthorized error.

127194-image.png


Below is the snapshot of the access permission I have given to the Service Principal.

127179-rest-api-error-authorization.jpg

0 Votes 0 ·
0 Votes
ArunSomasundaramSP-4005 answered

Hi @SaurabhSharma-msft and Others,


In Azure Functions, I have code which creates Atlas Entities from the JSON and finally loads them into Azure Purview.

Every time I run the code, I'm encountering this error: "Failure Exception: RequestException: {"error":{"code":"AccountProtectedByPrivateEndpoint","message":"Not authorized to access account"}}"

I have provided the Role access to the Service Principal as mentioned above. Still encountering this error. Could someone help me here ??

Note: My Functions app and (Azure Purview, Service Principal) are in different RGs. Will this cause any impacts ??
