What should be the required API permissions for ClientSecretCredential to obtain arm access token for Video Indexer
harikanagidi opened this issue · 4 comments
I'm currently working on integrating Video Indexer into my application using Azure services. I'm using the ClientSecretCredential method for authentication, and I'm encountering some difficulties in determining the required API permissions for the application to obtain a token for Video Indexer.
Below is the code with which I am trying to get the ARM access token:
```python
from azure.identity import ClientSecretCredential


# Consts comes from the sample's own module; tenant_id, client_id and
# client_secret are the app registration's values, defined elsewhere.
def get_arm_access_token(consts: Consts) -> str:
    '''
    Get an access token for the Azure Resource Manager
    Make sure you're logged in with az first

    :param consts: Consts object
    :return: Access token for the Azure Resource Manager
    '''
    credential = ClientSecretCredential(tenant_id, client_id, client_secret)
    scope = f"{consts.AzureResourceManager}/.default"
    token = credential.get_token(scope)
    return token.token
```
I am getting the below error with the above token:
The client 'xxxx' with object id 'xxxxx' does not have authorization to perform action 'Microsoft.VideoIndexer/accounts/generateAccessToken/action' over scope '/subscriptions/xxxxxx-xxxx-xxxx-xxxx-xxxxxx/resourceGroups/xxxx/providers/Microsoft.VideoIndexer/accounts/XXXXVideoIndexer' or the scope is invalid.
What are the API Permissions that are required for my App to connect to Azure Video Indexer?
Could someone please guide me on the specific API permissions that need to be assigned to the Azure AD App Registration associated with my application in order to successfully obtain a token for Video Indexer using ClientSecretCredential?
Any insights or documentation pointers regarding the necessary permissions would be greatly appreciated.
This worked for me when the app is given the Owner role on the subscription. Please suggest if there is any specific role that can work in authenticating the app to Azure AI Video Indexer.
I am encountering the exact same issue. I've created a trial account, subscribed to services including storage and video indexers, and assigned owner permissions. However, I'm still receiving a 401 error. Could anyone guide us on what mistake we might be making?
The documentation to get the access token is confusing. I also tried different methods to get the access token and none is working.
For client credentials, you need to add the VI Account Contributor role to the application registration. This can be done via PSH.
```powershell
$appregName = "app reg name"
$spnObjId = (Get-AzADServicePrincipal -DisplayName $appregName).Id
$subscription = "subscription ID"
$resourceGroup = "resource group name"
$indexerName = "indexername"
# Scope the assignment to the Video Indexer account only
$scope = "/subscriptions/$subscription/resourcegroups/$resourceGroup/providers/Microsoft.VideoIndexer/accounts/$indexerName"
New-AzRoleAssignment -ObjectId $spnObjId -RoleDefinitionName "Contributor" -Scope $scope
# Show the role assignment
Get-AzRoleAssignment -Scope $scope | Where-Object {$_.ObjectId -like $spnObjId}
```
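An added example, not code from this thread or from the Video Indexer samples: a simplified offline model of how Azure RBAC evaluates the action named in the error above. It shows why Owner on the subscription works and why Contributor scoped to the Video Indexer account is the narrower grant. The role definitions are abbreviated, all IDs and resource names are constructed, and deny assignments and group membership are not modelled.

```python
from fnmatch import fnmatchcase

# Action string taken from the error message in this thread.
VI_ACTION = "Microsoft.VideoIndexer/accounts/generateAccessToken/action"

# Built-in role definitions, abbreviated to the fields evaluated here.
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {"actions": ["*"], "not_actions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action"]},
    "Reader": {"actions": ["*/read"], "not_actions": []},
}

# Constructed sample values (assumptions, not from the thread).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ACCOUNT = SUB + "/resourceGroups/rg-demo/providers/Microsoft.VideoIndexer/accounts/demo-vi"
SPN = "11111111-1111-1111-1111-111111111111"

def _norm(scope):
    return scope.rstrip("/").lower()  # scopes compare case-insensitively

def _matches(pattern, action):
    # Action strings are case-insensitive and '*' is a wildcard.
    return fnmatchcase(action.lower(), pattern.lower())

def _covers(assignment_scope, resource_scope):
    # An assignment applies at its own scope and at every child scope.
    a, r = _norm(assignment_scope), _norm(resource_scope)
    return r == a or r.startswith(a + "/")

def evaluate(assignments, principal_id, action, resource_scope):
    """Return (allowed, granting_assignments) for one principal."""
    granting = []
    for a in assignments:
        if a["principal_id"] != principal_id or not _covers(a["scope"], resource_scope):
            continue
        role = ROLES[a["role"]]
        allowed = any(_matches(p, action) for p in role["actions"])
        excluded = any(_matches(p, action) for p in role["not_actions"])
        if allowed and not excluded:
            granting.append(a)
    return bool(granting), granting

def broader_than_resource(granting, resource_scope):
    """Granting assignments made at a parent scope, i.e. wider than needed."""
    return [a for a in granting if _norm(a["scope"]) != _norm(resource_scope)]
```

Feeding it the output of `Get-AzRoleAssignment` converted to the same three fields gives a quick audit of which service principals reach the account only through a subscription-wide grant.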