Azure/azure-iot-sdk-csharp

[Bug Report] Owner and Contributor roles fail with 'is not authorized for GET on /twins/device_id', "IoT Hub Data Reader" is explicitly required

tymtam2 opened this issue · 1 comments

  1. Setup IoT Hub and give yourself Owner and/or Contributor roles

  2. Create a device called in IoT Hub

  3. ✅ This works:

```sh
az login --tenant xyz
az iot hub device-twin show --hub-name 'hub1' --device-id 'John' --query 'properties.desired' --output json --subscription 'sub1'
```

  4. ❌ This doesn't work:

```csharp
var hub = "rbtestiothub-leia.azure-devices.net";
var deviceId = "John";

var credential = new AzureCliCredential();
var rm = RegistryManager.Create(hub, credential);
var twin = await rm.GetTwinAsync(deviceId); // IotHubUnauthorized;Principal <edited>@<edited>.com is not authorized for GET on /twins/John
```

Error:

Error: Microsoft.Azure.Devices.Common.Exceptions.UnauthorizedException: {"Message":"ErrorCode:IotHubUnauthorized;Principal @.com is not authorized for GET on /twins/John due to no assigned permissions","ExceptionMessage":"Tracking ID:abc:0-TimeStamp:06/26/2023 07:44:12"}

  5. Assign "IoT Hub Data Reader" role to the user

```csharp
var twin = await rm.GetTwinAsync(deviceId); // Success
```

Usings:

```csharp
#i "nuget:https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet5/nuget/v3/index.json"
#i "nuget:https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-tools/nuget/v3/index.json"

#r "nuget:Azure.Identity"
#r "nuget:Microsoft.Extensions.Azure"
#r "nuget:Microsoft.Azure.Devices"

using Azure.Identity;
using Microsoft.Extensions.Azure;
using Microsoft.Azure.Devices;
```
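
An added example, not part of the original issue or the SDK: Azure RBAC checks data-plane requests such as `GET /twins/{deviceId}` against a role's `dataActions`, not its `actions`, and this C# sketch evaluates that for the three roles named in the report. The role JSON is a constructed, trimmed sample shaped like `az role definition list` output, and the class and method names are hypothetical.

```csharp
using System;
using System.Linq;
using System.Text.Json;
using System.Text.RegularExpressions;

static class TwinReadCheck
{
    // Azure RBAC data-plane operation for reading a device twin (GET /twins/{id}).
    const string TwinRead = "Microsoft.Devices/IotHubs/twins/read";

    // Constructed sample shaped like `az role definition list` output,
    // trimmed to the fields used below (notActions etc. omitted).
    const string RolesJson = @"[
      {""roleName"": ""Owner"",
       ""permissions"": [{""actions"": [""*""], ""dataActions"": []}]},
      {""roleName"": ""Contributor"",
       ""permissions"": [{""actions"": [""*""], ""dataActions"": []}]},
      {""roleName"": ""IoT Hub Data Reader"",
       ""permissions"": [{""actions"": [],
         ""dataActions"": [""Microsoft.Devices/IotHubs/*/read""]}]}
    ]";

    // Role patterns use '*' as a wildcard and compare case-insensitively.
    static bool Matches(string pattern, string op) =>
        Regex.IsMatch(op, "^" + Regex.Escape(pattern).Replace("\\*", ".*") + "$",
                      RegexOptions.IgnoreCase);

    // True if the named array in a permission block has a pattern matching op.
    static bool Lists(JsonElement perm, string field, string op) =>
        perm.TryGetProperty(field, out var arr) &&
        arr.EnumerateArray().Any(p => Matches(p.GetString() ?? "", op));

    // Data-plane requests are authorized from dataActions (minus notDataActions);
    // a wildcard in actions covers management operations only.
    public static bool AllowsDataAction(JsonElement role, string op) =>
        role.GetProperty("permissions").EnumerateArray().Any(perm =>
            Lists(perm, "dataActions", op) && !Lists(perm, "notDataActions", op));

    public static void Main()
    {
        using var doc = JsonDocument.Parse(RolesJson);
        foreach (var role in doc.RootElement.EnumerateArray())
        {
            var name = role.GetProperty("roleName").GetString();
            var verdict = AllowsDataAction(role, TwinRead) ? "allowed" : "denied";
            Console.WriteLine($"{name}: {TwinRead} {verdict}");
        }
    }
}
```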