2

I am trying to connect to the Azure Resource Manager API using the Java SDK. I have an AD application which has "Windows Azure Service Management API" permissions enabled. When running the test samples, I am hitting the following error when performing a GET call on a specific resource group.

Exception in thread "main" com.microsoft.windowsazure.exception.ServiceException: AuthorizationFailed: The client '1111-5a7b-4384-9fee-3a593a8c6875' with object id '1111115-5a7b-4384-9fee-3a593a8c6875' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/read' over scope '/subscriptions/zzzzzzzzzzzz-ae67-ed0926abfe0d/resourcegroups/Group'.
at com.microsoft.windowsazure.exception.ServiceException.createFromJson

How to assign read write permissions to the application in an AD which is used to connect to resource management API?

Will Shao - MSFT
Dat

2 Answers

3

As @Gaurav Mantri said, the easiest way to assign the Reader role to your AD app is to use the Azure Preview Portal if you are running the sample ServicePrincipalExample at https://github.com/Azure/azure-sdk-for-java/blob/master/azure-mgmt-samples/src/main/java/com/microsoft/azure/samples/authentication/ServicePrincipalExample.java.

For the complete details, please see below.

According to the picture above, the steps are as follows:

  1. Click the Resource groups.
  2. Input the resource group name in the filter items field, and click the selected resource group.
  3. Click the Settings button.
  4. Click the Users button.
  5. Click the Add button.
  6. Click Select a role and select the Reader role.
  7. Click the Add users button, input the AD app name in the search field, select the AD app and click the Select button.
  8. Click the OK button in the Add access tab page.

Now you can run the sample again and it will return the correct result without errors.

Besides Azure PowerShell, you can also use the Azure CLI to do it.

  1. Log in to the Azure CLI with your username & password: run azure login
  2. Switch to ARM mode: run azure config mode arm
  3. Create the role assignment: run azure role assignment create --objectId <objectId> -o Reader -c /subscriptions/<subscriptionId>/

Note: For the object ID, you can run azure ad sp show --search <ad-app-name> to show it.

Then, run the sample again without errors.

Peter Pan
  • Thanks @Peter Pan. I am able to update roles using PowerShell. The portal example that you have shown above is updating roles on a specific resource group and not on the AD app, correct? What does this mean? We are updating access permissions only on this specific resource group, which is not the same as updating access on an API app. Please correct me if I am wrong. It's very confusing.. :( – Dat Nov 30 '15 at 09:53
  • @Sam It's assigning the `Reader` role permission for the resource group. Then the Resource Management API can read the metadata within the AD application ID related to the resource group. I think you should review @Gaurav Mantri's reference link and https://msdn.microsoft.com/en-us/library/azure/dn906885.aspx. In an API app, the gateway host controls the access permission, which is not comparable with this one. – Peter Pan Nov 30 '15 at 11:31
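Added helper, not part of either answer: it parses an AuthorizationFailed message of the exact shape quoted in the question and prints the azure-cli (ARM mode) assignment for only the scope the call failed on, i.e. the resource group, which is narrower than the subscription-wide `-c /subscriptions/<subscriptionId>/` in step 3. The ids are the placeholders from the question, not real principals; non-read actions are refused rather than mapped to a broader role.

```shell
#!/bin/sh
# Constructed sample: the AuthorizationFailed message from the question,
# with its placeholder ids (not a real principal or subscription).
SAMPLE_ERROR="AuthorizationFailed: The client '1111-5a7b-4384-9fee-3a593a8c6875' with object id '1111115-5a7b-4384-9fee-3a593a8c6875' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/read' over scope '/subscriptions/zzzzzzzzzzzz-ae67-ed0926abfe0d/resourcegroups/Group'."

# Extract the single-quoted value that follows a given phrase in the message.
field() {   # field <message> <phrase>
  printf '%s\n' "$1" | sed -n "s/.*$2 '\([^']*\)'.*/\1/p"
}

error_object_id() { field "$1" "object id"; }
error_action()    { field "$1" "perform action"; }
error_scope()     { field "$1" "over scope"; }

# Only a */read action is mapped to a role (Reader). Anything else is left for
# a human to pick deliberately, so the script never suggests a write role.
role_for_action() {
  case "$1" in
    */read) echo Reader ;;
    *)      return 1 ;;
  esac
}

# Build the azure-cli command from the error text, scoped to the failing
# resource group rather than the whole subscription (least privilege).
suggest_assignment() {
  msg="$1"
  oid=$(error_object_id "$msg")
  scope=$(error_scope "$msg")
  action=$(error_action "$msg")
  if [ -z "$oid" ] || [ -z "$scope" ] || [ -z "$action" ]; then
    echo "unrecognised AuthorizationFailed format" >&2
    return 1
  fi
  role=$(role_for_action "$action") || {
    echo "non-read action '$action': choose the role manually" >&2
    return 2
  }
  printf 'azure role assignment create --objectId %s -o %s -c %s\n' \
    "$oid" "$role" "$scope"
}

suggest_assignment "$SAMPLE_ERROR"
```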
0

What you would need to do is assign your application the Reader role in your Azure subscription. You could do this programmatically using the ARM API, or you could use Azure PowerShell.

However, the easiest for you would be to assign the role using the Azure Preview Portal. You may find this link useful for assigning roles using the Preview Portal: https://azure.microsoft.com/en-in/documentation/articles/role-based-access-control-configure/.

Gaurav Mantri
  • Thanks @Gaurav Mantri. I am able to assign roles using PowerShell, and able to use the Azure Maven Java SDKs to perform calls on resources. One more hiccup here... I am trying to list OS images with this call: VirtualMachineImageResourceList l = cmc.getVirtualMachineImagesOperations().list(null); – Dat Nov 30 '15 at 09:43
  • But it is throwing an exception saying Exception in thread "main" com.microsoft.windowsazure.exception.ServiceException: BadRequest: The request URL is not valid. at com.microsoft.windowsazure.exception.ServiceException.createFromJson(ServiceException.java:292) at com.microsoft.azure.management.compute.VirtualMachineImageOperationsImpl.list(VirtualMachineImageOperationsImpl.java:441) – Dat Nov 30 '15 at 09:44
  • What am I missing here? – Dat Nov 30 '15 at 09:45
  • IMHO, you may want to post this issue as a separate question. – Gaurav Mantri Nov 30 '15 at 09:46