
I want to be able to call the Azure REST APIs for creating/reading resources like Container instances, Container registries and storage accounts.

In my Azure AD, I registered an app for my application and got clientID, secret, and tenantId.

I have called the following API to get the token:

https://login.microsoftonline.com/{{tenantId}}/oauth2/token

with

resource, client_id, client_secret and grant_type

as body parameters in the POST request

The token I receive from here is not working fine. I am getting the following error:

{
    "error": {
        "code": "AuthorizationFailed",
        "message": "The client 'ff70fcft-21ub-4a7f-8h20-3f405c5d17e0' with object id 'ff70fcff-22bb-4a7f-9f20-3f405c1e17e0' does not have authorization to perform action 'Microsoft.ContainerInstance/containerGroups/read' over scope '/subscriptions/afb6001a-XXXX-4c39-XXXX-9706012c30ba/resourceGroups/app2/providers/Microsoft.ContainerInstance/containerGroups/app2' or the scope is invalid. If access was recently granted, please refresh your credentials."
    }
}

However, when I copy the access token from the browser's Network tab, it works fine.

I believe that something is not right with the app registration, because it feels like the app and my resources are currently disconnected.

Can anyone please help me out in this?

ash007
  • Which API do you want to call? – Tony Ju Oct 21 '19 at 09:12
  • @TonyJu I was trying to hit this one: GET management.azure.com/subscriptions{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ContainerInstance/containerGroups/{containerGroupName}?api-version=2018-10-01 – ash007 Oct 21 '19 at 09:44

1 Answer

It seems that you didn't grant Azure subscription access permission to your registered application.

Here are the steps:

1. All services -> Subscriptions -> choose your subscription -> click Access control

2. Click Add to add a role assignment to your registered application

3. Get the access token to access the API again; it will work.

Reference: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal#overview-of-access-control-iam

Update:

Please choose the correct subscription.

Tony Ju
  • What I am not getting is, when I type something in the Select* text field, I can't find my resource, and it shows "No container instance managed identities found in this subscription". I have already reached the step you suggested, but couldn't go beyond that. – ash007 Oct 21 '19 at 09:48
  • @AyushOjha In step 2, you should assign access to your registered application. Can you check if you created the container instance in the same subscription? – Tony Ju Oct 21 '19 at 09:51
  • @AyushOjha See the updates in the answer, maybe you have more than one subscription. – Tony Ju Oct 21 '19 at 09:55
  • Yes it is in the same subscription. – ash007 Oct 21 '19 at 10:31
  • @AyushOjha Let's analyze the issue. You can call the API by clicking 'Try it' here https://learn.microsoft.com/en-us/rest/api/container-instances/containergroups/get, right? If so, did you add the role assignment under the same subscription? If yes, it doesn't make sense that you got that error. – Tony Ju Oct 22 '19 at 01:14
  • When I try the API on the doc reference page, it works because it uses my access token from my login credentials, but when I try on Postman, the token I get is not correct; it is much shorter than the one that is working, and it seems it doesn't have enough permissions. I have a role assignment of owner and contributor in the subscription. – ash007 Oct 22 '19 at 01:23
  • @AyushOjha That's why I asked you to add a role assignment to the application you registered (step 2). You have a client_id; you should search by the client name and select the application. – Tony Ju Oct 22 '19 at 01:31
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/201240/discussion-between-ayush-ojha-and-tony-ju). – ash007 Oct 22 '19 at 05:07
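
A triage helper for the situation in this thread, added here as an example (it is not code from the question or the answer): it decodes an access token to see which principal Azure Resource Manager will authorize, and parses the `AuthorizationFailed` body to find the scope that needs a role assignment. The GUIDs, tokens and error body are constructed placeholders and the function names are hypothetical; `aud`, `oid`, `appid` and `scp` are standard Azure AD access-token claims.

```python
import base64, json, re

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    part = token.split(".")[1]
    part += "=" * (-len(part) % 4)          # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(part))

def describe_token(token):
    """Report which principal ARM evaluates role assignments for."""
    c = jwt_claims(token)
    # Delegated (signed-in user) tokens carry 'scp'; client-credentials tokens do not.
    kind = "user-delegated" if "scp" in c else "app-only"
    return {"kind": kind, "aud": c.get("aud"), "oid": c.get("oid"), "appid": c.get("appid")}

AUTHZ_RE = re.compile(r"object id '(?P<oid>[^']+)' does not have authorization to "
                      r"perform action '(?P<action>[^']+)' over scope '(?P<scope>[^']+)'")

def parse_authorization_failed(body):
    """Extract principal object id, action and scope from an AuthorizationFailed body."""
    err = json.loads(body)["error"]
    m = AUTHZ_RE.search(err["message"]) if err["code"] == "AuthorizationFailed" else None
    if m is None:
        raise ValueError("not a recognisable AuthorizationFailed response")
    return m.groupdict()

def scope_covers(assigned, target):
    """Role assignments are inherited: a parent scope covers every child scope."""
    a, t = assigned.rstrip("/").lower(), target.rstrip("/").lower()
    return t == a or t.startswith(a + "/")

# --- constructed sample data (placeholder GUIDs, unsigned tokens) ---
def _fake_jwt(claims):
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
APP_OID, USER_OID = "11111111-1111-1111-1111-111111111111", "22222222-2222-2222-2222-222222222222"
APP_TOKEN = _fake_jwt({"aud": "https://management.azure.com/", "oid": APP_OID,
                       "appid": "33333333-3333-3333-3333-333333333333"})
USER_TOKEN = _fake_jwt({"aud": "https://management.azure.com/", "oid": USER_OID,
                        "scp": "user_impersonation", "upn": "user@example.com"})
ERROR_BODY = json.dumps({"error": {"code": "AuthorizationFailed", "message":
    f"The client '{APP_OID}' with object id '{APP_OID}' does not have authorization to perform "
    f"action 'Microsoft.ContainerInstance/containerGroups/read' over scope '{SUB}/resourceGroups/"
    "app2/providers/Microsoft.ContainerInstance/containerGroups/app2' or the scope is invalid."}})

if __name__ == "__main__":
    denied = parse_authorization_failed(ERROR_BODY)
    for name, tok in (("postman", APP_TOKEN), ("browser", USER_TOKEN)):
        info = describe_token(tok)
        print(name, info["kind"], "denied principal" if info["oid"] == denied["oid"] else "other principal")
    print("subscription-level role would cover it:", scope_covers(SUB, denied["scope"]))
```

The browser token belongs to the signed-in user, so that user's Owner or Contributor role does not apply to the app-only token; the role has to be assigned to the principal whose `oid` appears in the error, at the denied scope or a parent of it.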