
I am trying to use the following git repo in order to connect to Azure AMS, upload a video and stream it: https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/AMSv3Samples/StreamFilesSample/index.ts

For some reason I keep getting the following error:

The client 'XXX' with object id 'XXX' does not have authorization to perform action 'Microsoft.Media/mediaServices/transforms/write' over scope '/subscriptions/XXX/resourceGroups/TEST-APP/providers/Microsoft.Media/mediaServices/TESTAMP/transforms/ContentAwareEncoding' or the scope is invalid. If access was recently granted, please refresh your credentials

The AD user is owner but I understand it is a permission issue. I searched all over the web for hours for what permission I need to grant and where, but could not find any solution.

The error gets thrown here:

    let encodingTransform = await mediaServicesClient.transforms.createOrUpdate(resourceGroup, accountName, encodingTransformName, {
      name: encodingTransformName,
      outputs: [
        {
          preset: adaptiveStreamingTransform
        }
      ]
    });

Of course, I have updated the .env file with the correct data for my Azure account. Can anyone point out what I am missing and how to grant this permission?

Thanks!

Ozure

1 Answer


The error message is referring to your Service Principal that is being used to authenticate against the AMS SDK.

Double check that you entered the GUID values for the service principal ID and Key, and make sure you did not use the friendly name in there.

    AADCLIENTID="00000000-0000-0000-0000-000000000000"
    AADSECRET="00000000-0000-0000-0000-000000000000"

Also, double check in IAM Access control in the portal that the service principal exists under the Role Assignments for your Media Services account and has Contributor or Owner permission Role first.

If you are in an Enterprise that locks down AAD access - you may need to work with your AAD owner/admin to make these changes and grant the service principal the right roles for your account. That's a bit outside of Media Services, and is just general Azure AAD application creation rights, and role assignments. If you are still hitting issues, I would file a support ticket and also ask your AAD administrator to assign the role permission to your service principal.

As an aside, we are also working on updated Node.js SDK samples for the upcoming (soon!) release of the 10.0.0 JavaScript SDK. See the beta samples here - https://github.com/Azure-Samples/media-services-v3-node-tutorials/tree/10.0.0-beta.1

johndeu
  • Hi, thank you very much, apparently the AD user was not connected to the AMS so the auth was not successful, I fixed it and it works now. Another question though, I see that we can upload and stream an HTTP URL file or a local system file, what about a file from form data? For example, a user uploads a video via a web app and sends it to the server with form data, how can we upload this file? Thanks! – Ozure Dec 14 '21 at 08:35
  • You need to build some form of mid-tier to accept the file upload and write it to Azure Blob storage first. Look at Azure Functions for an example possibly. Once the file is in storage, you can then use the Media Services SDK to work with the SAS URL to the file, or move it around and create an Asset. – johndeu Dec 14 '21 at 19:24
  • Writing directly into AMS from the browser would be a BAD idea - from a security perspective. You should try to isolate that file upload in a separate API that then protects the backend usage of AMS and any write access storage SAS URLs that might leak to the browser. – johndeu Dec 14 '21 at 19:26
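
The role-assignment check suggested in the answer can be reasoned about offline. The following is an added example, not code from the posts above or from the Azure samples repo: it evaluates role assignments against the action and scope quoted in the error message, showing why an Owner assignment for the portal user does not help a service principal that holds only Reader. The GUIDs and assignments are constructed, the `principalId` / `roleDefinitionName` / `scope` field names are assumed to match `az role assignment list` JSON output, the role definitions are abridged, and group membership and deny assignments are ignored.

```javascript
// Added example: evaluates constructed role assignments the way Azure RBAC does at
// its core: an assignment applies at its scope and below, and role actions may use '*'.
const ROLES = { // abridged built-in role definitions
  Owner: { actions: ['*'], notActions: [] },
  Contributor: { actions: ['*'],
    notActions: ['Microsoft.Authorization/*/Write', 'Microsoft.Authorization/*/Delete'] },
  Reader: { actions: ['*/read'], notActions: [] },
};

// Case-insensitive wildcard match of an action pattern against a concrete action.
const matches = (pattern, action) =>
  new RegExp('^' + pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*') + '$', 'i')
    .test(action);

// True when the assignment scope is the target scope or one of its ancestors.
function covers(assignmentScope, targetScope) {
  const a = assignmentScope.toLowerCase().replace(/\/+$/, '');
  const t = targetScope.toLowerCase();
  return t === a || t.startsWith(a + '/');
}

// Returns the assignments that let principalId perform action at scope.
function grantingAssignments(assignments, principalId, action, scope) {
  return assignments.filter((ra) => {
    const role = ROLES[ra.roleDefinitionName];
    return Boolean(role) && ra.principalId === principalId && covers(ra.scope, scope) &&
      role.actions.some((p) => matches(p, action)) &&
      !role.notActions.some((p) => matches(p, action));
  });
}

// Constructed sample data; scope and action are the ones quoted in the error message.
const ACCOUNT = '/subscriptions/XXX/resourceGroups/TEST-APP/providers/Microsoft.Media/mediaServices/TESTAMP';
const SCOPE = ACCOUNT + '/transforms/ContentAwareEncoding';
const ACTION = 'Microsoft.Media/mediaServices/transforms/write';
const USER_ID = '11111111-1111-1111-1111-111111111111'; // portal user's object id (constructed)
const SP_ID = '22222222-2222-2222-2222-222222222222';   // service principal's object id (constructed)
const SAMPLE = [
  { principalId: USER_ID, roleDefinitionName: 'Owner', scope: ACCOUNT },
  { principalId: SP_ID, roleDefinitionName: 'Reader', scope: '/subscriptions/XXX/resourceGroups/TEST-APP' },
];
// Corrected state: the service principal gets Contributor on the Media Services account.
const FIXED = SAMPLE.concat([{ principalId: SP_ID, roleDefinitionName: 'Contributor', scope: ACCOUNT }]);

console.log('grants before fix:', grantingAssignments(SAMPLE, SP_ID, ACTION, SCOPE).length);
console.log('grants after fix: ', grantingAssignments(FIXED, SP_ID, ACTION, SCOPE).length);
```

Contributor is enough for `transforms/write`; its `notActions` still keep the service principal from editing role assignments, which makes it the narrower choice than Owner for an application identity.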