Cannot get Azure subscriptions using `msal` and requests in python through REST API
I can get subsriptions using token captured from browser:
Then I switch to Python and msal.
I use the following code:
import msal
import requests
import sys
import json
data = json.load(open("parameters.json"))
config = {
"authority": f"https://login.microsoftonline.com/{data['tenant']}",
"client_id": data["client_id"],
"client_secret": data["client_secret"],
"scopes": [
"https://management.azure.com/.default",
]
}
app = msal.ConfidentialClientApplication(
data["client_id"],
authority=f"https://login.microsoftonline.com/{data['tenant']}",
client_credential=data["client_secret"],
)
result = app.acquire_token_for_client(scopes=[
"https://management.azure.com/.default",
])
if "access_token" in result:
print("success")
else:
print(result.get("error"))
print(result.get("error_description"))
print(result.get("correlation_id"))
sys.exit(-1)
headers = {
"Authorization": f"Bearer {result['access_token']}"
}
response = requests.get(
headers=headers, url="https://management.azure.com/subscriptions?api-version=2019-08-01")
if response.status_code == 200:
print(response.content)
else:
print(response.status_code)
However, I cannot get desired result:
success
b'{"value":[],"count":{"type":"Total","value":0}}'
The permissions are already granted:
I tried to add "https://management.azure.com//user_impersonation" to scope, but it fails with error:
AADSTS1002012: The provided value for scope https://management.azure.com//user_impersonation is not valid. Client credential flows must have a scope value with /.default suffixed to the resource identifier (application ID URI).
I reads about the "OBO" flow, but my app isn't supposed to need user interactions.
Ask: Does I miss something in the auth flow or permissions?
Solution
You need to assign at least Reader role to the service principal before generating access token to call Azure Management API.
In my case, I registered one Microsoft Entra ID application and created one secret in it as below:
Now, I assigned Reader role to the service principal under the management group as below:
When I ran your code after assigning role to service principal, I got the response successfully like this:
import msal
import requests
import sys
import json
data = json.load(open("parameters.json"))
config = {
"authority": f"https://login.microsoftonline.com/{data['tenant']}",
"client_id": data["client_id"],
"client_secret": data["client_secret"],
"scopes": [
"https://management.azure.com/.default",
]
}
app = msal.ConfidentialClientApplication(
data["client_id"],
authority=f"https://login.microsoftonline.com/{data['tenant']}",
client_credential=data["client_secret"],
)
result = app.acquire_token_for_client(scopes=[
"https://management.azure.com/.default",
])
if "access_token" in result:
print("success")
else:
print(result.get("error"))
print(result.get("error_description"))
print(result.get("correlation_id"))
sys.exit(-1)
headers = {
"Authorization": f"Bearer {result['access_token']}"
}
response = requests.get(
headers=headers, url="https://management.azure.com/subscriptions?api-version=2019-08-01")
if response.status_code == 200:
print(response.content)
else:
print(response.status_code)
Response:
- Create a new column of dictionaries where keys are in another column of lists, and values are found by looking up the keys in another column
- When I create an array of Numpy floats, I get an array of Python floats
- Download an image from image url
- Regarding good coding practices, what is meant by "Useless return at end of function and method"?
- Can the * (unpacking) operator be typed in Python? Or any other variadic args function such that all variadic types are in the result type?
- Why does using the GPU cause a slowdown when performing svd on a double-precision array?
- Python convert mm/dd/yyyy to yyyymmdd using date_format
- Python Webscraping: grequests vs. mult-threaded requests?
- With python sh module, how to preserve combined stdout and stderr?
- How to suppress py.test internal deprecation warnings
- Python: check for data type in list
- Why does inspect identify decorated methods as functions instead of methods in Python?
- Pycharm stopped displaying import errors
- Strange session behaviour with a Flask app on Heroku
- NameError: name 'Frame' is not defined (Python)
- Is there difference between _function and function?
- Does Python have an ordered set?
- Create JSON from CSV and add some header lines with Pandas
- How can I get the date from weeknr and year using strptime
- Python error with request post : 'Connection aborted, timeout('The write operation timed out')
- Why is this monkeypatch in pytest not working?
- Find common characters between two strings
- SSL: CERTIFICATE_VERIFY_FAILED certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))
- python equivalent to clojure's partition-all?
- python equivalent of java OutputStream?
- Python TimedRotatingFileHandler overwrites logs
- python 2.7 equivalent of built-in method int.from_bytes
- Getting all combinations of key/value pairs in a Python dict
- how to run a django python file from command line
- Why do I get this DBeaver error when importing data from a CSV file?