How to give API read / write permission for an added application in Azure

0
votes

When calling an API https://docs.microsoft.com/en-us/rest/api/virtualnetwork/publicipaddresses/list to get List IP Addresses through a postman I'm getting the following error :

{"error":{"code":"AuthorizationFailed","message":"The client 'acc04996-6ca3-4a2f-ba94-xxxx' with object id 'acc04996-6ca3-4a2f-ba94-xxxx' does not have authorization to perform action 'Microsoft.Network/publicIPAddresses/read' over scope '/subscriptions/a530d6ae-6e7f-4c74-89fb-97273a63f8cd/resourceGroups/nag_resource_group/providers/Microsoft.Network' or the scope is invalid. If access was recently granted, please refresh your credentials."}}

Please let me know how to grant permission so that I can call all the API's through Postman. Thanks

1
azureazure-active-directory
How are you getting the authorization token? - Gaurav Mantri
I'm generating the token in Postman. By using the following URL login.microsoftonline.com{{tenent-id}}/oauth2/token - Sheik Sena Reddy
Without digging into documentation, I'm not in front of a computer, I believe I've done this with a service principal - Patrick Goode

1 Answers

0
votes

The error means your client app does not have the permission to do the Microsoft.Network/publicIPAddresses/read action.

To fix the issue, just navigate to the subscription or the resource group nag_resource_group in the portal -> Access control (IAM) -> Add -> Add role assignment -> search for your client app name and add it as a role e.g. Contributor, Virtual Machine Contributor.

enter image description here

If you don't want the built-in roles, you can also create a custom RBAC role, just include the Microsoft.Network/publicIPAddresses/read action in its Actions. If you are not familar with Azure RBAC roles, please refer to this link.