I am trying to get managed identity object of Azure data factory programmatically (using Python).

To do so, I am following the below steps:

  1. Register an App in Azure Active Directory to get client ID, add client secret, tenant id, scope.
  2. Followed the steps in the link below to get an access token for the app registered in #1: https://github.com/AzureAD/microsoft-authentication-library-for-python/blob/dev/sample/confidential_client_secret_sample.py
  3. Add the registered app to the data factory subscription with the role 'Owner'
  4. Use the below code:
# request_token is the access token from #2
head = {"Authorization": "Bearer {}".format(request_token)}
requests.get('https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DataFactory/factories/{factoryName}?api-version=2018-06-01', headers = head)

as provided in this link: https://docs.microsoft.com/en-us/azure/data-factory/data-factory-service-identity

After following these steps, the response from #5 is error="invalid_token", error_description="Could not find identity for access token."

The app registration does not have an identity section to check for managed identity.

Am I missing any step here?

Please find below the code. Thanks for your time!

import sys
import json
import logging

import requests
import msal

# Placeholders: fill in the values from the app registration (step #1).
input_client_id = "<client_id>"
input_authority = "https://login.microsoftonline.com/<tenant_id>"
input_secret = "<client_Secret>"
input_scope = ["https://graph.microsoft.com/.default"]
input_endpoint = "https://graph.microsoft.com/v1.0/applications"

app = msal.ConfidentialClientApplication(
    input_client_id, authority=input_authority,
    client_credential=input_secret,
    # token_cache=...  # Default cache is in memory only.
                       # You can learn how to use SerializableTokenCache from
                       # https://msal-python.rtfd.io/en/latest/#msal.SerializableTokenCache
    )

# Client-credentials flow: no user, the app authenticates with its secret.
result = app.acquire_token_for_client(scopes=input_scope)

print('Access Token', result['access_token'])
request_token = result['access_token']
head = {"Authorization": "Bearer {}".format(request_token)}
# Same ARM request as in step #4 above (placeholders for the factory's identifiers).
response = requests.get('https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DataFactory/factories/{factoryName}?api-version=2018-06-01', headers=head)

Part of the error response:

{'Cache-Control': 'no-cache', 'Pragma': 'no-cache', 'Content-Type': 'application/json; charset=utf-8', 'Expires': '-1', 'WWW-Authenticate': 'Bearer authorization_uri="https://login.windows.net/<tenant_id>", error="invalid_token", error_description="Could not find identity for access token."'

1 Answer

Try to replace the scope https://graph.microsoft.com/.default with https://management.azure.com/.default.

When you request the Azure management REST API, you need this scope.
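The point the answer makes is that each Azure API is its own OAuth resource: the scope handed to MSAL decides which resource the token is minted for, and Azure Resource Manager rejects a token minted for Microsoft Graph. The following is an added example, not code from the question or the answer, showing the corrected scope alongside a local check of the token's audience claim before the ARM call is sent. It assumes ARM tokens carry the resource URL in the `aud` claim (some tokens carry an application-id GUID instead; the `ACCEPTED_AUDIENCES` table is where that would be extended), and the `make_unsigned_jwt` helper and the `acquire_token` / `get_data_factory` function names are constructed for this example. `acquire_token` takes an `msal.ConfidentialClientApplication` built exactly as in the question; the demo at the bottom uses constructed tokens so it runs offline.

```python
import base64
import json

# Each Azure API is a separate OAuth resource. Requesting "<resource>/.default"
# mints a token whose "aud" claim is that resource; ARM rejects a Graph token
# with "Could not find identity for access token", as seen in the question.
ARM_RESOURCE = "https://management.azure.com"
GRAPH_RESOURCE = "https://graph.microsoft.com"

# Assumption: the audience is the resource URL, with or without a trailing slash.
ACCEPTED_AUDIENCES = {
    ARM_RESOURCE: {"https://management.azure.com", "https://management.core.windows.net"},
    GRAPH_RESOURCE: {"https://graph.microsoft.com"},
}


def scope_for(resource):
    """Client-credentials scope for a resource: '<resource>/.default'."""
    return [resource.rstrip("/") + "/.default"]


def acquire_token(app, resource):
    """Get an app-only token for `resource` from an msal.ConfidentialClientApplication
    (or any object with the same acquire_token_for_client method) and surface errors
    instead of failing later with a KeyError on 'access_token'."""
    result = app.acquire_token_for_client(scopes=scope_for(resource))
    if "access_token" not in result:
        raise RuntimeError("token request failed: {}: {}".format(
            result.get("error"), result.get("error_description")))
    return result["access_token"]


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Read the claims of a compact JWT without verifying the signature.
    Local inspection only; the resource server does the real validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def token_is_for(token, resource):
    """True when the token's audience matches the API we are about to call."""
    aud = str(jwt_claims(token).get("aud", "")).rstrip("/")
    return aud in ACCEPTED_AUDIENCES[resource]


def data_factory_url(subscription_id, resource_group, factory_name):
    return ("{}/subscriptions/{}/resourceGroups/{}/providers/Microsoft.DataFactory"
            "/factories/{}?api-version=2018-06-01").format(
                ARM_RESOURCE, subscription_id, resource_group, factory_name)


def get_data_factory(http_get, token, subscription_id, resource_group, factory_name):
    """Call ARM for the factory, refusing to send a token minted for another resource.
    `http_get` is requests.get or any callable with the same (url, headers=) shape."""
    if not token_is_for(token, ARM_RESOURCE):
        raise ValueError("token audience {!r} is not ARM; request scope {}".format(
            jwt_claims(token).get("aud"), scope_for(ARM_RESOURCE)[0]))
    return http_get(data_factory_url(subscription_id, resource_group, factory_name),
                    headers={"Authorization": "Bearer " + token})


def make_unsigned_jwt(claims):
    """Constructed, unsigned JWT for offline demonstration only (never accept one of these)."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return seg({"alg": "none", "typ": "JWT"}) + "." + seg(claims) + "."


if __name__ == "__main__":
    # Constructed tokens standing in for what MSAL returns for each scope.
    graph_token = make_unsigned_jwt({"aud": "https://graph.microsoft.com", "appid": "<client_id>"})
    arm_token = make_unsigned_jwt({"aud": "https://management.azure.com/", "appid": "<client_id>"})
    print("Graph token accepted for ARM:", token_is_for(graph_token, ARM_RESOURCE))
    print("ARM token accepted for ARM:  ", token_is_for(arm_token, ARM_RESOURCE))
    print("scope to request:", scope_for(ARM_RESOURCE)[0])
```

In practice, replace `input_scope` in the question's script with `scope_for(ARM_RESOURCE)` and pass `requests.get` as `http_get`; the audience check turns the remote "invalid_token" response into a local error that names the scope to request.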