Authorization failing with 401 while trying to access Azure REST APIs - azure

I'm trying to call the built-in Azure API by generating a bearer token. The bearer token is generated using "https://login.microsoftonline.com/{tenantID}/oauth2/token", and using this token I'm trying to access the Get Device API from IoT Hub. The headers I am providing for the REST API call are Content-Type and Authorization (with the bearer token). But it is returning the error message below:
"Message": "ErrorCode:IotHubUnauthorized;3cc43d2f-def7-4a3e-a2ue-eb367467ab90 is not valid"
Can anyone please help me in solving this?

To connect to your IoT Hub's Service API, you need a shared access token, not an OAuth2 token. You can generate the token you need to set in your header through the az cli:
az iot hub generate-sas-token -n {iothub_name}
If you like a more visual approach, you can use the Device Explorer. You can simply enter your IoT Hub connection string with service connect or iothubowner right and generate the token.
You can then use the service endpoints of your IoT Hub, here's an example curl request:
curl --request GET \
https://<hub-name>.azure-devices.net/devices?api-version=2018-06-30 \
--header "Authorization: SharedAccessSignature sr=<hub-name>.azure-devices.net&sig=KSobATNRdkFtd999999990v7NYU4hitkTA3ts%3D&se=1626508840&skn=iothubowner"

Related

Microsoft Defender for Cloud Apps REST API- Insufficient role based permissions

I am trying to investigate file uploads to see if they are matched by File Scan policies in Microsoft Defender for Cloud Apps (aka MCAS). I can see them fine at the portal but I need to automate the process via API.
As per the documentation, I did create an Azure AD application and provided the permissions. This is needed to get an access token, which is needed to make API calls.
I am getting an "Insufficient role based permissions" error when I call https://aspnet4you2.us3.portal.cloudappsecurity.com/api/v1/files/.
I get the same error if I use https://portal.cloudappsecurity.com/cas/api/v1/files/
Any idea how to solve this Insufficient permission issue?
I tried to reproduce the same in my environment and got the results below.
I registered one Azure AD application and granted API permissions as below:
Now I generated an access token via Postman with the parameters below:
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
client_id:appID
grant_type:client_credentials
client_secret:secret
scope:05a65629-4c1b-48c1-a78b-804c4abdd4af/.default
Response:
When I used the above token to get files with both URLs, I got same error as below:
GET https://portal.cloudappsecurity.com/cas/api/v1/files/
Authorization: Bearer <token>
GET https://mytenantname.us3.portal.cloudappsecurity.com/api/v1/files/
Authorization: Bearer <token>
With the same token, I'm able to call all other APIs like alerts, activities etc. like below:
GET https://mytenantname.us3.portal.cloudappsecurity.com/api/v1/alerts/
Authorization: Bearer <token>
Note that calling file APIs is not available in application context.
Alternatively, you can make use of the legacy method by generating an API token like below:
Go to Defender for Cloud Apps portal -> Settings -> Security extensions -> API tokens -> Add a token
Now, enter Token name and select Generate as below:
API token will be generated successfully and copy the token to use in Postman:
When I used the above API token to call files API with both URLs, I got response successfully as below:
GET https://portal.cloudappsecurity.com/cas/api/v1/files/
Authorization: Token <token>
GET https://mytenantname.us3.portal.cloudappsecurity.com/api/v1/files/
Authorization: Token <token>
You can try the same in your environment by generating API token instead of Bearer token to call Files API.
Reference:
Defender for Cloud Apps file API “Insufficient role based permissions” by Sangho Cho

How to connect to Azure Databricks' Hive using a SQLAlchemy from a third party app using a service principal?

I want to connect Superset to Databricks for querying the tables. Superset uses SQLAlchemy to connect to databases, which requires a PAT (Personal Access Token) for access.
It is possible to connect and run queries when I use the PAT I generated on my account through the Databricks web UI. But I do not want to use my personal token in a production env. Even so, I was not able to find how to generate a PAT-like token for a Service Principal.
The working SQLAlchemy URI looks like this:
databricks+pyhive://token:XXXXXXXXXX@aaa-111111111111.1.azuredatabricks.net:443/default?http_path=sql%2Fprotocolv1%qqq%wwwwwwwwwww1%eeeeeeee-1111111-foobar00
After checking the Azure docs, there are two ways to run queries between Databricks and another service:
Create a PAT for a Service Principal to be associated with Superset.
Create a user AD account for Superset.
For the first and preferred method, I was able to advance, but I was not able to generate the Service Principal's PAT:
I was able to register an app in Azure AD.
So I got the tenant ID and client ID and created a secret for the registered app.
With this info, I was able to curl Azure and receive a JWT token for that app.
But all the tokens referred to in the docs are JWT OAuth2 tokens, which do not seem to work with the SQLAlchemy URI.
I know it's possible to generate a PAT for a Service Principal, since there is a mention of how to read, update and delete a Service Principal's PAT in the documentation. But it has no information on how to create a PAT for a Service Principal.
I prefer to avoid using the second method (creating an AD user for Superset) since I am not allowed to create/manage users for the AD.
In summary, I have a working SQLAlchemy URI, but I want to use a generated token, associated with a Service Principal, instead of using my PAT. But I can't find how to generate that token (I only found documentation on how to generate OAUTH2 tokens).
You can create a PAT for a service principal as follows (examples are taken from the docs; do export DATABRICKS_HOST="https://hostname" before executing):
Add service principal into the Databricks workspace using SCIM API (doc):
curl -X POST "$DATABRICKS_HOST/api/2.0/preview/scim/v2/ServicePrincipals" \
  --header 'Content-Type: application/scim+json' \
  --header 'Authorization: Bearer <personal-access-token>' \
  --data-raw '{
    "schemas": [
      "urn:ietf:params:scim:schemas:core:2.0:ServicePrincipal"
    ],
    "applicationId": "<application-id>",
    "displayName": "test-sp",
    "entitlements": [
      { "value": "allow-cluster-create" }
    ]
  }'
Get AAD Token for service principal (doc, another option is to use az-cli):
export DATABRICKS_TOKEN=$(curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=client_credentials&client_id=<client-id>&resource=2ff814a6-3304-4ab8-85cb-cd0e6f879c1d&client_secret=<application-secret>' \
  https://login.microsoftonline.com/<tenant-id>/oauth2/token | jq -r .access_token)
Generate token using the AAD Token (doc):
curl -s -n -X POST "$DATABRICKS_HOST/api/2.0/token/create" --data-raw '{
  "lifetime_seconds": 100,
  "comment": "token for superset"
}' -H "Authorization: Bearer $DATABRICKS_TOKEN"

Delete device using the REST API of Azure Device Provisioning Service?

What is the format of the URL needed to delete an already registered device in Azure IoT Hub using Device Provisioning Service...
I read this article but it throws me a 404:
https://learn.microsoft.com/en-us/rest/api/iot-dps/deletedeviceregistrationstate/deletedeviceregistrationstate
In the request header I added the If-Match tag, but do I need to add an Authorization tag with the SAS token, and if I need the SAS token, will it be the one which I used for registering the device using Device Provisioning Service?
if I need the SAS token, will it be the one which I used for registering the device using Device Provisioning Service
There are some steps that you need to follow to generate the access_token that will be used in the Authorization header of the request.
Prerequisites:
Install Python 2.7+
Install Azure CLI 2.0+
Login to CLI
Below are the steps:
Login with Azure CLI
az login
Set Active Subscription
az account set --subscription "your subscription name or id"
Create Service Principal
az ad sp create-for-rbac -n "your service principal name. Can be like 'jongpostman7'"
The output of the above command will be something like the image below.
Copy this output to a temp location; you will need the values in a minute.
Coming to the Postman request now. You need to first call the AAD Token request whose response will provide you with the access_token. This access token you can use in the DPS delete device request. The AAD request will be like below:-
POST https://login.microsoftonline.com/{{tenantId}}/oauth2/token
Refer image below for the request body.
grant_type is client_credentials
client_id is the appId received in above command output
client_secret is the password received in above command output
tenant_id is the tenant received in above command output
resource is https://management.azure.com/
The response of the above request will be like below:
Now you have the access_token that can be used in the DPS delete device REST API.
The Authorization header will be like below:
Authorization: Bearer <access_token_received_above>
Reference link here.
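The token requests in the Defender for Cloud Apps, Databricks and DPS answers are the same client-credentials grant pointed at different audiences, and the first question on this page shows what happens when such a token is presented to a service that does not accept it. The following is an added Python example, not code from any of the answers or from Microsoft's libraries: it builds the form body for either endpoint version, reads the access_token field out of the endpoint's JSON reply, and decodes a token's claims (without verifying the signature) so that aud and exp can be checked before the target API is blamed. The sample token, tenant id and client id are constructed placeholders.

```python
import base64
import json
import time
from urllib.parse import urlencode

AAD = "https://login.microsoftonline.com"


def build_client_credentials_request(tenant_id, client_id, client_secret, resource=None, scope=None):
    """Return (url, form_body) for the client-credentials grant.

    Pass resource= for the v1 endpoint (/oauth2/token), as the DPS and Databricks answers do,
    or scope="<app-id-or-uri>/.default" for the v2 endpoint (/oauth2/v2.0/token), as the
    Defender for Cloud Apps answer does. The body is application/x-www-form-urlencoded.
    """
    if (resource is None) == (scope is None):
        raise ValueError("pass exactly one of resource= (v1) or scope= (v2)")
    form = {"grant_type": "client_credentials", "client_id": client_id, "client_secret": client_secret}
    if resource is not None:
        url, form["resource"] = f"{AAD}/{tenant_id}/oauth2/token", resource
    else:
        url, form["scope"] = f"{AAD}/{tenant_id}/oauth2/v2.0/token", scope
    return url, urlencode(form)


def extract_access_token(response_body):
    """Pull access_token out of the endpoint's JSON reply; AADSTS failures come back as 'error'."""
    data = json.loads(response_body)
    if "error" in data:
        raise RuntimeError(f"token request failed: {data['error']}: {data.get('error_description', '')}")
    return data["access_token"]


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Decode the claims of a compact JWT WITHOUT checking its signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_token_for(token, expected_aud, now=None):
    """List why a resource would refuse this token: wrong audience and/or already expired."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") != expected_aud:
        problems.append(f"aud is {claims.get('aud')!r}, expected {expected_aud!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


def make_sample_jwt(claims):
    """CONSTRUCTED token for offline tests: real tokens are signed by AAD, this one is not."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"


# Constructed claims shaped like a v1 token for the management API (placeholder ids).
SAMPLE_CLAIMS = {"aud": "https://management.azure.com/", "iss": "https://sts.windows.net/<tenant-id>/",
                 "appid": "<client-id>", "nbf": 1700000000, "exp": 1700003600}


if __name__ == "__main__":
    url, body = build_client_credentials_request("<tenant-id>", "<client-id>", "<secret>",
                                                 resource="https://management.azure.com/")
    print("POST", url)
    print(body)
    token = make_sample_jwt(SAMPLE_CLAIMS)
    print("for management API:", check_token_for(token, "https://management.azure.com/", now=1700000100))
    print("for an IoT Hub     :", check_token_for(token, "https://myhub.azure-devices.net", now=1700000100))
```

The second check_token_for call is the situation from the first question on this page: a token minted for one audience carried to a service that expects another credential entirely. Decoding claims this way is only a debugging aid; it proves nothing about the token's authenticity, which is the job of the service that validates the signature.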

Get iothub registered devices via REST API

Hello, I am trying to fetch devices present/registered at IoT Hub via the REST API. But I am confused about how to fetch all devices.
I have read the documentation here: IoT Hub Service - Get Devices
But when I send a request I am getting an error:
"Message": "ErrorCode:IotHubUnauthorizedAccess;Unauthorized",
"ExceptionMessage": "Tracking ID:a795ee1f7ae04adfa600333e45e9aa09-G:5-TimeStamp:06/29/2020 14:32:56"
Is there any auth token to provide in order to get devices?
So for a quick start on this we can use Postman with the Azure IoT Hub query language plus a SAS token for authorization.
Step 1: Generate the SAS token as said by Matthijs. Alternatively, we can quickly make use of the Device Explorer tool, or use this link to find SetupDeviceExplorer.msi. Copy the generated SAS token fully.
Step 2: Construct the query body.
The POST query looks like this sample. See Registry Manager - Query IoT Hub:
POST https://IOTHUB.azure-devices.net/devices/query?api-version=2020-03-13
{
"query": "SELECT deviceId FROM devices"
}
Step 3: For Authorization use the SAS token, and send the request to test it out.
A similar thread answered by RomanKiss can be read at Get all devices from IoT Azure Hub.
Please let us know if you need further help!
You can call the rest API using the Shared Access Signature. To get a valid token, you can use the Azure CLI like so:
az iot hub generate-sas-token -n <IoT hub name> --policy registryRead
This will produce an output like:
{
"sas": "SharedAccessSignature sr=iothubname.azure-devices.net&sig=kPszxZZZZZZZZZZZZZZZZZAhLTILsVpT0tp5sRSWiDZ0%3D&se=1593446477&skn=registryRead"
}
Then you need to use the value of "sas" as your Authorization header when you do your GET request. Curl example:
curl --location --request GET 'https://iothubname.azure-devices.net/devices?api-version=2019-07-01-preview' \
--header 'Authorization: SharedAccessSignature sr=iothubname.azure-devices.net&sig=kPszxZZZZZZZZZZZZZZZZZAhLTILsVpT0tp5sRSWiDZ0%3D&se=1593446477&skn=registryRead'
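The SharedAccessSignature header value that both answers above (and the answer to the first question on this page) obtain from the CLI or Device Explorer is an HMAC-SHA256 over the resource URI and expiry, keyed with the shared access policy key. The following is an added Python example, not code from either answer or from Azure's SDKs: it builds such a token for a hub-level policy and re-checks one the way the hub does (scheme, expiry, policy name, signature), which is useful for triaging an IotHubUnauthorized response from a test client. The hub name, policy name and both keys are constructed placeholders.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote

# Constructed demo keys (NOT real IoT Hub policy keys); a real key is the base64
# string shown under the shared access policy in the portal or returned by the CLI.
DEMO_KEY_B64 = base64.b64encode(b"constructed-demo-key-not-a-real-policy-key").decode("ascii")
OTHER_KEY_B64 = base64.b64encode(b"a-different-constructed-key").decode("ascii")


def generate_iothub_sas_token(hub_host, policy_name, policy_key_b64, expiry_epoch):
    """Build the 'SharedAccessSignature ...' Authorization header value for a hub-level policy.

    hub_host        resource URI being signed (sr), e.g. "myhub.azure-devices.net"
    policy_name     shared access policy name (skn), e.g. "iothubowner" or "registryRead"
    policy_key_b64  that policy's base64-encoded key
    expiry_epoch    Unix time in seconds after which the hub rejects the token (se)
    """
    sr = quote(hub_host, safe="")
    # The signed string is "<url-encoded sr>\n<expiry>", keyed with the decoded policy key.
    string_to_sign = f"{sr}\n{expiry_epoch}".encode("utf-8")
    digest = hmac.new(base64.b64decode(policy_key_b64), string_to_sign, hashlib.sha256).digest()
    sig = base64.b64encode(digest).decode("ascii")
    return f"SharedAccessSignature sr={sr}&sig={quote(sig, safe='')}&se={expiry_epoch}&skn={policy_name}"


def verify_iothub_sas_token(header_value, policy_keys_b64, now=None):
    """Re-check a token the way the hub does: scheme, fields, expiry, policy, then the HMAC.

    policy_keys_b64 maps policy name -> base64 key. Returns "ok" or a short reason.
    This is a reference check for tests and log triage, not a replacement for the service.
    """
    now = int(time.time()) if now is None else now
    scheme, _, params = header_value.partition(" ")
    if scheme != "SharedAccessSignature":
        return "not a SharedAccessSignature (an OAuth Bearer token is a different scheme)"
    fields = {k: v[0] for k, v in parse_qs(params).items()}
    try:
        sr, sig, se, skn = fields["sr"], fields["sig"], int(fields["se"]), fields["skn"]
        provided = base64.b64decode(sig, validate=True)
    except (KeyError, ValueError):  # binascii.Error is a ValueError subclass
        return "malformed token"
    if se <= now:
        return "expired"
    if skn not in policy_keys_b64:
        return "unknown policy"
    expected = hmac.new(base64.b64decode(policy_keys_b64[skn]),
                        f"{quote(sr, safe='')}\n{se}".encode("utf-8"), hashlib.sha256).digest()
    # Constant-time comparison so the check itself does not leak the signature.
    return "ok" if hmac.compare_digest(provided, expected) else "bad signature"


def demo():
    """Exercise both functions with the constructed keys and return the outcomes."""
    token = generate_iothub_sas_token("myhub.azure-devices.net", "registryRead", DEMO_KEY_B64, 1700000000)
    keys = {"registryRead": DEMO_KEY_B64}
    return {
        "token": token,
        "valid": verify_iothub_sas_token(token, keys, now=1699999000),
        "expired": verify_iothub_sas_token(token, keys, now=1700000001),
        "wrong_scheme": verify_iothub_sas_token("Bearer eyJhbGciOi.constructed.jwt", keys, now=1699999000),
        "unknown_policy": verify_iothub_sas_token(token, {"iothubowner": DEMO_KEY_B64}, now=1699999000),
        "wrong_key": verify_iothub_sas_token(token, {"registryRead": OTHER_KEY_B64}, now=1699999000),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The "wrong_scheme" case is the first question on this page in miniature: a Bearer token never reaches the signature check because the hub's service endpoints expect this scheme. Keep se short (the CLI default is one hour) and use the least-privileged policy the call needs, for example registryRead for listing devices rather than iothubowner.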

How to use Azure API for FHIR Server without any authorization token

I have created a resource for Azure API for FHIR Server. I am able to see the metadata information using a URL like https://fhir-server-url/metadata. As mentioned in the documentation https://learn.microsoft.com/en-us/azure/healthcare-apis/access-fhir-postman-tutorial, to access other URLs like https://fhir-server-url/Patient we need to get the authorization token first. To get the authorization token we need a ClientID, which we can get by creating an application in Azure Active Directory. But I don't have access to it.
Is there any way I could access this URL without requiring the authorization token, by making some setup in the Azure Portal?
If you are using the first party audience (e.g. https://azurehealthcareapis), which is the default when deploying the Azure API for FHIR, you can actually use a first party client application such as the Azure CLI to get a token. Check https://learn.microsoft.com/azure/healthcare-apis/get-healthcare-apis-access-token-cli for details.
First log in with the Azure CLI (https://learn.microsoft.com/cli/azure/?view=azure-cli-latest):
az login
Get a token and store it:
token=$(az account get-access-token --resource=https://azurehealthcareapis.com | jq -r .accessToken)
Use the token:
curl -X GET --header "Authorization: Bearer $token" https://<FHIR ACCOUNT NAME>.azurehealthcareapis.com/Patient
It looks like, from the FHIR Server docs, you can turn this on or off based on the FhirServer:Security:Enabled config setting; see https://github.com/microsoft/fhir-server/blob/master/docs/Authentication.md
"FhirServer": {
  "Security": {
    "Enabled": true,
    "Authentication": {
      "Audience": "fhir-api",
      "Authority": "https://localhost:44348"
    }
  }
}
One way is to get your app registration in Azure Active Directory (AAD).
You would need two app registrations in AAD to get the client ID and client secret for authorization token retrieval.