Reputation: 262
I have a Synapse workspace and a service principal scoped to the resource group containing that Synapse workspace. When I call a data plane API to list the linked services from Python code, I get the below error:
response.text: {"code":"InvalidTokenAuthenticationAudience","message":"Token Authentication failed with SecurityTokenInvalidAudienceException - IDX10214: Audience validation failed. Audiences: 'System.String'. Did not match: validationParameters.ValidAudience: 'System.String' or validationParameters.ValidAudiences: 'System.String'."}
The code is as follows:
import json
import requests
import adal
TENANT_ID = "XXX"
CLIENT_ID = "XXX"
CLIENT_SECRET = "XXX"
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}"
context = adal.AuthenticationContext(AUTHORITY)
token = context.acquire_token_with_client_credentials(CLIENT_ID, CLIENT_ID, CLIENT_SECRET)
endpoint = "https://XXX.dev.azuresynapse.net/linkedservices?api-version=2020-12-01"
http_headers = {
    'Authorization': 'Bearer ' + token['accessToken'],
    'Accept': 'application/json',
    'Content-Type': 'application/json'
}
response = requests.get(url=endpoint, headers=http_headers)
print("response.text:", response.text)
Does anyone know how I can get this working?
Upvotes: 1
Views: 1690
Reputation: 262
OK, after significant web surfing, I got it working:
Edit the above line as follows:
token = context.acquire_token_with_client_credentials(resource="https://dev.azuresynapse.net/", client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
Ensure that the service principal has at least Microsoft.Synapse/workspaces/read access on the Synapse workspace. For now, I did this by opening the Synapse Studio, clicking manage --> access control, and adding the service principal as a synapse administrator.
Upvotes: 3
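A diagnostic for the audience error above, as an added example that is not part of the original question or answer: it decodes a token's `aud` claim (without verifying the signature) and compares it to the resource used in the answer's fixed call. In the question's call the first positional argument of `acquire_token_with_client_credentials` (the resource) is `CLIENT_ID`, so the token is issued for the wrong audience. The helper names, the trailing-slash normalization, and the sample tokens are assumptions constructed for illustration.

```python
import base64
import json

# Resource used in the answer's fixed call; treated here as the expected audience.
SYNAPSE_RESOURCE = "https://dev.azuresynapse.net/"


def jwt_claims(token: str) -> dict:
    """Decode the payload of a JWT WITHOUT verifying its signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_matches(token: str, expected: str = SYNAPSE_RESOURCE) -> bool:
    """True if any 'aud' value equals the expected resource, ignoring a trailing slash."""
    aud = jwt_claims(token).get("aud", [])
    audiences = [aud] if isinstance(aud, str) else list(aud)
    return expected.rstrip("/") in {a.rstrip("/") for a in audiences}


def make_sample_token(aud: str) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc({'aud': aud})}.sig"


if __name__ == "__main__":
    # Constructed samples: a client-ID audience (the question's call) vs. the Synapse resource.
    wrong = make_sample_token("00000000-0000-0000-0000-000000000000")
    right = make_sample_token(SYNAPSE_RESOURCE)
    for name, tok in (("question", wrong), ("answer", right)):
        print(name, jwt_claims(tok)["aud"], "->", audience_matches(tok))
```

Passing `token['accessToken']` to `audience_matches` before calling the endpoint shows whether the token was requested for the Synapse resource.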