SQL_Noob

Reputation: 147

Why does System Assigned Managed Identity not have access to Azure management API?

I was attempting to follow the tutorial here - https://medium.com/azure-tutorials/custom-queue-mechanism-for-data-factory-pipelines-a1b0809ec790

But I can't seem to get the correct authentication. When I try the System Assigned Managed Identity I get error:

{"error":{"code":"AuthorizationFailed","message":"The client {client} with object id {object} does not have authorization to perform action 'Microsoft.DataFactory/factories/querypipelineruns/read' over scope '/subscriptions/{subscription}/resourceGroups/{resourcegroup}/providers/Microsoft.DataFactory/factories/{datafactory}' or the scope is invalid. If access was recently granted, please refresh your credentials."}}

I have also tried to do a User Assigned Managed Identity by creating it and adding it to the managed identities settings in my data factory, but I get the same error. When I try to call the API in the Microsoft tutorial (https://learn.microsoft.com/en-us/rest/api/datafactory/pipeline-runs/query-by-factory?view=rest-datafactory-2018-06-01&tabs=HTTP&tryIt=true&source=docs#code-try-0), everything works fine. Here is my web activity configuration:

Upvotes: 0

Views: 857

Answers (2)

Bhavani

Reputation: 5317


The user-assigned managed identity doesn't have permission to the API; that may be the reason for getting the above error. Add the Data Factory Contributor role to the user-assigned managed identity as follows:

Step 1: Go to the IAM of the blob storage account and click on "Add role assignment" as shown below:


Step 2: Search for the Data factory contributor role and select it, as shown below:

Step 3: Select the Managed identity, as shown below:


Select User-assigned managed identity authentication in web activity as below:


The pipeline will run successfully without any error:


Also check this SO answer for reference.

Upvotes: 0

ShaikMaheer

Reputation: 273

It seems you are making the API call to a different data factory resource. Consider granting the Contributor role to your system-assigned managed identity on that data factory, then retry running the web activity to make the API call.

Upvotes: 0
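Both answers come down to the same check: the identity named in the `AuthorizationFailed` body must hold a role whose actions cover `Microsoft.DataFactory/factories/querypipelineruns/read` at, or above, the exact scope the error names. The script below is an added example and is not code from the question, either answer, or Microsoft. It parses the error body quoted in the question (with the `{client}`, `{object}` and resource placeholders replaced by constructed GUIDs and names), models how Azure RBAC matches an action pattern and a scope prefix, and, when no existing assignment covers the request, builds the `az role assignment create` command for the Data Factory Contributor role at the scope from the error. The `assignments` dict shape is an assumption for the example, not the `az role assignment list` output format.

```python
"""Diagnose an ARM AuthorizationFailed error and decide which role assignment would clear it.

Added example; the assignment dict shape and the sample values are constructed for
illustration and are not the question's real identity or resource names.
"""
import json
import re

# Constructed sample input: the error body from the question with its
# placeholders filled in with made-up GUIDs and resource names.
SAMPLE_ERROR = json.dumps({"error": {
    "code": "AuthorizationFailed",
    "message": (
        "The client 11111111-1111-1111-1111-111111111111 with object id "
        "22222222-2222-2222-2222-222222222222 does not have authorization to perform "
        "action 'Microsoft.DataFactory/factories/querypipelineruns/read' over scope "
        "'/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
        "/providers/Microsoft.DataFactory/factories/adf-demo' or the scope is invalid. "
        "If access was recently granted, please refresh your credentials."),
}})

RG_SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"

# Constructed assignments: one on a different factory (ShaikMaheer's scenario)
# and one on the resource group that contains the factory from the error.
WRONG_FACTORY_ASSIGNMENT = {
    "principalId": "22222222-2222-2222-2222-222222222222",
    "scope": RG_SCOPE + "/providers/Microsoft.DataFactory/factories/adf-other",
    "actions": ["Microsoft.DataFactory/factories/*"],
}
RG_ASSIGNMENT = {
    "principalId": "22222222-2222-2222-2222-222222222222",
    "scope": RG_SCOPE,
    "actions": ["Microsoft.DataFactory/factories/*"],
}

_MSG_RE = re.compile(r"object id (\S+) .*?perform action '([^']+)' over scope '([^']+)'")


def parse_authorization_failed(body):
    """Return (object_id, action, scope) from an ARM AuthorizationFailed response body."""
    err = json.loads(body).get("error", {})
    if err.get("code") != "AuthorizationFailed":
        raise ValueError("not an AuthorizationFailed error: %r" % err.get("code"))
    m = _MSG_RE.search(err.get("message", ""))
    if not m:
        raise ValueError("action/scope not found in error message")
    return m.group(1), m.group(2), m.group(3)


def action_matches(pattern, action):
    """Azure RBAC action strings use '*' as a wildcard, e.g. 'Microsoft.DataFactory/factories/*'."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def scope_covers(assignment_scope, resource_scope):
    """An assignment applies at its own scope and everything beneath it.
    Compare whole path segments, case-insensitively, so 'rg-demo' never covers 'rg-demo2'."""
    a = assignment_scope.lower().rstrip("/").split("/")
    r = resource_scope.lower().rstrip("/").split("/")
    return r[:len(a)] == a


def assignment_covers(assignment, object_id, action, scope):
    """True when the assignment is for this principal, at or above the scope, with a matching action."""
    return (assignment["principalId"].lower() == object_id.lower()
            and scope_covers(assignment["scope"], scope)
            and any(action_matches(p, action) for p in assignment["actions"]))


def diagnose(body, assignments):
    """Return None if an existing assignment already grants the action; otherwise the
    az CLI command that grants the role the answers recommend at the scope from the error."""
    object_id, action, scope = parse_authorization_failed(body)
    if any(assignment_covers(a, object_id, action, scope) for a in assignments):
        return None
    return ('az role assignment create --assignee-object-id %s '
            '--assignee-principal-type ServicePrincipal '
            '--role "Data Factory Contributor" --scope %s' % (object_id, scope))


if __name__ == "__main__":
    print(diagnose(SAMPLE_ERROR, [WRONG_FACTORY_ASSIGNMENT]) or "already covered")
```

With only the `adf-other` assignment present the script prints the `az role assignment create` command for `adf-demo`, which is the mismatch ShaikMaheer describes; with the resource-group assignment present it reports the request as already covered, because a role assigned at the group is inherited by every factory in it. Prefer the narrowest scope that works (the factory itself) over the resource group or subscription.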
