Powershell access works but AzureCliCredential fails with "Principal X is not authorized"

Question

In a Polyglot Notebook in VS Code, after

    az login --tenant xyz

I can

    az iot hub device-twin show --hub-name 'hub1' --device-id 'John' --query 'properties.desired' --output json --subscription 'sub1'

This is great.

Sadly, when trying to get the twin using C# I cannot get any of the AzureCredential's providers to work. For example:

    var hub = "hub1.azure-devices.net";
    var deviceId = "John";

    var credential = new AzureCliCredential(new AzureCliCredentialOptions { TenantId = "xyz", });

    var rm = RegistryManager.Create(hub, credential);

    var twin = await rm.GetTwinAsync(deviceId); // This fails

fails with:

> Error: Microsoft.Azure.Devices.Common.Exceptions.UnauthorizedException: {"Message":"ErrorCode:IotHubUnauthorized;Principal <edited>@<edited>.com is not authorized for GET on /twins/John due to no assigned permissions","ExceptionMessage":"Tracking ID:abc:0-TimeStamp:06/26/2023 07:44:12"}
>

The error is the same when trying with InteractiveBrowserCredential.

Using a connection string works:

    var rm = RegistryManager.CreateFromConnectionString("HostName=hub1.azure-devices.net;SharedAccessKeyName=iothubowner;SharedAccessKey=abc=");

    var twin = await rm.GetTwinAsync(deviceId); // This works

Q: Can I authenticate to Azure with my personal account using AzureCliCredential/InteractiveBrowserCredential?

The included libraries are:

    #i "nuget:https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet5/nuget/v3/index.json"
    #i "nuget:https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-tools/nuget/v3/index.json"

    #r "nuget:Azure.Identity"
    #r "nuget:Microsoft.Extensions.Azure"
    #r "nuget:Microsoft.Azure.Devices"

    using Azure.Identity;
    using Microsoft.Extensions.Azure;
    using Microsoft.Azure.Devices;

Answer 1

Score: 1

> Error: Microsoft.Azure.Devices.Common.Exceptions.UnauthorizedException: {"Message":"ErrorCode:IotHubUnauthorized;Principal <edited>@<edited>.com is not authorized for GET on /twins/John due to no assigned permissions","ExceptionMessage":"Tracking ID:abc:0-TimeStamp:06/26/2023 07:44:12"}

The above error occurs when you don't have the proper role to access the device ID using credentials.

You need to use the **`IoT Hub Data Contributor`** role for your user, and you can use [DefaultAzureCredential](https://learn.microsoft.com/en-us/dotnet/api/overview/azure/identity-readme?view=azure-dotnet#defaultazurecredential) to fetch the twin using C#.

**Role:**
![enter image description here](https://i.imgur.com/V7fGcFr.png)

Used the same code with DefaultAzureCredential and it executed successfully.

**Code:**

    using Azure.Identity;
    using Microsoft.Azure.Devices;

    var hub = "<your-hub-name>.azure-devices.net";
    var deviceId = "<your-device-name>";

    // DefaultAzureCredential tries several sources in turn (environment, managed identity, Azure CLI, ...).
    var credential = new DefaultAzureCredential();
    // Authenticate to the hub with a Microsoft Entra ID token instead of a shared access key.
    var rm = RegistryManager.Create(hub, credential);
    var twin = await rm.GetTwinAsync(deviceId);
    Console.WriteLine(twin.DeviceScope);

**Output:**

    {
      "$metadata": {
        "$lastUpdated": "2021-08-11T05:22:12.3717129Z"
      },
      "$version": 1
    }

![enter image description here](https://i.imgur.com/rlreu9J.png)
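
To separate authentication from authorization in the failure above, this added example (not part of the original question or answer; hub, device, tenant, subscription and resource group values are placeholders) requests an IoT Hub data-plane token, prints the identity claims the hub evaluates, and on `UnauthorizedException` prints the role assignment that principal is missing.

```csharp
using System;
using System.Text;
using System.Text.Json;
using Azure.Core;
using Azure.Identity;
using Microsoft.Azure.Devices;
using Microsoft.Azure.Devices.Common.Exceptions;

// Placeholders (assumptions, not values from the page): use your own names.
var hubName = "<your-hub-name>";
var deviceId = "<your-device-name>";
var credential = new AzureCliCredential(
    new AzureCliCredentialOptions { TenantId = "<your-tenant-id>" });

// Step 1, authentication: get a token for the IoT Hub data plane and show
// which tenant and principal it names. This is the identity the hub checks.
var token = await credential.GetTokenAsync(
    new TokenRequestContext(new[] { "https://iothubs.azure.net/.default" }), default);
var claims = DecodePayload(token.Token);
Console.WriteLine($"tid={Claim(claims, "tid")} oid={Claim(claims, "oid")} upn={Claim(claims, "upn")}");

// Step 2, authorization: the data-plane call succeeds only if that principal
// holds an IoT Hub data role on the hub (or on a parent scope).
try
{
    using var rm = RegistryManager.Create($"{hubName}.azure-devices.net", credential);
    var twin = await rm.GetTwinAsync(deviceId);
    Console.WriteLine(twin.Properties.Desired.ToJson());
}
catch (UnauthorizedException ex)
{
    // Same case as the question's error. The answer's role is used below; for
    // read-only twin access the built-in "IoT Hub Data Reader" role is narrower.
    Console.WriteLine(ex.Message);
    Console.WriteLine($"az role assignment create --assignee {Claim(claims, "oid")} " +
        "--role \"IoT Hub Data Contributor\" --scope /subscriptions/<subscription-id>" +
        $"/resourceGroups/<resource-group>/providers/Microsoft.Devices/IotHubs/{hubName}");
}

// Decode the (unverified) JWT payload; used only to display claims locally.
JsonElement DecodePayload(string jwt)
{
    var b64 = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
    b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
    return JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(b64))).RootElement;
}

string Claim(JsonElement payload, string name) =>
    payload.TryGetProperty(name, out var v) ? v.ToString() : "(absent)";
```

The CLI call in the question can succeed without a data-plane role because `az iot hub` commands default to `--auth-type key`, which uses a shared access policy key rather than the signed-in Entra ID session; running the same command with `--auth-type login` exercises the same RBAC check as the C# code.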



huangapple
  • Posted on June 26, 2023 at 16:14:52