1

I have troubles acquiring an azure video indexer (ARM based) token as a deamon app. (I am able to upload a video using the portal generated token ). So I started by creating a registered App with with a client_secret I will use to request a token on the video indexer /generateAccessToken enpoint.

This registered app has the scope 'https://management.azure.com/user_impersonation' image description and added the registered app as Contributor on the video indexer RBAC (don't think it's necessary, but I did it to be sure)

When I get the token from '*https://login.microsoftonline.com/fbe3354f-$$$$-404a-8d93-da9b01b57c28/oauth2/v2.0/token*' an use it to request a video indexer token on '*https://management.azure.com/subscriptions/665eef5b-$$$$-43ad-9ec5-4afc5cd0a0e5/resourceGroups/ween-global/providers/Microsoft.VideoIndexer/accounts/ween-video-indexer/generateAccessToken?api-version=2022-04-13-preview*' I get this response :

{
"error": {
    "code": "ResourcePostActionFailed",
    "message": "ResourcePostActionFailed: Access Denied"
}

Does any one have an idea on how to proceed ?! Don't even know if what I did do far is right or not... : (

What Id did step by step

First round :

  • Created an ARM Video Indexer account through the portal,
  • I created a User managed identity for the Video Indexer to connect to Media Services (system managed identities were having issues)
  • Added this managed identity as a contributor for Media services.
  • Generated a "Contributor/Account" Video Indexer token using the portal
  • I uploaded a video using this token. Round successful !

Round 2 :

I need now a way to generate this "portal generated" video indexer token, because it lasts for 1h. In order to do that as a deamon app :

{
"error": {
    "code": "ResourcePostActionFailed",
    "message": "ResourcePostActionFailed: Access Denied"
}

}

It's like the Registered app is not allowed to access the video indexer api. Don't know why, because what I understood is that the access to the video indexer is now managed by RBAC policies and I added the registered app as a contributor of the video indexer resource. I must have done something wrong, or missed somehting important...

✔️ Resolution

I was sending an additionnal header 'Ocp-Apim-Subscription-Key' that was not expected and this was causing the this error response. Removing this additional header permit me to retrieve the video indexer token ! : )

General Grievance
  • 4,555
  • 31
  • 31
  • 45
Leonardo
  • 13
  • 4
  • Does this answer your question? [Azure Video Analyzer for Media - ARM\_ACCOUNT\_MUST\_BE\_MANAGED\_BY\_ARM](https://stackoverflow.com/questions/71402826/azure-video-analyzer-for-media-arm-account-must-be-managed-by-arm) – Ecstasy Jun 27 '22 at 05:15
  • [Daemon app that calls web APIs - acquire a token](https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-daemon-acquire-token?tabs=dotnet) – Ecstasy Jun 27 '22 at 05:16
  • Thanks you for your answer @DeepDave. I already got through this documentation, I have done all that. I gone through every step of the example and did the same using rest and nodejs. I got the basic azure credential token with the scope https://management.azure.com, but when I use it to generate the video indexer token, instead of having the token generated I have this "Access denied" error. I don't understant why and no one seems to have this issue, whitch is usually a good sign because this certainly means the problem is very simple... ^^ – Leonardo Jun 27 '22 at 08:02
  • did you succeeded generating an access token using the Azure portal? Under the Management API? Can you explain again where and how are you failing to generate the ARM token? Itai Product Manager @Azure Video Indexer – Itai Norman Jun 27 '22 at 16:40
  • Hi @Itai, I updated my question with a step by step description of what I did so far : ) – Leonardo Jun 27 '22 at 17:58
  • I found the issue, and it was purely on my fault. and has expected its was a really stupid issue. I wa sending an additional header 'Ocp-Apim-Subscription-Key' that is not expected and this was causing the "ResourcePostActionFailed" error response ! – Leonardo Jun 27 '22 at 18:08

1 Answers1

2

After 2 days of suffering and long tailed email exchange with Microsoft support I got the sequence which will work. At least to this current date 7 July 2022.

  • You'd have to do a generic HTTP call to fetch an access token. You can test this call in the browser via this link: https://learn.microsoft.com/en-gb/rest/api/videoindexer/generate/access-token#code-try-0, but it uses your login and password in order to pass Authentication bearer in the header
  • So, if you are doing it in logic app or a function you need to have an identity to pass which is AD OAuth token
  • You can either generate it for system-assigned managed identity or in which case it would your own App registrations identity, below you can see an example of form details who they are in Logic apps https://i.stack.imgur.com/EyUqJ.png
  • If you decide to go with your own App registrations identity you would need to give it Contributor permissions on Video Indexer and associated Media Service, but mainly you'd have to create and assign a custom role that will have Microsoft.VideoIndexer/accounts/generateAccessToken/action permission

Once you have the access token you then can upload and index a video file without any issues.

Il1723
  • 21
  • 2