Azure: The access token has been obtained from wrong audience or resource

Anup Singh · Dec 20, 2015 · Viewed 7.7k times

Trying to create a simple task to list all resources in the Azure portal. I followed the directions at the given URL and successfully received a token.

http://azure-sdk-for-python.readthedocs.org/en/latest/resourcemanagement.html#authentication

However, using the combination of the token and subscription_id, I am getting the following error.

ERROR:

azure.common.AzureHttpError: {"error"{"code":"AuthenticationFailed","message":"The access token has been obtained from wrong audience or resource '00000002-0000-0000-c000-000000000000'. It should exactly match (including forward slash) with one of the allowed audiences 'https://management.core.windows.net/','https://management.azure.com/'."}}  

I have created an application in Active Directory and assigned all permissions to Windows Active Directory.

Following is the code to get token:

import requests


def get_token_from_client_credentials(endpoint, client_id, client_secret):
    # Client-credentials request to the tenant's token endpoint.
    payload = {
        'grant_type': 'client_credentials',
        'client_id': client_id,
        'client_secret': client_secret
        # 'resource': 'https://management.core.windows.net/',
    }
    response = requests.post(endpoint, data=payload).json()
    return response['access_token']

auth_token = get_token_from_client_credentials(
    endpoint='https://login.microsoftonline.com/11111111111-1111-11111-1111-111111111111/oauth2/token',
    client_id='22222222-2222-2222-2222-222222222222',
    client_secret='test/one/year/secret/key')

Trying to consume this token in the following code:

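from azure.mgmt.common import SubscriptionCloudCredentials
from azure.mgmt.resource import ResourceManagementClient


def get_list_resource_groups(access_token, subscription_id):
    # Wrap the bearer token and subscription id, then list resource groups.
    cred = SubscriptionCloudCredentials(subscription_id, access_token)
    resource_client = ResourceManagementClient(cred)
    resource_group_list = resource_client.resource_groups.list(None)
    rglist = resource_group_list.resource_groups
    return rglist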

Answer

user5701745 · Dec 21, 2015

That is not impacting (it's an optional parameter)

Actually, the resource parameter is required in the Service to Service Calls Using Client Credentials flow for an access token; this parameter tells your application where to get the token. As you need to authenticate ARM requests, you need to set 'resource': 'https://management.core.windows.net/' in get_token_from_client_credentials().

And we can also get the information from your error message:

The access token has been obtained from wrong audience or resource '00000002-0000-0000-c000-000000000000'. It should exactly match (including forward slash) with one of the allowed audiences 'https://management.core.windows.net/','https://management.azure.com/'

If you have any concerns, please feel free to let me know.
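
Added example, not part of the question or the answer above: a local pre-flight check that reads the `aud` claim of a freshly issued token and compares it, exactly, against the two audiences named in the error message. The helper names (`token_audience`, `is_arm_token`, `make_sample_token`) are hypothetical, and the sample tokens are constructed and unsigned.

```python
import base64
import json

# Audiences ARM accepts, copied from the error message on this page.
ARM_AUDIENCES = ('https://management.core.windows.net/',
                 'https://management.azure.com/')


def _b64url(data):
    """Base64url-encode bytes without padding, as JWT segments are."""
    return base64.urlsafe_b64encode(data).rstrip(b'=').decode('ascii')


def token_audience(access_token):
    """Return the 'aud' claim of a JWT without verifying its signature.

    Diagnostic use only: this inspects a token you just requested; it
    does not validate it.
    """
    parts = access_token.split('.')
    if len(parts) != 3:
        raise ValueError('not a JWT: expected three dot-separated segments')
    payload = parts[1]
    payload += '=' * (-len(payload) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return claims.get('aud')


def is_arm_token(access_token):
    """True only if 'aud' exactly matches an allowed ARM audience."""
    return token_audience(access_token) in ARM_AUDIENCES


def make_sample_token(aud):
    """Build a constructed, unsigned token for the demonstration below."""
    header = _b64url(json.dumps({'alg': 'none', 'typ': 'JWT'}).encode())
    body = _b64url(json.dumps({'aud': aud}).encode())
    return '.'.join((header, body, 'sig'))


if __name__ == '__main__':
    for aud in ('00000002-0000-0000-c000-000000000000',
                'https://management.core.windows.net/',
                'https://management.core.windows.net'):  # no trailing slash
        print(aud, '->', is_arm_token(make_sample_token(aud)))
```

Calling `is_arm_token(auth_token)` before handing the token to `SubscriptionCloudCredentials` surfaces a missing or wrong `resource` value at the point where the token was requested.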