I need to access public API https://management.azure.com/subscriptions/xxx/resourceGroups/xxxx/providers/Microsoft.ContainerInstance/containerGroups/xxx from the Azure Container Instance. It appears that this API needs a Bearer Token. How can we generate the bearer token for this API from the ACI container.

Hi, The access token is the Bearer token. For example, in your previous question I showed how to retrieve access token via IMDS. Once you have this access token, you can add it in the Authorization header in the request to management.azure.com REST API. GET https://management.azure.com/subscriptions/<subscriptionId>/providers/Microsoft.ContainerInstance/containerGroups?api-version=2023-05-01 Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyIsImtpZCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyJ9.eyJhdWQiOiJodHRwczovL21hbm Curl command would be similar to below: curl -v -s -H "Authorization: Bearer ${access_token}" -H "Content-Type: application/json" https://management.azure.com/subscriptions/${subscription_id}/providers/Microsoft.ContainerInstance/containerGroups?api-version=2023-05-01 Please click Accept Answer and upvote if the above was helpful. Thanks. -TP

How to generate a bearer token on Azure container instance to access https://management.azure.com/subscriptions/xxx/resourceGroups/xxxx/providers/Microsoft.ContainerInstance/containerGroups/xxx

Accepted answer

TP 94,306 Reputation points

2023-10-05T07:28:40.57+00:00
Hi,

The access token is the Bearer token. For example, in your previous question I showed how to retrieve access token via IMDS. Once you have this access token, you can add it in the Authorization header in the request to management.azure.com REST API.

GET https://management.azure.com/subscriptions/<subscriptionId>/providers/Microsoft.ContainerInstance/containerGroups?api-version=2023-05-01 Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyIsImtpZCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyJ9.eyJhdWQiOiJodHRwczovL21hbm

Curl command would be similar to below:

curl -v -s -H "Authorization: Bearer ${access_token}" -H "Content-Type: application/json" https://management.azure.com/subscriptions/${subscription_id}/providers/Microsoft.ContainerInstance/containerGroups?api-version=2023-05-01

Please click Accept Answer and upvote if the above was helpful.

Thanks.

-TP
Please sign in to rate this answer.
NS 40 Reputation points

2023-10-05T11:00:53.65+00:00

Thanks for a prompt response.
I tried using the access token but the API request is failing.

I have used the below commands

response=$(curl -v -s -H Metadata:true http://169.254.169.254/metadata/identity/oauth2/token?resource=https://management.azure.com) token=$(echo $response | jq ".access_token" -r)

SandboxHost-638313891529306681:/# curl -X GET -H "Authorization: Bearer $token" https://management.azure.com/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.ContainerInstance/containerGroups/xxx?api-version=2023-05-01 {"error":{"code":"AuthorizationFailed","message":"The client '7358f022-c74f-4429-97cb-f46b288fee05' with object id '7358f022-c74f-4429-97cb-f46b288fee05' does not have authorization to perform action 'Microsoft.ContainerInstance/containerGroups/read' over scope '/subscriptions/0ce750b7-7d0e-40a5-815f-db2919ff2ed4/resourceGroups/myResourceGroup/providers/Microsoft.ContainerInstance/containerGroups/mycontainer' or the scope is invalid. If access was recently granted, please refresh your credentials."}}

Attached file with verbose output.log.txt

Can you please let me know if I am missing something.

Thanks.

TP 94,306 Reputation points

2023-10-05T11:11:44.7466667+00:00

Did you give the managed identity permission? Based on the error you received it seems the identity doesn't have necessary permission to call the API.

For example, you could navigate to the resource group in the portal -- Access control (IAM) blade, Add role assignment, select Reader role, Next, choose select Managed identity option, click Select members, select the manage identity for your container, Review + assign, etc.

TP 94,306 Reputation points

2023-10-06T10:07:07.6666667+00:00

@NS Any update?

NS 40 Reputation points

2023-10-06T12:02:46.0266667+00:00

Adding managed identity permission worked. I can access the API now.
Thank you for quick resolution.

USER01 20 Reputation points

2023-12-12T06:29:17.5766667+00:00

Hi
Is there a change in configuration on ACI.
I am getting the same error now inspite of enabling managed identity and adding Reader role

SandboxHost-638313891529306681:/# curl -X GET -H "Authorization: Bearer $token" https://management.azure.com/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.ContainerInstance/containerGroups/xxx?api-version=2023-05-01 {"error":{"code":"AuthorizationFailed","message":"The client '7358f022-c74f-4429-97cb-f46b288fee05' with object id '7358f022-c74f-4429-97cb-f46b288fee05' does not have authorization to perform action 'Microsoft.ContainerInstance/containerGroups/read' over scope '/subscriptions/xxx/resourceGroups/myResourceGroup/providers/Microsoft.ContainerInstance/containerGroups/mycontainer' or the scope is invalid. If access was recently granted, please refresh your credentials."}}

TP 94,306 Reputation points

2023-12-13T03:37:41.6533333+00:00

@USER01 I've not noticed any issues. Please test again when you get this and reply back with results. If you are still seeing the error I will see if I can reproduce it.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

How to generate a bearer token on Azure container instance to access https://management.azure.com/subscriptions/xxx/resourceGroups/xxxx/providers/Microsoft.ContainerInstance/containerGroups/xxx

0 additional answers

Your answer