permissions or AZ CLI

Omar Navarro 331 Reputation points
2023-01-03T19:28:43.673+00:00
az iot edge set-modules --hub-name "$IOT_HUB_NAME" --device-id "$DEVICE_ID" --content "$MANIFEST_FILE_PATH" --resource-group "$ResourceGroup" --only-show-error -o table

When executing the command on an Ubuntu device the following error occurs. The Service Principal currently has the Owner role but it seems to need another permission.

Tags: Azure IoT Edge, Azure IoT Hub

2 answers

  1. Matthijs van der Veer 4,376 Reputation points MVP
    2023-01-03T19:38:29.437+00:00

    With the owner role, you gain full control of the Azure resource. For instance, it can delete the IoT Hub.

    What you're trying to do is manipulate the data in the IoT Hub. For that, the SP needs access to the data plane. Try assigning one of these:

    • IoT Hub Data Contributor Allows full access to IoT Hub data plane operations.
    • IoT Hub Registry Contributor Allows full access to the IoT Hub device registry.
    • IoT Hub Twin Contributor Allows read and write access to all IoT Hub devices and module twins.

    Here is a list of all the data plane roles.


  2. AshokPeddakotla-MSFT 35,941 Reputation points
    2023-03-09T17:37:35.3233333+00:00

    Omar Navarro We haven't heard back from you for a long time. Did you resolve the issue?

    If you are still blocked, please see below information.

    The error message "IoTHub Unauthorized and Principal is not authorized" indicates that the service principal you're using to run the az iot edge set-modules command doesn't have the necessary permissions to access your IoT hub.

    To resolve this issue, you need to assign the appropriate role to the service principal. With Azure AD and RBAC, IoT Hub requires the principal requesting the API to have the appropriate level of permission for authorization. To give the principal the permission, give it a role assignment.

    To ensure least privilege, always assign the appropriate role at the lowest possible resource scope, which is probably the IoT Hub scope.

    IoT Hub provides the following Azure built-in roles for authorizing access to IoT Hub service APIs by using Azure AD and RBAC:

    IoT Hub Data Contributor Allows full access to IoT Hub data plane operations.
    IoT Hub Data Reader Allows full read access to IoT Hub data plane properties.
    IoT Hub Registry Contributor Allows full access to the IoT Hub device registry.
    IoT Hub Twin Contributor Allows read and write access to all IoT Hub device and module twins.

    You can also define custom roles to use with IoT Hub by combining the permissions that you need. For more information, see Create custom roles for Azure role-based access control.

    After you've assigned the role, try running the az iot edge set-modules command again.

    If you're still encountering issues, you can try checking the Azure IoT Hub troubleshooting guide for more information. Please see Understand and resolve Azure IoT Hub errors.

    If you need further help in this matter, please comment in the below section and we are happy to discuss!


