HubSpot (HS) to Azure Data Factory (ADF) Linked Service connection issue code 403

Question

Thank you in advance for your help & suggestions.

I figured that I would provide a verbose explanation in case it helps to identify incorrect steps, etc. :)

[My guess at what the issue is - just to save you time from having to read the verbose sections below]

I created and activated a HubSpot (HS) Public App by using the Install URL (OAuth) and using a "regular" HS account. My guess is that the ADF is not using the same "regular" HS account in its request (via the HS Linked Service) and that is why the connection is failing. If Access/Refresh tokens are tied to a specific HS account - then I have no idea how to activate/install using ADF in order to get the Code and subsequent Access and Refresh Tokens... The tokens that I used were from Chrome and a POST via POSTMAN.

[Background info]:

We had an existing HubSpot (HS) linked service that enabled our ADF to ingest Contacts info from HS and store into our data factory. The service used an account on HS and worked great until.... the HS account was disabled after the employee left our company. Yes, we didn't know that the user was tied to the automated job... and hence the nightly job subsequently failed from the user account not being found. I was then tasked to help solve the issue (zero knowledge of what had been done previously to set up the service).

[First attempt]:

To restore our nightly service, we had HS create an account that we could use for the ADF linked service. We then attempted to create an App but soon realized (or at least thought) that the App was considered "Private" and thus did not provide the required Client Secret token, etc. Public Apps seemed to have the requisite token info... so the presumed next step was to have HS create a developer-level account.

[Second, current attempt]:

With the new developer-level account (the non-Dev account still exists) I created a Public App with "crm.objects.contacts.read" as its Scope and proceeded to "activate" using an Install URL (OAuth). When I used the URL (in Chrome) I was presented with (2) activate/install options - a radio button for the HS Dev-level account and a radio button for the original "regular" HS account. The first time I selected the Dev account I received an error of "The account you selected XXXXX is a developer account. This app can't be installed on a developer account.". I then selected the regular account and received the Code (in the URL).

I then used POSTMAN to create the necessary POST and received the Access and Refresh tokens. I then created a new HubSpot linked service in ADF and added the Client ID, Client secret, Access Token and Refresh token. Also - the "connect via integration runtime" drop-down is set to "AutoResolveIntegrationRuntime (Managed Virtual Network)".

When I test the connection, I receive the error:

ERROR [HY000] [Microsoft][Hubspot] (60) API Connection Failed (Unauthorized Access). Check credentials. HTTP Response code: 403

The Monitoring section of the HS App has a logged Request of: (I removed some data in case it is sensitive)

{
  "CDN-Loop": [
    "cloudflare; subreqs=1"
  ],
  "Accept-Encoding": [
    "gzip"
  ],
  "CF-Connecting-IP": [
    [REMOVED]
  ],
  "True-Client-IP": [
    [REMOVED]
  ],
  "X-HubSpot-Trace": [
    [REMOVED]
  ],
  "Authorization": [
    "Bearer CPn-p9******"
  ],
  "X-HubSpot-Correlation-Id": [
    [REMOVED]
  ],
  "x-envoy-external-address": [
    [REMOVED]
  ],
  "X-HS-Internal-Request": [
    "1"
  ],
  "X-Real-IP": [
    [REMOVED]
  ],
  "x-request-id": [
    [REMOVED]
  ],
  "cf-worker": [
    "hubspot.com"
  ],
  "CF-Ray": [
    [REMOVED]
  ],
  "Accept": [
    "application/json"
  ],
  "CF-IPCountry": [
    "US"
  ],
  "X-Forwarded-Proto": [
    "https"
  ],
  "Connection": [
    "close"
  ],
  "X-Request-Start": [
    [REMOVED]
  ],
  "X-HS-Internal-User-Request": [
    "0"
  ],
  "Host": [
    "api.hubspot.com"
  ],
  "CF-Visitor": [
    "{\"scheme\":\"https\"}"
  ],
  "X-HS-User-Request": [
    "0"
  ],
  "CF-EW-Via": [
    "15"
  ],
  "X-Forwarded-Port": [
    "443"
  ],
  "X-Amzn-Trace-Id": [
    [REMOVED]
  ],
  "X-Forwarded-For": [
    [REMOVED]
  ],
  "x-envoy-expected-rq-timeout-ms": [
    "60000"
  ],
  "X-Scheme": [
    "https"
  ]
}

...and a logged response of: (in the BODY section)

{"status":"error","message":"This oauth-token (CPn-p96) does not have proper permissions! (requires any of [companies-read])","correlationId":"5bde46ae-3c01-4e58-89be-3e7bc5cea7de"}

Thank you again for any advice/thoughts on how to resolve this issue.

Answer 1

Hi@DT @ BX
Welcome to Microsoft Q&A platform and thanks for posting your question here.

The error message indicates that the OAuth token being used does not have the required permissions to access the HubSpot API. Specifically, the error message states that the token requires the "companies-read" permission.

To resolve this issue, you will need to ensure that the OAuth token being used has the necessary permissions. You can do this by checking the scope of the OAuth token and ensuring that it includes the "companies-read" permission.

If the OAuth token does not have the necessary permissions, you will need to generate a new token with the required permissions. You can do this by following the steps to create a new OAuth token with the appropriate scope in the HubSpot developer portal. Once you have generated a new token, you can use it to authenticate your API requests and access the required resources.

After adding the companies-read permission, you should be able to use the updated oauth-token to connect to the HubSpot API via the Azure Data Factory Linked Service.

https://developers.hubspot.com/docs/api/working-with-oauth

https://learn.microsoft.com/en-us/azure/data-factory/connector-hubspot?tabs=data-factory#connector-configuration-details

I hope this information helps you resolve the issue. Let me know if you have any further questions or concerns.