The client 'XXX' with object id 'XXX' does not have authorization to perform action 'Microsoft.Media/mediaServices/transforms/write'

Question

I am trying to use the following git repo in order to connect to azure ams, upload a video and stream it: https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/AMSv3Samples/StreamFilesSample/index.ts

For some reason I am keep getting the following error:

The client 'XXX' with object id 'XXX' does not have authorization to perform action 'Microsoft.Media/mediaServices/transforms/write' over scope '/subscriptions/XXX/resourceGroups/TEST-APP/providers/Microsoft.Media/mediaServices/TESTAMP/transforms/ContentAwareEncoding' or the scope is invalid. If access was recently granted, please refresh your credentials

The AD user is owner but I understand it is a permission issue. I searched all over the web for hours what permission do I need to grant and where but could not find any solution

The error get thrown here:

    let encodingTransform = await mediaServicesClient.transforms.createOrUpdate(resourceGroup, accountName, encodingTransformName, {
  name: encodingTransformName,
  outputs: [
    {
      preset: adaptiveStreamingTransform
    }
  ]
});

of course, I have updated the .env file to the correct data of my azure account. Can anyone point out what am I missing and how to grant this permission?

Thanks!

Answer 1

The error message is referring to your Service Principal that is being used to authenticate against the AMS SDK.

Double check that you entered the GUID values for the service principal ID and Key, and make sure you did not use the friendly name in there.

AADCLIENTID="00000000-0000-0000-0000-000000000000" AADSECRET="00000000-0000-0000-0000-000000000000"

Also, double check in IAM Access control in the portal that the service principal exists under the Role Assignments for your Media Services account and has Contributor or Owner permission Role first.

If you are in an Enterprise that locks down AAD access - you may need to work with your AAD owner/admin to make these changes and grant the service principal the right roles for your account. That's a bit outside of Media Services, and is just general Azure AAD application creation rights, and role assignments. If you are still hitting issues, I would file a support ticket and also ask your AAD administrator to assign the role permisssion to your service principal.

As an aside, we are also working on updated Node.js SDK samples for the upcoming (soon!) release of the 10.0.0 Javascript SDK. See the beta samples here - https://github.com/Azure-Samples/media-services-v3-node-tutorials/tree/10.0.0-beta.1