Here is a short story about trying to get the Azure Video Analyzer for Media API to work. At all. Long story short: I cannot do it.
Trial Account
Basically, I started here at the aptly named “Tutorial: Use the Video Analyzer for Media API” page:
https://learn.microsoft.com/en-us/azure/azure-video-analyzer/video-analyzer-for-media-docs/video-indexer-use-apis#obtain-access-token-using-the-authorization-api
I was eventually able to get a subscription to the Analyzer API created and get my keys and do the first call with this Ruby code:
apiUrl = "https://api.videoindexer.ai"
apiKey = "<my api key>"
accountId = "<my account id>"
location = "eastus"
accessTokenUrl = "#{apiUrl}/auth/#{location}/Accounts/#{accountId}/AccessToken?allowEdit=true"
request = {}
request["Ocp-Apim-Subscription-Key"] = apiKey
ap response = HTTPX.get(accessTokenUrl, headers: request)
ap response.body.to_s
Whew. There were some hiccups, but right now I don’t care, I eventually got it to work.
However, now my user that was created for this has a limit of 600 minutes, it’s a trial account. OK, so I should just be able to put in a credit card and start paying for usage right? Nope-edy-nope-nope.
Trial to “Unlimited” User
Luckily there is a big “+ Create Unlimited Account” button there and you can click on it and looks pretty easy:
OK, so I re-sign into the same account I was just in and land in the Azure portal, directly on the page to create the Video Analyzer service. Awesome.
OK, now I need to know what a “Resource Group”, “Media Account” (new or existing classic), “Resource Name”, “Media Services Account” (apparently different from Media account), and “Managed Identity” is. Some of these allow dashes, some do not. Some fields need it to be globally unique name but don’t tell you that until after you try to create it, which is awesome. But whatever, eventually I created names for all of these things that it was happy with and I got my Video Analyzer for Media resource deployed (and all of these other things too).
Whew. OK. Just want the one API, but whatever.
So now I look at my new resource and there is a link to explore it in the Portal. Back to the portal we go!
Except back at the portal, nothing has changed. Still says “Trial”. Still prompts me to create an unlimited account.
So I click on “Create Unlimited Account” again, but I get a slightly different popup. I think it’s because it sees me as being logged in again.
Side note. I have had to log into MS like 400 times at this point. It keeps asking me to do it. Also have to choose each time between an AAD Account or Personal account, or, weirdly, Google, like I know what the difference is. Also AAD and Personal work for the same account, which we’ll get to later.
OK, so I see this screen
Now, if I click on “Create account in the Azure Portal” it takes me to the same screen to create a new resource. I assumed that it would somehow see that this is the same user using the VAfM portal and the Azure portal and like link the accounts (ARM or something?) but it does not.
But! Never fear, there is a “Classic” account I can make and I can do it by switching to manual configuration. No problem, we’ll do it manually.
OMFG. What is any of this?
Don’t worry, I’m a seasoned veteran of computing and APIs and I can probably figure this out. A bunch of these say “Media Service” and I can find what I think fits in these fields under the “Media Service” resource that was created for me.
One fun thing here is the Azure Active Directory tenant, which is not listed anywhere under any of the resources, but is almost under the Settings tab (it’s only partially shown and also referred to as “Domain” rather than “tenant”, but why should consistent terminology matter?) So I just searched for “active” and there are several (AD Priv Identity Management, Azure Active Directory, B2C Tenants (which does use the word “tenant”), etc).
Luckily, “Azure Active Directory” has my “tenant”. But of course it’s called “Primary Domain”.
OK, now I’m left with this fun puzzle:
Now what could an “Application” be? That’s incredibly vague. I’ve just created at least 5 “resources” (Managed Identity, VA4M, Media Service, Storage Account and Streaming Endpoint), plus a resource group. VA4M seems like an application but I can’t find anything like an ID and key there.
So I went back to Media Services and found a sidebar entry (below the fold) called “API Access”. I want API access to VA4M, but maybe that’s under Media Services?
OK, now we need to decide if it’s “User Authentication” Or “Service Principal Authentication” that we want. I guess it’s SPA because I guess we’re “middle-tier”.
But also, we have something that looks like an App and Secret! Huzzah! It didn’t exist, but there is a “Create New” button, so I think we can make it exist. Also, I have no idea what AAD is, but one of the A’s probably stands for “App” and we need an App ID.
We click on “Create New” and choose a name and it creates the App. Then we click “Create New” under Secret and create a new Secret. (Also of note, this is all a guess, because the Form, as you will remember, asks us for “Application ID” and “Application Key”, where this has none of those terms).
OK, created. I take my new AAD app name (supposing that it’s the ID) and the Secret and use it as the Application ID and Key.
Wah Wah. Does not work. Do you know why? Because the “AAD app” that I created actually creates a Client ID in the background but does not show it to you. Awesome.
To see the actual client id you need to use in the form, you have to click on “Select” next to the AAD app you just created and then click on “All Applications” to see the Client ID next to the Name of the new application you just made. Also remember, “ClientId” here maps to “Application ID” in the VA4M Portal form, and “Secret” is the “Application Key”.
OK, now putting all that into the portal form will connect our “Classic account” to our VA4M portal account under the “Manual” way. Boom!
No more limit. But wait, there is still a “Trial” account associated here. Oh well, probably no big deal. I’m sure we can just use the new Account ID and a new Primary Key to access the account without limits, right?
❯ ruby az_analyze_video.rb
#<Response:70272846589760 HTTP/1.1 @status=401 @headers={"transfer-encoding"=>["chunked"], "content-type"=>["application/json"], "x-ms-request-id"=>["bf541fe9-4944-42c8-af37-f5fb843460ef"], "x-content-type-options"=>["nosniff"], "strict-transport-security"=>["max-age=31536000"], "access-control-allow-credentials"=>["true"], "date"=>["Sun, 23 Jan 2022 20:03:36 GMT"], "connection"=>["close"]} @body=129>
"{\"ErrorType\":\"USER_NOT_REGISTERED\",\"Message\":\"User is not registered to APIM. Trace id: 'f87e923b-e266-4a71-add2-adc85c875a1f'.\"}"
Nope. The user key I have is linked to the “Trial” account. But it created a new account with the same email address, so if you try to go back to the Products tab to get a new service key by subscribing to the Authorization API, it gives me:
LOL
OK, now I have two mirrored accounts that conflict with each other in a way that I cannot fix. I can’t get a new Primary/Secondary key for the AAD user because it conflicts with my Personal User because it created it off the Personal user.
But luckily there is a way to fix it. It says right here “if you have two users with the same email, you can delete your Developer Portal account and register again”. Great solution. Ok, let’s do that.
Great. So 3 months from now that pending delete will go through and I will maybe be free to log in with my other AAD account and generate an access key and use the API?