
bearer token authentication

Solnar, David 81 Reputation points
Jul 26, 2022, 7:43 AM

Bearer permissions (Rest API)
Currently I am not able to read blobs using the Azure REST API and a bearer token.
This is the simple script:
```python
import logging
import urllib.parse

import requests

logger = logging.getLogger(__name__)

# client_id, client_secret, tenant_id, storage_account_name, container_name,
# api_version and request_time are defined elsewhere in the script.


def authenticate():
    # Outbound proxy with URL-encoded credentials (used for the token request only)
    proxies = {"http": "//ga2si13:" + urllib.parse.quote("mypassword") + "@pxvip02.intranet.commerzbank.com:8080",
               "https": "//ga2si13:" + urllib.parse.quote("mypassword") + "@pxvip02.intranet.commerzbank.com:8080"}
    # OAuth 2.0 client-credentials grant for the Azure Storage resource
    request_payload = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": "https://storage.azure.com/"
    }
    bearer_token = requests.post(url='https://login.microsoftonline.com/' + tenant_id + '/oauth2/token',
                                 data=request_payload, proxies=proxies).json()["access_token"]
    return bearer_token


def readBlob(blob_name):
    try:
        #blob_name = "resourceId=/SUBSCRIPTIONS/82A234EE-1D2B-484B-A6D1-8E611A6CFB6B/RESOURCEGROUPS/014921-PGATAZURE-GWC-DEV-RG/PROVIDERS/MICROSOFT.DBFORPOSTGRESQL/FLEXIBLESERVERS/014921-PGATAZURE-GWC-DEV-08DV4/y=2022/m=06/d=23/h=17/m=00/PT1H.json"
        headers = {
            'x-ms-date': request_time,
            'x-ms-version': api_version,
            'Authorization': ('Bearer ' + authenticate())
        }
        url = (
            'https://' + storage_account_name + '.privatelink.blob.core.windows.net/' + container_name + '/' + blob_name)
        # verify=False turns off TLS certificate validation for this request
        r = requests.get(url, headers=headers, verify=False)
        return r
    except Exception as e:
        # print(e)
        logger.error(e)
```

Simple example:
Using this URL I can successfully list containers:
https://014921storagwcdev01.privatelink.blob.core.windows.net/?restype=container&comp=list
```xml
<?xml version="1.0" encoding="utf-8"?>
<EnumerationResults ServiceEndpoint="https://014921storagwcdev01.privatelink.blob.core.windows.net/">
  <Containers>
    <Container>
      <Name>insights-logs-postgresqllogs</Name>
      <Properties>
        <Last-Modified>Tue, 12 Jul 2022 10:48:37 GMT</Last-Modified>
        <Etag>"0x8DA63F4137F84F9"</Etag>
        <LeaseStatus>unlocked</LeaseStatus>
        <LeaseState>available</LeaseState>
        <HasImmutabilityPolicy>false</HasImmutabilityPolicy>
        <HasLegalHold>false</HasLegalHold>
      </Properties>
    </Container>
    <Container>
      <Name>insights-metrics-pt1m</Name>
      <Properties>
        <Last-Modified>Tue, 12 Jul 2022 10:48:52 GMT</Last-Modified>
        <Etag>"0x8DA63F41C641429"</Etag>
        <LeaseStatus>unlocked</LeaseStatus>
        <LeaseState>available</LeaseState>
        <HasImmutabilityPolicy>false</HasImmutabilityPolicy>
        <HasLegalHold>false</HasLegalHold>
      </Properties>
    </Container>
    <Container>
      <Name>test</Name>
      <Properties>
        <Last-Modified>Tue, 12 Jul 2022 13:10:49 GMT</Last-Modified>
        <Etag>"0x8DA6407F0ED0250"</Etag>
        <LeaseStatus>unlocked</LeaseStatus>
        <LeaseState>available</LeaseState>
        <HasImmutabilityPolicy>false</HasImmutabilityPolicy>
        <HasLegalHold>false</HasLegalHold>
      </Properties>
    </Container>
  </Containers>
  <NextMarker />
</EnumerationResults>
```

I need to read blobs from a specific container, but I am getting this error:
https://014921storagwcdev01.privatelink.blob.core.windows.net/insights-logs-postgresqllogs?restype=container&comp=list

<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationPermissionMismatch</Code><Message>This request is not authorized to perform this operation using this permission.
RequestId:80ecfa3b-d01e-00b0-8012-9ca0a4000000
Time:2022-07-20T08:24:30.6830567Z</Message></Error>

With the same URL but using the storage account access key, I am successful:
https://014921storagwcdev01.privatelink.blob.core.windows.net/insights-logs-postgresqllogs?restype=container&comp=list


1 answer

  1. Sumarigo-MSFT 47,526 Reputation points Microsoft Employee
    Aug 3, 2022, 6:25 AM

    @Solnar, David Apologies for the delayed response! I was able to repro the issue and access the files in the blob container and generate the bearer token.

    Just to clarify: After App registration -> have you provided the required roles access to the files -> Reader, Storage Contributor and Storage Data Reader?

    227485-image.png

    In my scenario I have used the endpoint URL to get access to the blob files from Postman; please refer to the image below.

    In the header section, mention Content-Type: application/x-www-form-urlencoded

    227541-image.png

    Open a new tab in Postman -> Provide the blob file URL -> Header should contain the Bearer token and x-ms-version

    227489-image.png

    Please let us know if you have any further queries. I’m happy to assist you further.

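A diagnostic for the error in the question, as an added example that is not part of the original thread: it decodes the bearer token's claims (without verifying the signature) and parses the storage error body, so you can see which principal (`oid`) the role assignments have to cover. The token, GUIDs and error body are constructed samples, and `jwt_claims`, `storage_error`, `triage` and `b64_json` are hypothetical helper names.

```python
import base64
import json
import time
import xml.etree.ElementTree as ET

STORAGE_RESOURCE = "https://storage.azure.com"  # "resource" requested in the question

def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying its signature (diagnostics only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def storage_error(body):
    """Return (Code, RequestId) from a Blob service <Error> response body."""
    root = ET.fromstring(body)
    lines = root.findtext("Message", default="").splitlines()
    request_id = next((l.split(":", 1)[1] for l in lines if l.startswith("RequestId:")), None)
    return root.findtext("Code"), request_id

def triage(token, error_body, now=None):
    """Separate a bad token from a missing role assignment for the calling principal."""
    claims = jwt_claims(token)
    code, request_id = storage_error(error_body)
    if claims.get("aud", "").rstrip("/") != STORAGE_RESOURCE:
        return f"wrong audience {claims.get('aud')!r}: token was not issued for storage"
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return "token expired: request a new one"
    if code == "AuthorizationPermissionMismatch":
        return (f"audience and expiry look fine; check role assignments for "
                f"oid={claims.get('oid')} (appid={claims.get('appid')}), RequestId {request_id}")
    return f"unhandled storage error: {code}"

# Constructed sample data below: placeholder GUIDs, not values from the page.
def b64_json(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

SAMPLE_TOKEN = ".".join([b64_json({"alg": "none"}), b64_json({
    "aud": "https://storage.azure.com", "exp": 2000000000,
    "appid": "11111111-1111-1111-1111-111111111111",
    "oid": "22222222-2222-2222-2222-222222222222"}), "sig"])
SAMPLE_ERROR = (b'<?xml version="1.0" encoding="utf-8"?><Error>'
                b"<Code>AuthorizationPermissionMismatch</Code><Message>This request is "
                b"not authorized to perform this operation using this permission.\n"
                b"RequestId:00000000-0000-0000-0000-000000000000\n"
                b"Time:2022-07-20T08:24:30.0000000Z</Message></Error>")

if __name__ == "__main__":
    print(triage(SAMPLE_TOKEN, SAMPLE_ERROR, now=1658305470))
```

The `oid` it reports is the object ID of the service principal behind the app registration, which is the identity to look up when reviewing role assignments on the storage account or container.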
