Getting 403 when I try to generate SAS using Microsoft Entra ID

Aarush 0 Reputation points
2024-05-28T06:55:24.2133333+00:00

When I try to generate SAS using Microsoft Entra ID, I am getting this error:
Exception in thread "main" com.azure.core.exception.HttpResponseException: Status code 403, "<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationPermissionMismatch</Code><Message>This request is not authorized to perform this operation using this permission.

Here is the code I am using to generate it:

import com.azure.identity.ClientSecretCredential;
import com.azure.identity.ClientSecretCredentialBuilder;
import com.azure.storage.blob.BlobContainerClient;
import com.azure.storage.blob.BlobServiceClient;
import com.azure.storage.blob.BlobServiceClientBuilder;
import com.azure.storage.blob.models.UserDelegationKey;
import com.azure.storage.blob.sas.BlobSasPermission;
import com.azure.storage.blob.sas.BlobServiceSasSignatureValues;

import java.time.OffsetDateTime;
import java.time.ZoneOffset;
import java.time.temporal.ChronoUnit;

public class GenerateSASToken {
    public static void main(String[] args) {
        // Define your Azure AD credentials
        String tenantId = "************************";
        String clientId = "************************";
        String clientSecret = "***********************";
        String accountName = "*************************";
        String containerName = "*************************";

        // Create a ClientSecretCredential object
        ClientSecretCredential clientSecretCredential = new ClientSecretCredentialBuilder()
                .tenantId(tenantId)
                .clientId(clientId)
                .clientSecret(clientSecret)
                .build();

        // Create a BlobServiceClient object for the storage account endpoint
        // (the container is selected below, not in the service endpoint)
        BlobServiceClient blobServiceClient = new BlobServiceClientBuilder()
                .endpoint(String.format("https://%s.blob.core.windows.net", accountName))
                .credential(clientSecretCredential)
                .buildClient();

        // Get a BlobContainerClient object
        BlobContainerClient containerClient = blobServiceClient.getBlobContainerClient(containerName);

        // Define the SAS token permissions and expiry time
        BlobSasPermission blobSasPermission = new BlobSasPermission()
                .setReadPermission(true)
                .setWritePermission(true)
                .setListPermission(true);

        OffsetDateTime expiryTime = OffsetDateTime.now(ZoneOffset.UTC).plus(1, ChronoUnit.HOURS);

        // Get user delegation key (valid for at most 7 days; the SAS expiry must fall inside it).
        // This call requires the generateUserDelegationKey RBAC action on the account.
        OffsetDateTime keyStart = OffsetDateTime.now(ZoneOffset.UTC);
        OffsetDateTime keyExpiry = keyStart.plusDays(7);
        UserDelegationKey userDelegationKey = blobServiceClient.getUserDelegationKey(keyStart, keyExpiry);

        BlobServiceSasSignatureValues sasValues = new BlobServiceSasSignatureValues(expiryTime, blobSasPermission);

        // Sign the SAS with the user delegation key instead of the account key
        String sasToken = containerClient.generateUserDelegationSas(sasValues, userDelegationKey);

        System.out.println("SAS Token: " + sasToken);
    }
}

Can you please let me know what I need to do to generate SAS using Microsoft Entra ID, or whether anything is wrong in my code.


2 answers

  1. Abiola Akinbade 29,405 Reputation points Volunteer Moderator
    2024-05-28T07:46:27.4633333+00:00

    Hello Aarush,

    Thanks for your message.

    Based on the error message provided, it looks like the identity performing this operation does not have the prerequisite access needed. To resolve, I will recommend the below:

    Also please ensure that the network of that storage account doesn't have any firewall/VNet/private endpoint and is open.

    Please let me know if you have further questions.

    You can mark it 'Accept Answer' if this helped.


  2. Nehruji R 8,181 Reputation points Microsoft External Staff Moderator
    2024-05-29T09:07:29.92+00:00

    Hello Aarush,

    Greetings! Welcome to Microsoft Q&A Platform.

    The 403 error you encountered indicates that you don’t have the necessary permissions.

    Please ensure that you are able to access the Extension Microsoft_AAD_IAM blade if not, it could mean that the admin of the tenant has not given the permission to access the "Admin Portal" with a non-administrator account. This can happen even if you are an Owner of the subscription since the IAM policy of the Entra ID/Azure AD tenant will still block you in this scenario.

    If this is the case, the admin needs to either set "restrict access to Microsoft Entra ID administration center" to "No" or grant you an admin role.


    Also consider the following to troubleshoot the issue:

    1. Sometimes this issue occurs if there is something blocking the network connection. If this is the case, this issue can often be resolved by whitelisting the required endpoints as mentioned in our Microsoft documentation: https://learn.microsoft.com/en-us/azure/azure-portal/azure-portal-safelist-urls?tabs=public-cloud#azure-portal-framework
    2. Also do check if you have all the required RBAC roles.
      To request the user delegation key, you must assign to a security principal the Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey action. The following built-in RBAC roles include the Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey action, either explicitly or as part of a wildcard definition: Contributor, Storage Account Contributor, Storage Blob Data Contributor, Storage Blob Data Owner, Storage Blob Data Reader, Storage Blob Delegator. Reference document: https://learn.microsoft.com/en-us/rest/api/storageservices/create-user-delegation-sas#assign-permissions-with-rbac
    3. Please try updating the browser to the latest version and check using the Chrome browser instead of Edge to see if you get the same results.
    4. Please try to load the "Entra ID" blade from the Search bar by searching for "Microsoft Entra ID" and confirm if you get the same results that way.

    Additional information: When using Azure Storage account shared key auth, HTTP requests sent by this library will generate a string to sign based on subset of HTTP headers and finally sign with account key. Modifying headers after the signing will lead to auth errors.

    Authorize requests to Azure Storage : https://learn.microsoft.com/en-us/rest/api/storageservices/authorize-requests-to-azure-storage

    403 is seen when authorizing with a shared key because "All authorized requests must include the Coordinated Universal Time (UTC) timestamp for the request." Information about this can be found in Authorize with Shared Key and also you can try using storage explorer to generate SAS with the same configuration and see if it works.

    Hope this answer helps! Please let us know if you have any further queries. I'm happy to assist you further.

    Please "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

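As an added example (not part of the question or either answer), a small Python checker for the RBAC point in item 2 of the second answer: it resolves a principal's role assignments against role definitions and reports which roles grant the generateUserDelegationKey action, explicitly or through a wildcard such as Contributor's "*", with NotActions and scope inheritance taken into account. The role definitions and assignments are constructed, abbreviated samples shaped like `az role definition list` and `az role assignment list` output; the principal ids, subscription id and account name are placeholders.

```python
import re

# Action required to request a user delegation key (quoted from the answer above).
UDK_ACTION = "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey"
# Constructed, abbreviated role definitions; real ones carry more actions/notActions.
ROLE_DEFINITIONS = {
    "Storage Blob Delegator": {"actions": [UDK_ACTION], "notActions": []},
    "Storage Blob Data Reader": {"notActions": [], "actions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/read", UDK_ACTION]},
    "Contributor": {"actions": ["*"],  # wildcard grant covers the action implicitly
                    "notActions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"]},
    "Reader": {"actions": ["*/read"], "notActions": []},  # read-only wildcard does not match
}
# Constructed sample assignments shaped like `az role assignment list` output.
SUB_SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000"
ACCOUNT_SCOPE = SUB_SCOPE + "/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/stdemo"
ASSIGNMENTS = [
    {"principalId": "sp-app", "roleDefinitionName": "Reader", "scope": ACCOUNT_SCOPE},
    {"principalId": "sp-app", "roleDefinitionName": "Storage Blob Delegator", "scope": SUB_SCOPE},
    {"principalId": "sp-other", "roleDefinitionName": "Contributor", "scope": ACCOUNT_SCOPE},
]

def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC action matching: case-insensitive, '*' spans any characters including '/'."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None

def role_grants(role_name: str, action: str) -> bool:
    """A role grants an action when some Actions entry matches and no NotActions entry does."""
    role = ROLE_DEFINITIONS[role_name]
    allowed = any(action_matches(p, action) for p in role["actions"])
    denied = any(action_matches(p, action) for p in role["notActions"])
    return allowed and not denied

def scope_covers(assignment_scope: str, resource_scope: str) -> bool:
    """An assignment applies to resources at its scope or below (subscription > RG > account)."""
    a, r = assignment_scope.lower().rstrip("/"), resource_scope.lower().rstrip("/")
    return r == a or r.startswith(a + "/")

def roles_granting_udk(assignments, principal_id: str, resource_scope: str) -> list:
    """Names of the principal's roles, effective at resource_scope, that grant UDK_ACTION."""
    return sorted(a["roleDefinitionName"] for a in assignments
                  if a["principalId"] == principal_id
                  and scope_covers(a["scope"], resource_scope)
                  and role_grants(a["roleDefinitionName"], UDK_ACTION))

if __name__ == "__main__":
    for sp in ("sp-app", "sp-other", "sp-missing"):
        roles = roles_granting_udk(ASSIGNMENTS, sp, ACCOUNT_SCOPE)
        print(sp, "->", roles or "no role grants generateUserDelegationKey, expect 403")
```

A principal that comes back empty here is the one that gets AuthorizationPermissionMismatch from getUserDelegationKey, even when it can read blobs by other means.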
