Request storage account user delegation key from Managed Application VM error "This request is denied to perform this operation using this permission."

Vadym Chaban 20 Reputation points
2023-03-03T09:43:27.7433333+00:00

Hello,

I have a managed application with the following resources: a VM, a storage account and a user-assigned managed identity.

The managed identity has the following roles on the storage account:

  • Reader
  • Storage Blob Data Contributor

Later, during my investigation, I also added the Owner role, but this doesn't help, and I'm not planning to have this role in production.

From the VM I can successfully request a managed identity token and access the storage blob, which indicates to me that the managed identity is set up correctly and works.

But when I try to request a user delegation key so that I can use it to generate a SAS token for the blob, I get the following error:

Exception has occurred: CLR/Azure.RequestFailedException
An unhandled exception of type 'Azure.RequestFailedException' occurred in System.Private.CoreLib.dll: 'This request is denied to perform this operation using this permission.
RequestId:86d20118-a01e-0061-7cb2-4d6f38000000
Time:2023-03-03T09:31:20.5581960Z
Status: 403 (This request is denied to perform this operation using this permission.)
ErrorCode: AuthorizationPermissionDenied

Content:
<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationPermissionDenied</Code><Message>This request is denied to perform this operation using this permission.
RequestId:86d20118-a01e-0061-7cb2-4d6f38000000
Time:2023-03-03T09:31:20.5581960Z</Message></Error>

Headers:
Server: Windows-Azure-Blob/1.0,Microsoft-HTTPAPI/2.0
x-ms-request-id: 86d20118-a01e-0061-7cb2-4d6f38000000
x-ms-client-request-id: 04b4a8eb-5997-46fe-9dc8-53aefe346ab6
x-ms-version: 2021-08-06
x-ms-error-code: AuthorizationPermissionDenied
Date: Fri, 03 Mar 2023 09:31:19 GMT
Content-Length: 269
Content-Type: application/xml'
   at Azure.Storage.Blobs.ServiceRestClient.GetUserDelegationKey(KeyInfo keyInfo, Nullable`1 timeout, CancellationToken cancellationToken)
   at Azure.Storage.Blobs.BlobServiceClient.<GetUserDelegationKeyInternal>d__54.MoveNext()
   at Azure.Storage.Blobs.BlobServiceClient.GetUserDelegationKey(Nullable`1 startsOn, DateTimeOffset expiresOn, CancellationToken cancellationToken)
   at Program.<Main>$(String[] args) in /home/ravadmin/sandbox/testing/Program.cs:line 24

I guess it might be related to the cross-tenant scenario, but I'm unable to find any information that can help solve this issue.

Any ideas how I can fix this?

Thanks.
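As an added example that is not part of the original post (and not the asker's Program.cs), this is what the same request looks like with the Azure.Storage.Blobs and Azure.Identity SDKs, with the 403 shown in the stack trace caught and diagnosed explicitly, and with the account-key SAS that the thread later falls back to placed beside it. The account URI, container, blob name, user-assigned identity client ID and account key are placeholders supplied by the caller; nothing here is tied to the request IDs above.

```csharp
using System;
using Azure;
using Azure.Identity;
using Azure.Storage;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Models;
using Azure.Storage.Sas;

// Added example (not the poster's code). All account, container, blob and
// identity values are placeholders passed in by the caller.
static class UserDelegationSasExample
{
    // Requests a user delegation key with the VM's user-assigned managed identity
    // and builds a read-only SAS for one blob. Returns null and reports the
    // diagnosis when the service answers 403 AuthorizationPermissionDenied,
    // which is the symptom described in the question.
    public static Uri? TryBuildUserDelegationSas(
        Uri accountUri, string containerName, string blobName, string userAssignedClientId)
    {
        // A user-assigned identity must be selected by client ID; with several
        // identities attached to the VM a default credential may pick another one.
        var credential = new ManagedIdentityCredential(userAssignedClientId);
        var service = new BlobServiceClient(accountUri, credential);

        var startsOn = DateTimeOffset.UtcNow.AddMinutes(-5);   // clock-skew margin
        var expiresOn = DateTimeOffset.UtcNow.AddHours(1);     // keep delegation keys short-lived

        UserDelegationKey key;
        try
        {
            key = service.GetUserDelegationKey(startsOn, expiresOn);
        }
        catch (RequestFailedException ex)
            when (ex.Status == 403 && ex.ErrorCode == "AuthorizationPermissionDenied")
        {
            // The token was accepted (otherwise the status would be 401), so this is
            // an authorization limit on the caller, not a credential problem.
            Console.Error.WriteLine(
                $"GetUserDelegationKey refused: {ex.Status} {ex.ErrorCode}. " +
                "Check the role assignment on the account and, for managed applications, " +
                "whether the identity is acting across tenants.");
            return null;
        }

        var sas = new BlobSasBuilder
        {
            BlobContainerName = containerName,
            BlobName = blobName,
            Resource = "b",           // scope the SAS to a single blob
            StartsOn = startsOn,
            ExpiresOn = expiresOn,
        };
        sas.SetPermissions(BlobSasPermissions.Read);

        var blobUri = service.GetBlobContainerClient(containerName).GetBlobClient(blobName).Uri;
        var builder = new BlobUriBuilder(blobUri)
        {
            Sas = sas.ToSasQueryParameters(key, service.AccountName),
        };
        return builder.ToUri();
    }

    // The workaround the thread settles on: sign the SAS with the account key.
    // Such a SAS is not bound to any identity and the key can mint any permission,
    // so scope and lifetime are kept as tight as in the delegation case.
    public static Uri BuildAccountKeySas(
        Uri accountUri, string accountName, string accountKey, string containerName, string blobName)
    {
        var sharedKey = new StorageSharedKeyCredential(accountName, accountKey);
        var sas = new BlobSasBuilder
        {
            BlobContainerName = containerName,
            BlobName = blobName,
            Resource = "b",
            ExpiresOn = DateTimeOffset.UtcNow.AddHours(1),
        };
        sas.SetPermissions(BlobSasPermissions.Read);

        var blobUri = new BlobServiceClient(accountUri, sharedKey)
            .GetBlobContainerClient(containerName).GetBlobClient(blobName).Uri;
        return new BlobUriBuilder(blobUri) { Sas = sas.ToSasQueryParameters(sharedKey) }.ToUri();
    }
}
```

Call `TryBuildUserDelegationSas(new Uri("https://<account>.blob.core.windows.net"), "<container>", "<blob>", "<client-id>")` from the VM; a `null` result with the logged 403 reproduces the situation in the question, while a non-null URI shows the identity-bound SAS that a user delegation key yields. The `when` filter deliberately catches only this one status and error code, so any other failure (401, 404, throttling) still surfaces as an exception instead of being mistaken for the permission limit.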


Accepted answer
    JamesTran-MSFT 36,541 Reputation points Microsoft Employee
    2023-03-29T17:47:22.5666667+00:00

    @Vadym Chaban

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to accept the answer.

    Error Message:

    Status: 403 (This request is denied to perform this operation using this permission.)
    ErrorCode: AuthorizationPermissionDenied
    

    Issue:

    When requesting a Storage Account User Delegation Key to generate a SAS token to access one of your Storage Account Blobs, you're running into the error message above, which could be related to a cross-tenant issue.

    Solution:

    After working with our Azure Support team, you were able to identify that user-assigned managed identities and managed applications have limitations when it comes to cross tenant scenarios.

    For example, as a publisher, you cannot see Key Vault secrets, but this is not critical as the app can access them using the user-assigned managed identity. However, in our case, there are some limitations with the storage account that you should be aware of. You cannot create a container, request a user delegation key, and possibly even more. Therefore, for now, I will fall back to the account key to work around these problems.

    Since this is a feature/product limitation, I'd also recommend leveraging our User Voice forum and creating a feature request, so our engineering team can look into implementing this. I've also created an internal feature request, so our engineering team is aware of this as well.

    If I missed anything please let me know and I'd be happy to add it to my answer, or feel free to comment below with any additional information.

    I hope this helps!


    If you have any other questions, please let me know. Thank you again for your time and patience throughout this issue.


1 additional answer

    Vadym Chaban 20 Reputation points
    2023-03-27T13:10:54.9+00:00

    With the help of Azure support, it turns out that user-assigned managed identities and managed applications have a set of limitations, particularly in cross-tenant scenarios.

    For example, as a publisher, you cannot see Key Vault secrets, but this is not critical as the app can access them using the user-assigned managed identity.

    However, in our case, there are some limitations with the storage account that you should be aware of. You cannot create a container, request a user delegation key, and possibly even more.

    Therefore, for now, I will fall back to the account key to work around these problems.

    I'm looking forward to Microsoft fixing/implementing these limitations because managed applications have a lot of promise. It would be great to have the same experience as when you work with your resources in Azure.
