Azure Blob authentication issue

Piotr Kalinski 25 Reputation points
2023-11-03T14:09:04.66+00:00

Hi,

I am trying to use Python to interact with the Azure Data Lake.
My organization uses a Service Principal to give access to Azure.
I am able to acquire a token with the msal library.
This token works fine when I connect to an Azure SQL Database.
But it does not work when I want to interact with Data Lake.

The error I get looks like this:

azure.core.exceptions.ClientAuthenticationError: Server failed to authenticate the request. Please refer to the information in the www-authenticate header.
RequestId:1685618a-201f-0093-625c-0e9ea5000000
Time:2023-11-03T13:50:55.8952458Z
ErrorCode:NoAuthenticationInformation

Below is Python code that I use:

import msal
from azure.storage.blob import BlobServiceClient, ContentSettings

app = msal.ConfidentialClientApplication(client_id, client_credential=secret, authority=authority_url)

token = app.acquire_token_for_client(scopes=['https://graph.microsoft.com/.default'])
print (token)

blob_service_client = BlobServiceClient(account_url=url, TokenCredential=token["access_token"])
container_client = blob_service_client.get_container_client(dl_container)
blob_client = blob_service_client.get_blob_client(container=dl_container, blob="abc.txt")

with open(file="dataFromAzure.txt", mode="wb") as sample_blob:    
	download_stream = blob_client.download_blob()
	sample_blob.write(download_stream.readall())



{'token_type': 'Bearer', 'expires_in': 3599, 'ext_expires_in': 3599, 'access_token': 'xxxxx'}

Traceback (most recent call last):
  File "C:\Project_05_compareDBs\dataLake_authentication.py", line 37, in <module>
    download_stream = blob_client.download_blob()
  File "C:\Project_05_compareDBs\venv\lib\site-packages\azure\core\tracing\decorator.py", line 78, in wrapper_use_tracer
    return func(*args, **kwargs)
  File "C:\Project_05_compareDBs\venv\lib\site-packages\azure\storage\blob\_blob_client.py", line 933, in download_blob
    return StorageStreamDownloader(**options)
  File "C:\Project_05_compareDBs\venv\lib\site-packages\azure\storage\blob\_download.py", line 366, in __init__
    self._response = self._initial_request()
  File "C:\Project_05_compareDBs\venv\lib\site-packages\azure\storage\blob\_download.py", line 462, in _initial_request
    process_storage_error(error)
  File "C:\Project_05_compareDBs\venv\lib\site-packages\azure\storage\blob\_shared\response_handlers.py", line 184, in process_storage_error
    exec("raise error from None")   # pylint: disable=exec-used # nosec
  File "<string>", line 1, in <module>
  File "C:\Project_05_compareDBs\venv\lib\site-packages\azure\storage\blob\_download.py", line 414, in _initial_request
    location_mode, response = self._clients.blob.download(
  File "C:\Project_05_compareDBs\venv\lib\site-packages\azure\core\tracing\decorator.py", line 78, in wrapper_use_tracer
    return func(*args, **kwargs)
  File "C:\Project_05_compareDBs\venv\lib\site-packages\azure\storage\blob\_generated\operations\_blob_operations.py", line 1611, in download
    map_error(status_code=response.status_code, response=response, error_map=error_map)
  File "C:\Project_05_compareDBs\venv\lib\site-packages\azure\core\exceptions.py", line 165, in map_error
    raise error
azure.core.exceptions.ClientAuthenticationError: Server failed to authenticate the request. Please refer to the information in the www-authenticate header.
RequestId:1685618a-201f-0093-625c-0e9ea5000000
Time:2023-11-03T13:50:55.8952458Z
ErrorCode:NoAuthenticationInformation


Accepted answer
  1. Boris Von Dahle 3,121 Reputation points
    2023-11-03T20:20:34.44+00:00

    Hello,

    The token you're acquiring is for the Microsoft Graph API (https://graph.microsoft.com/.default), but you're trying to use it to access Azure Data Lake. You need to acquire a token for the specific resource you're trying to access.

    In your case, you might want to use ClientSecretCredential, which enables you to authenticate with a client (app) ID and client secret, as you're doing with the msal library.

    from azure.identity import ClientSecretCredential
    from azure.storage.blob import BlobServiceClient
    
    credential = ClientSecretCredential(
        tenant_id="<azure-tenant-id>",
        client_id="<azure-app-id>",
        client_secret="<azure-app-secret>",
        authority="<authority-url>"
    )
    
    blob_service_client = BlobServiceClient(account_url="<storage-account-url>", credential=credential)
    
    # rest of your code
    

    Hope this helps

    If you found this answer helpful, please accept it so that other users can find this topic.

    Regards
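
A way to confirm the diagnosis in the accepted answer before changing any code (added example, not part of the original thread): decode the `aud` claim of the access token and compare it with the storage audience. The accepted audience values, the `example` account URL and the sample tokens are assumptions constructed for illustration; the payload is decoded without signature verification, so this is a diagnostic only.

```python
import base64
import json
from typing import Optional

# Scope to request from msal for Azure Storage (client-credentials flow).
STORAGE_SCOPE = "https://storage.azure.com/.default"
# Audience values accepted here are an assumption; adjust for your tenant.
STORAGE_AUDIENCES = {"https://storage.azure.com"}


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_problem(token: str, account_url: str) -> Optional[str]:
    """Return a description of the audience mismatch, or None if it fits."""
    aud = str(jwt_claims(token).get("aud", "")).rstrip("/")
    allowed = STORAGE_AUDIENCES | {account_url.rstrip("/")}
    if aud in allowed:
        return None
    return f"token audience is {aud!r}; request scope {STORAGE_SCOPE!r} instead"


def constructed_token(aud: str) -> str:
    """Build an unsigned sample token (constructed, not a real credential)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"aud": aud}), "sig"])


if __name__ == "__main__":
    account = "https://example.blob.core.windows.net"  # placeholder account URL
    for aud in ("https://graph.microsoft.com", "https://storage.azure.com/"):
        print(aud, "->", audience_problem(constructed_token(aud), account))
```

Run it against `token["access_token"]` from the question's msal call rather than printing the whole token to a console or log.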

