AuthorizationPermissionMismatch when trying to upload to block with DefaultAzureCredential

Question

AuthorizationPermissionMismatch when trying to upload to block with DefaultAzureCredential

QA testing team 40

Hi,

I am following this tutorial: https://learn.microsoft.com/en-us/azure/storage/blobs/storage-quickstart-blobs-python?tabs=managed-identity%2Croles-azure-portal%2Csign-in-azure-cli

I want to upload a file to my storage account blob and try to authenticate with BlobServiceClient(which I did using account secret token) but I want to use DefaultAzureCredential as suggested in the guide, so I don't need to specify credentials in the code. I created a managed identity, tried giving it Storage Blob Data Contributor permissions for my storage account and I'm getting this error during blob_client.upload_blob:

*blob_client.upload_blob(data, overwrite=True) File "/Library/Python/3.9/site-packages/azure/core/tracing/decorator.py", line 78, in wrapper_use_tracer return func(*args, **kwargs) File "/Library/Python/3.9/site-packages/azure/storage/blob/_blob_client.py", line 765, in upload_blob return upload_block_blob(*options) File "/Library/Python/3.9/site-packages/azure/storage/blob/_upload_helpers.py", line 195, in upload_block_blob process_storage_error(error) File "/Library/Python/3.9/site-packages/azure/storage/blob/_shared/response_handlers.py", line 184, in process_storage_error exec("raise error from None") # pylint: disable=exec-used # nosec File "<string>", line 1, in <module>azure.core.exceptions.HttpResponseError: This request is not authorized to perform this operation using this permission.RequestId:.....Time:2023-11-17T22:34:53.4360923ZErrorCode:AuthorizationPermissionMismatchContent: <?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationPermissionMismatch</Code><Message>This request is not authorized to perform this operation using this permission.

I tried giving the identity Storage Blob Data Owner permissions instead, but got same error as above.
I also tried giving permissions on the account storage level but it doesn't help.

What am I missing ?

Thanks in advance,

Ilya

Vinodh247 7,416 Reputation points

2023-11-18T16:09:14.7566667+00:00

can you check from which login are you trying to perform this and it has all the permissions? if you are trying from portal ensure that you dont have any other tab with some other login opened. Also sign-out and sign-in once from incognito if possible.
QA testing team 40 Reputation points

2023-11-18T17:12:18.66+00:00

Hi @Vinodh247
I'm running this from local pc, Python code, not from Web console.

Vinodh247 7,416 Reputation points

2023-11-18T16:09:14.7566667+00:00

can you check from which login are you trying to perform this and it has all the permissions? if you are trying from portal ensure that you dont have any other tab with some other login opened. Also sign-out and sign-in once from incognito if possible.
QA testing team 40 Reputation points

2023-11-18T17:12:18.66+00:00

Hi @Vinodh247
I'm running this from local pc, Python code, not from Web console.

Answer 1

SAMIT SARKAR 396 Microsoft Employee

Welcome to the Microsoft Q&A Platform. Thank you for reaching out, and I hope you are doing well.

From your comments I understand the Python application hosted in Azure VM trying to Access storage is getting error.

To configure Managed Identity to connect to Azure Storage, you can follow these steps:

Grant the Managed Identity Access to the Storage Account: In your storage account, select Access Control (IAM). Click Add and select add role assignment. Search for storage blob data Owner(necessary permission as required) , select it, and click Next.
On the Members’ tab, under Assign access to, choose Managed Identity. Select Member a blade will open in Azure Portal on your right side.
On that blade select the correct subscription, Resource and from the Button Select and Click Next

User's image

On Review+Sign at the buttom Review + Assign

User's image

Now Login to that VM and install Python. Generally, python gets installed in this location C:\Users<username>\AppData\Local\Programs\Python\Python312 Install the Following required Module a) py -m pip install azure-storage-blob b) py -m pip install azure-identity 6 Use the following snippet, save the script in c:\temp test.py extension and run C:/Users/<username>/AppData/Local/Programs/Python/Python312/python.exe c:/temp/tet.py

from azure.storage.blob import BlobServiceClient
from azure.identity import ManagedIdentityCredential

# Create a credential using ManagedIdentityCredential
creds = ManagedIdentityCredential()

# Create a BlobServiceClient using the credential
blob_service_client = BlobServiceClient(account_url="https://<storage Account>.blob.core.windows.net/", credential=creds)

# List all containers in the storage account
containers = blob_service_client.list_containers()
for container in containers:
    print(container.name)

While writing this, I have considered that the network of that storage account doesn't have any firewall/VNet/private endpoint and is open. If there are any specifics in that case, you will need additional configuration based on the scenario. Also, ensure that you have provided adequate permissions for listing.

Hope this helps.

QA testing team 40 Reputation points

2023-11-18T17:09:33.42+00:00

Hi @SAMIT SARKAR

I am trying to grant the permission to a managed identity whose client id will be used by any VM, not a specific VM, so I can't rely on any specific VM. Solution should be general and not break when the code is run on a different machine. So my final goal is to get access via BlobServiceClient such that it won't require me to type in any credentials in the code and that this code can run from anywhere, as long as the managed identity exists.
SAMIT SARKAR 396 Reputation points Microsoft Employee

2023-11-21T15:17:44.4166667+00:00
Hello Team,

Thank you for reaching out. I hope you are doing well. The last solution was based on a system-assigned Managed Identity. However, since you will be using a Managed Identity with a Client ID, we will need to leverage a User-Assigned Managed Identity. The same code will work in both the development and production environments. In this scenario, we can follow the steps below:

Please Refer https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview

Create a Managed Identity. Please Refer https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-azp.

Assign the correct Role to the user-assigned Identity (created in step 1) in the Storage Account (Refer to the screenshot).

Assign the User Identity to the Resource where the application will be deployed, for example, Azure VM or Function APP, etc (refer Screnshot from VM).

Please repeat the step 3 if you are deploying the code in multiple resources.

Log into the Dev computer's Visual Studio with the user credentials who have relevant access to the Azure storage used in Step 2.

Copy the Client ID for the Managed Identity created in Step 1.

7) Leverage the following demo code from your dev computer and deploy the same code in the resource configured in Step 4, which will list the containers.

from azure.storage.blob import BlobServiceClient from azure.identity import DefaultAzureCredential # Create a credential using ManagedIdentityCredential #In step 6 please use the client ID here assign to following variable UserAsignedclinetID UserAsignedclinetID = "XXXXX-XXXXXX-XXXXXX-XXXX-XXXXXXXXXX" creds = DefaultAzureCredential(managed_identity_client_id=UserAsignedclinetID) # Create a BlobServiceClient using the credential blob_service_client = BlobServiceClient(account_url="https://samitstorage.blob.core.windows.net/", credential=creds) # List all containers in the storage account containers = blob_service_client.list_containers() for container in containers: print(container.name)

Hope this Helps.

Thanks.
QA testing team 40 Reputation points

2023-11-22T07:19:22.24+00:00
Hi @SAMIT SARKAR

But if the code is to be run form a non-Azure VM, can this solution/or similar work ?

Because i try that from my local laptop and get:

DefaultAzureCredential failed to retrieve a token from the included credentials. Attempted credentials: EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
SAMIT SARKAR 396 Reputation points Microsoft Employee

2023-11-22T08:45:53.47+00:00

Hello Team,

Thank you for the update.

Yes, it works. please make sure if you have done Step 5.
"Log into the Development/ Local computer's Visual Studio with the user credentials who have relevant access to the Azure storage used in Step 2."

Thanks.
QA testing team 40 Reputation points

2023-11-24T13:27:56.5966667+00:00

@SAMIT SARKAR
The code I'm writing is part of automation and will be run from a VM that is not in Azure and is not part of any Azure service and the code is executed without manual intervention (for example a job in a jenkins server that runs this code within a docker container, all that on-prem). How would it work in that case ? currently it does not work.

SAMIT SARKAR 396 Microsoft Employee

Thank you for sharing more facts about this.

Refer: Authentication in server environments

As you currently mentioned that python application will be hosted in a docker environment which is not part of any Azure. Apps hosted outside of Azure (for example, on-premises apps) that need to connect to Azure services should use an application service principal. An application service principal represents the identity of the app in Azure and is created through the application registration process.

You can find the detailed steps about how to create an application specific service principal Azure resources from Python apps hosted on-premises

I am sharing the steps which I have followed to reproduce the issue.

On your Dev/VM outside of Azure please create .env file in the same directory where you have stored the python app/script.

Folder structure:

User's image

AZURE_CLIENT_ID=XXXX-XXXX-XXXX-XXXX-XXXXX
AZURE_TENANT_ID=xxxxx-xxx-xxxx-xxxx-xxx
AZURE_CLIENT_SECRET=xxxxxxxxxxxxxxxxxxxxxx

from azure.storage.blob import BlobServiceClient
from azure.identity import DefaultAzureCredential
from dotenv import load_dotenv

print("Loading environment variables from .env file")
load_dotenv(".env")

UserAsignedclinetID = "xxxxx-xxx-xxxx-xxx-xxxxxxx" #keeping this keeping in mind that this will be hosted using Managed Identity in Azure
creds = DefaultAzureCredential(managed_identity_client_id=UserAsignedclinetID)
#creds = DefaultAzureCredential()
# Create a BlobServiceClient using the credential
blob_service_client = BlobServiceClient(account_url="https://XXXXXX.blob.core.windows.net/", credential=creds)

# List all containers in the storage account
containers = blob_service_client.list_containers()
for container in containers:
    print(container.name)

FROM  python:3.9
ADD pythonapp.py .
ADD .env .
RUN  pip install  azure.storage.blob  azure.identity python-dotenv
CMD ["python","./pythonapp.py","./.env"]

Hope this helps.

Thanks

QA testing team 40 Reputation points

2023-11-30T04:55:22.8133333+00:00

Ok, I understand now, thanks !

AuthorizationPermissionMismatch when trying to upload to block with DefaultAzureCredential

0 additional answers

Activity