AuthorizationPermissionMismatch when trying to upload to block with DefaultAzureCredential

QA testing team 50 Reputation points
2023-11-17T22:45:55.5633333+00:00

Hi,

I am following this tutorial: https://learn.microsoft.com/en-us/azure/storage/blobs/storage-quickstart-blobs-python?tabs=managed-identity%2Croles-azure-portal%2Csign-in-azure-cli

I want to upload a file to my storage account blob and try to authenticate with BlobServiceClient(which I did using account secret token) but I want to use DefaultAzureCredential as suggested in the guide, so I don't need to specify credentials in the code. I created a managed identity, tried giving it Storage Blob Data Contributor permissions for my storage account and I'm getting this error during blob_client.upload_blob:

*blob_client.upload_blob(data, overwrite=True) File "/Library/Python/3.9/site-packages/azure/core/tracing/decorator.py", line 78, in wrapper_use_tracer return func(*args, **kwargs) File "/Library/Python/3.9/site-packages/azure/storage/blob/_blob_client.py", line 765, in upload_blob return upload_block_blob(*options) File "/Library/Python/3.9/site-packages/azure/storage/blob/_upload_helpers.py", line 195, in upload_block_blob process_storage_error(error) File "/Library/Python/3.9/site-packages/azure/storage/blob/_shared/response_handlers.py", line 184, in process_storage_error exec("raise error from None") # pylint: disable=exec-used # nosec File "<string>", line 1, in <module>azure.core.exceptions.HttpResponseError: This request is not authorized to perform this operation using this permission.RequestId:.....Time:2023-11-17T22:34:53.4360923ZErrorCode:AuthorizationPermissionMismatchContent: <?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationPermissionMismatch</Code><Message>This request is not authorized to perform this operation using this permission.

I tried giving the identity Storage Blob Data Owner permissions instead, but got same error as above.
I also tried giving permissions on the account storage level but it doesn't help.

What am I missing ?

Thanks in advance,

Ilya

Azure Blob Storage
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
2,632 questions
{count} votes

Accepted answer
  1. SAMIT SARKAR 791 Reputation points Microsoft Employee
    2023-11-18T16:22:22.6266667+00:00

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out, and I hope you are doing well.

    From your comments I understand the Python application hosted in Azure VM trying to Access storage is getting error.

    To configure Managed Identity to connect to Azure Storage, you can follow these steps:

    1. Grant the Managed Identity Access to the Storage Account: In your storage account, select Access Control (IAM). Click Add and select add role assignment. Search for storage blob data Owner(necessary permission as required) , select it, and click Next. User's image
    2. On the Members’ tab, under Assign access to, choose Managed Identity. Select Member a blade will open in Azure Portal on your right side.
    3. On that blade select the correct subscription, Resource and from the Button Select and Click Next

    User's image

    1. On Review+Sign at the buttom Review + Assign

    User's image

    Now Login to that VM and install Python. Generally, python gets installed in this location C:\Users<username>\AppData\Local\Programs\Python\Python312 Install the Following required Module a) py -m pip install azure-storage-blob b) py -m pip install azure-identity 6 Use the following snippet, save the script in c:\temp test.py extension and run C:/Users/<username>/AppData/Local/Programs/Python/Python312/python.exe c:/temp/tet.py

    from azure.storage.blob import BlobServiceClient
    from azure.identity import ManagedIdentityCredential
    
    # Create a credential using ManagedIdentityCredential
    creds = ManagedIdentityCredential()
    
    # Create a BlobServiceClient using the credential
    blob_service_client = BlobServiceClient(account_url="https://<storage Account>.blob.core.windows.net/", credential=creds)
    
    # List all containers in the storage account
    containers = blob_service_client.list_containers()
    for container in containers:
        print(container.name)
    
    

    While writing this, I have considered that the network of that storage account doesn't have any firewall/VNet/private endpoint and is open. If there are any specifics in that case, you will need additional configuration based on the scenario. Also, ensure that you have provided adequate permissions for listing.

    Hope this helps.


0 additional answers

Sort by: Most helpful