AuthorizationPermissionMismatch for access to Azure storage using oauth

小田切 祥 0 Reputation points
2023-12-27T07:49:48.2333333+00:00
from azure.storage.blob import BlobServiceClient
from flask import Flask, redirect
from azure.identity import ClientSecretCredential


app = Flask(__name__)
client_id = "xxxxxxxxxxxxxxxxxxxxxxx"
redirect_uri = 'http://localhost:8080/getAToken'
client_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxx"

tenant_id = "xxxxxxxxxxxxxxxxxxxxx"
subscription_id = "xxxxxxxxxxxxxxxxxxxxx"

scopes = [
    "https://storage.azure.com/user_impersonation",
    "https://management.azure.com/user_impersonation",
    "https://graph.microsoft.com/.default"
]

@app.route('/login')
def login():
    # Send the user to the Microsoft identity platform authorization endpoint
    # (authorization code flow, delegated scope for Azure Storage)
    auth_url = (
        f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize?"
        f"client_id={client_id}&"
        f"response_type=code&"
        f"redirect_uri={redirect_uri}&"
        f"response_mode=query&"
        f"scope={scopes[0]}"
    )
    return redirect(auth_url)


@app.route('/getAToken')
def get_token():
    # The authorization code delivered to this redirect URI is not used here;
    # ClientSecretCredential acquires an app-only token for the app registration itself
    credential = ClientSecretCredential(
        tenant_id=tenant_id,
        client_id=client_id,
        client_secret=client_secret
    )
    service_client = BlobServiceClient(
        account_url="https://hoge.blob.core.windows.net/",
        credential=credential
    )
    properties = service_client.get_service_properties()

    # Check the delete retention policy
    delete_retention_policy = properties['delete_retention_policy']
    # Return plain fields: Flask cannot serialize the RetentionPolicy object directly
    return {
        "enabled": delete_retention_policy.enabled,
        "days": delete_retention_policy.days,
    }

if __name__ == '__main__':
    app.run(port=8080, debug=True)


When I run the above code, I get the following error

azure.core.exceptions.HttpResponseError: This request is not authorized to perform this operation using this permission.
RequestId:dc4662a0-501e-0041-6797-3889e7000000
Time:2023-12-27T07:37:48.9208028Z
ErrorCode:AuthorizationPermissionMismatch
Content: <?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationPermissionMismatch</Code><Message>This request is not authorized to perform this operation using this permission.
RequestId:dc4662a0-501e-0041-6797-3889e7000000
Time:2023-12-27T07:37:48.9208028Z</Message></Error>

The settings on the application side are as shown in the attached image, and OAuth authentication is agreed upon by the administrator.

1 answer

  1. Sumarigo-MSFT 47,486 Reputation points Microsoft Employee
    2023-12-29T07:17:23.6833333+00:00

    Welcome to Microsoft Q&A Forum, thank you for posting your query here!

    Based on the error message, it's a permission issue.
    Please provide the mentioned access for client_id = "xxxxxxxxxxxxxxxxxxxxxxx" (IAM permission). I would go into your storage account > IAM > Add role assignment, and add the special permissions for this type of request:

    Ensure that you have Contributor and Blob Data Contributor permissions on the storage account.

    Additional information: Assign an Azure role for access to blob data

    Please let us know if you have any further queries. I’m happy to assist you further.


    Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    1 person found this answer helpful.
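The question's code mixes two flows: /login starts an authorization-code (delegated) sign-in, but /getAToken then acquires an app-only token with ClientSecretCredential, so the Blob Data role has to sit on the app registration's service principal (the client_id the answer names), not on the user who consented. The diagnostic below is an added example, not part of the question or the answer: it decodes the claims of an access token to show which principal is actually calling Storage and therefore which identity needs the role assignment. The tokens it inspects are constructed, unsigned samples with placeholder GUIDs, and all function names are assumptions of this example.

```python
import base64
import json

# Audiences Azure AD places in access tokens issued for the Azure Storage resource
# (the form with the trailing slash is the one Storage normally issues).
STORAGE_AUDIENCES = {"https://storage.azure.com", "https://storage.azure.com/"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.

    This is a diagnostic aid for reading a token you obtained yourself; it must
    never be used to decide whether a token presented by someone else is valid.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_storage_token(token: str) -> dict:
    """Explain which principal an Azure Storage data-plane RBAC role must be assigned to.

    Delegated tokens (authorization code flow) carry an 'scp' claim and act as the
    signed-in user, so the role belongs on the user. App-only tokens (client
    credentials, e.g. ClientSecretCredential) have no 'scp' claim and act as the
    app registration's service principal, so the role belongs on that principal.
    """
    claims = decode_claims(token)
    delegated = "scp" in claims
    client_id = claims.get("appid") or claims.get("azp")
    oid = claims.get("oid")
    return {
        "audience_ok": claims.get("aud") in STORAGE_AUDIENCES,
        "flow": "delegated" if delegated else "app-only",
        "client_id": client_id,
        "principal_object_id": oid,
        "assign_role_to": (
            f"the signed-in user (oid {oid})" if delegated
            else f"the service principal of app {client_id} (oid {oid})"
        ),
    }


def make_unsigned_sample_token(claims: dict) -> str:
    """Build a CONSTRUCTED, unsigned JWT for offline demonstration only.

    Real Azure AD tokens are RS256-signed; this uses a dummy signature segment,
    so any service would reject it. It is only ever fed to decode_claims above.
    """
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "none"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'not-a-real-signature')}"


# Constructed claim sets with placeholder GUIDs (not real identities).
APP_ONLY_TOKEN = make_unsigned_sample_token({
    "aud": "https://storage.azure.com/",
    "appid": "00000000-0000-0000-0000-00000000aaaa",  # the app registration's client_id
    "oid": "00000000-0000-0000-0000-00000000bbbb",    # its service principal's object id
    # no 'scp': nothing is delegated, the app acts as itself
})
DELEGATED_TOKEN = make_unsigned_sample_token({
    "aud": "https://storage.azure.com/",
    "appid": "00000000-0000-0000-0000-00000000aaaa",
    "oid": "00000000-0000-0000-0000-00000000cccc",    # the signed-in user's object id
    "scp": "user_impersonation",
})
WRONG_AUDIENCE_TOKEN = make_unsigned_sample_token({
    "aud": "https://graph.microsoft.com",             # a Graph token sent to Storage
    "appid": "00000000-0000-0000-0000-00000000aaaa",
    "oid": "00000000-0000-0000-0000-00000000bbbb",
})

if __name__ == "__main__":
    for name, tok in [("app-only", APP_ONLY_TOKEN), ("delegated", DELEGATED_TOKEN),
                      ("wrong audience", WRONG_AUDIENCE_TOKEN)]:
        print(name, json.dumps(diagnose_storage_token(tok), indent=2))
```

To run this against the token the question's code actually uses, pass `credential.get_token("https://storage.azure.com/.default").token` from the ClientSecretCredential into `diagnose_storage_token`; it will report an app-only flow and the service principal's object id, which is the identity that needs Storage Blob Data Contributor (or Reader) on the account. An AuthorizationPermissionMismatch means the token itself was accepted and only the RBAC check failed, so the audience and the principal shown here are exactly what to compare against the role assignment.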
