AuthorizationPermissionMismatch error when accessing blob file with indirect permission in RBAC

Kamil Zak 0 Reputation points
2024-04-18T23:01:28.29+00:00

Hi,

I'm using BlobContainerClient for accessing blobs from code (C#)

using System.Threading;
using System.Threading.Tasks;
using Azure.Storage.Blobs;

// Injected elsewhere; authenticated with the application's Managed Identity
private readonly BlobServiceClient _blobServiceClient;

private async Task<BlobClient> GetBlobClientAsync(string blobName, string container, CancellationToken cancellationToken)
{
    var containerClient = await GetContainerClientAsync(container, cancellationToken);
    return containerClient.GetBlobClient(blobName);
}

private async Task<BlobContainerClient> GetContainerClientAsync(string container, CancellationToken cancellationToken)
{
    var blobContainer = _blobServiceClient.GetBlobContainerClient(container);
    // Creating the container needs container write rights, which Storage Blob Data Contributor includes
    await blobContainer.CreateIfNotExistsAsync(cancellationToken: cancellationToken);
    return blobContainer;
}

The application in the cloud has a Managed Identity set. When, in RBAC, I have the role Storage Blob Data Contributor assigned directly to my application, everything works correctly.

But when the role is assigned indirectly through a group, I get an exception:

Status: 403 (Forbidden)
ErrorCode: AuthorizationPermissionMismatch


What should I do to fix this behavior?

Tags: Azure Storage Accounts, Azure Blob Storage, Azure Role-based access control, C#, Microsoft Entra ID

1 answer

  1. Nehruji R 1,976 Reputation points Microsoft Vendor
    2024-04-19T06:56:51.65+00:00

    Hello Kamil Zak,

    Greetings! Welcome to Microsoft Q&A Platform.

    I understand that you are getting an AuthorizationPermissionMismatch error when attempting to access a blob file in Azure Blob Storage, which might be due to insufficient permissions. Below are some troubleshooting steps to overcome this error:

    • Make sure the user or application has the necessary permissions/access to the blob storage assigned: assign an Azure role for access to blob data, listed under the service principal in IAM Access.
    • Check the access policies for the blob container and confirm that your IP address is added to the CORS (Cross-Origin Resource Sharing) settings on the blob storage. This ensures that your requests are allowed from the specified IP.
    • When a user is part of a group, Azure evaluates permissions based on both direct and inherited roles. Ensure that the group itself has the necessary permissions on the blob storage, and check whether there are conflicting roles assigned directly to the user or application. Sometimes a direct role assignment can override an inherited role from a group.
    • Use the Effective Permissions tool in the Azure portal to see the combined permissions for a user or application. It considers both direct and inherited roles.
    • Make sure you've properly configured your BlobServiceClient and that the container and blob names are correct.
    • Try using the "Diagnose and solve problems" tool in the Azure portal sidebar for your storage account. It will help you look through your logs to see what's going on.

    Similar SO thread for reference: https://stackoverflow.com/questions/52769758/azure-blob-storage-authorization-permission-mismatch-error-for-get-request-wit

    Hope this answer helps! Please let us know if you have any further queries. I’m happy to assist you further.


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

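The question's code and the answer's troubleshooting list both come down to one question: which principal did the storage service see, and does that principal hold the role at the time of the call? The C# below is an added diagnostic example, not the question's code and not Azure SDK sample code. It assumes the Azure.Storage.Blobs and Azure.Identity NuGet packages; the class name BlobAccessDiagnostics, its method names and the log layout are hypothetical. It catches the 403 AuthorizationPermissionMismatch response, then requests the same storage token the SDK sends and decodes the token payload locally (no signature validation, purely to read claims) so that the oid can be searched under IAM > Check access (the answer's "Effective Permissions" step) and the exp claim shows whether the token predates the role or group change.

```csharp
// Added diagnostic example; not the question's code and not an Azure SDK sample.
// Assumes the Azure.Storage.Blobs and Azure.Identity packages. The class, method
// names and log layout are hypothetical.
using System;
using System.Text;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.Storage.Blobs;

public sealed class BlobAccessDiagnostics
{
    // Scope the Storage SDK requests for data-plane calls
    private const string StorageScope = "https://storage.azure.com/.default";
    private readonly TokenCredential _credential;
    private readonly BlobServiceClient _blobServiceClient;

    public BlobAccessDiagnostics(Uri accountUri, TokenCredential? credential = null)
    {
        // DefaultAzureCredential picks up the Managed Identity when running in Azure
        _credential = credential ?? new DefaultAzureCredential();
        _blobServiceClient = new BlobServiceClient(accountUri, _credential);
    }

    // Reads a blob; on AuthorizationPermissionMismatch, reports which principal the
    // storage service saw so the role assignment can be checked under IAM.
    public async Task<BinaryData?> TryReadBlobAsync(string container, string blobName, CancellationToken ct)
    {
        var blob = _blobServiceClient.GetBlobContainerClient(container).GetBlobClient(blobName);
        try
        {
            var result = await blob.DownloadContentAsync(ct);
            return result.Value.Content;
        }
        catch (RequestFailedException ex) when (ex.Status == 403 && ex.ErrorCode == "AuthorizationPermissionMismatch")
        {
            Console.Error.WriteLine($"403 {ex.ErrorCode} on {blob.Uri}");
            Console.Error.WriteLine(await DescribeCallerAsync(ct));
            return null;
        }
    }

    // Acquires the same token the SDK would send and decodes its payload. The
    // signature is not checked: this reads claims for a local report, it does not
    // establish trust in them.
    public async Task<string> DescribeCallerAsync(CancellationToken ct)
    {
        AccessToken token = await _credential.GetTokenAsync(new TokenRequestContext(new[] { StorageScope }), ct);
        string[] parts = token.Token.Split('.');
        if (parts.Length != 3) return "token is not a JWT";

        using JsonDocument payload = JsonDocument.Parse(Base64UrlDecode(parts[1]));
        JsonElement root = payload.RootElement;
        string Claim(string name) => root.TryGetProperty(name, out var v) ? v.ToString() : "(absent)";

        var sb = new StringBuilder();
        sb.AppendLine($"tenant (tid):        {Claim("tid")}");
        sb.AppendLine($"principal (oid):     {Claim("oid")}  <- look this id up under IAM > Check access");
        sb.AppendLine($"application (appid): {Claim("appid")}");
        sb.AppendLine($"groups claim:        {Claim("groups")}");
        // Unix time; compare with when the role or group assignment was made
        sb.AppendLine($"expires (exp):       {Claim("exp")}");
        return sb.ToString();
    }

    // JWT segments are base64url without padding; restore standard base64 first
    private static byte[] Base64UrlDecode(string s)
    {
        string padded = s.Replace('-', '+').Replace('_', '/');
        padded = padded.PadRight(padded.Length + (4 - padded.Length % 4) % 4, '=');
        return Convert.FromBase64String(padded);
    }
}
```

Usage: `await new BlobAccessDiagnostics(new Uri("https://<account>.blob.core.windows.net")).TryReadBlobAsync("container", "file.txt", CancellationToken.None)`. A null return with the report on stderr gives the object ID to check in IAM and the token expiry; if the role was granted to a group after that token was issued, the report makes the timing visible rather than leaving it to guesswork.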