403 Exception trying to access blob in desktop client

Leon H 0 Reputation points
2024-04-21T02:34:08.72+00:00

A file (shown in the screenshot) is being accessed in my code and throws a 403 exception in OpenReadAsync. That is despite my having assigned read/write permission to all users in Azure AD. I am using this code, and all the parameters and the URL are correct. The strange part is that my web service copies the files to Azure Blob just fine, and I can see the files in the container...

```csharp
using System;
using System.IO;
using System.Threading.Tasks;
using System.Windows.Forms;
using Azure;                    // RequestFailedException
using Azure.Identity;           // ClientSecretCredential
using Azure.Storage.Blobs;      // BlobClient
using DevExpress.XtraEditors;   // XtraMessageBox

private async Task FetchAndDisplayDocument(string blobUrl)
{
    using (Log.VerboseCall())
    {
        try
        {
            // Authenticate as the app registration (service principal) with its client secret
            var credential = new ClientSecretCredential(
                _azConfig.AzureAD.TenantId,
                _azConfig.AzureAD.ClientId,
                _azConfig.AzureAD.ClientSecret);

            // Instantiate a BlobClient which will be used to create or reference a blob
            var blobClient = new BlobClient(new Uri(blobUrl), credential);

            // Download the blob's contents as a stream (this is the call that throws 403)
            Stream blobStream = await blobClient.OpenReadAsync();

            // Assuming you have a method to display this stream content in your right pane
            // and assuming 'this' is a Form or Control that has a method named DisplayDocumentStream
            this.Invoke((MethodInvoker)delegate
            {
                DisplayDocumentStream(blobStream);
            });
        }
        catch (RequestFailedException ex)
        {
            // ex.Status is the HTTP status (403 here); ex.ErrorCode is the storage error code
            Log.Verbose($"{ex.Status} {ex.ErrorCode}: {ex.Message}");

            this.Invoke((MethodInvoker)delegate
            {
                XtraMessageBox.Show(ex.Message, Properties.Settings.Default.AppTitle,
                    MessageBoxButtons.OK, MessageBoxIcon.Warning);
            });
        }
    }
}
```

So I concluded that the problem is in configuring Azure AD/Entra. I registered my desktop app and have the following.

In API Permissions:

[screenshot]

In the "Expose an API" section:

[screenshot]

In the App Roles:

[screenshot]

I have a Storage Account of kind V2.

In Access Control (IAM): (all these users/admins are me)

[screenshot]

[screenshot]

So, I was banging my head against the wall for a day and can't figure out what I am doing wrong... I hope I did not forget to show any other significant settings and did not expose too much.


1 answer

  1. Anand Prakash Yadav 6,785 Reputation points Microsoft Vendor
    2024-04-22T07:07:59.0933333+00:00

    Hello Leon H,

    Thank you for posting your query here!

    Can you please ensure that you have assigned an appropriate RBAC role to this service principal? Here are the detailed steps to correctly assign the necessary roles to the service principal. This will ensure that it has the required permissions to access Azure Blob Storage:

    Steps to Assign Role to Service Principal:

    Step 1: Open Azure Portal

    Go to Azure Portal.

    Step 2: Navigate to Your Storage Account

    Find and select the specific Storage Account where the blob resides.

    Go to the "Access control (IAM)" section.

    Step 3: Add Role Assignment

    Click on "+ Add" and select "Add role assignment" to open the Add role assignment pane.

    Step 4: Select the Appropriate Role

    Choose the role that corresponds to the access level you want the application to have. For reading blobs, select "Storage Blob Data Reader". If the application needs to write or delete blobs, select "Storage Blob Data Contributor".

    Step 5: Assign Access to the Service Principal

    Under "Assign access to", select "Service Principal".

    In the search box, type the name of your app registration or the client ID. It should appear in the search results.

    Select your service principal from the list.

    Step 6: Save the Role Assignment

    Click "Save" to apply the role assignment.

    Source: https://stackoverflow.com/questions/78363041/403-exception-trying-to-read-file-in-azure-blob

    I hope this helps! Please let me know if the issue persists or if you have any other questions.

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.

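The role assignment the answer walks through in the portal, done with the Azure CLI instead, as an added example that is not part of the original question or answer. It takes the same blob URL the desktop client passes to `BlobClient` plus the app registration's client ID; the subscription ID, resource group, the `assign`/`verify` sub-commands and the 10-second retry loop are assumptions of this script. Owner or Contributor on the storage account is a control-plane role and does not by itself grant blob reads through Entra; the data plane needs Storage Blob Data Reader (or Contributor), which is what `assign` creates.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Assigns the data-plane RBAC role
# to a service principal at storage-account scope with the Azure CLI, then
# verifies a blob read as the logged-in identity.
set -u

# Split https://<account>.blob.core.windows.net/<container>/<blob path> into
# "account container blob". Assumes the standard public endpoint host name;
# custom domains or private endpoints would need the account name passed in.
parse_blob_url() {
  local url host path account container blob
  url=${1#*://}            # strip the scheme
  host=${url%%/*}          # account.blob.core.windows.net
  path=${url#*/}           # container/dir/file.pdf
  account=${host%%.*}
  container=${path%%/*}
  blob=${path#*/}          # may itself contain slashes
  printf '%s %s %s\n' "$account" "$container" "$blob"
}

# ARM resource ID of the storage account; the role is assigned at this scope.
storage_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s\n' \
    "$1" "$2" "$3"
}

# Map the access the client needs to the built-in *data-plane* role.
blob_role() {
  case "$1" in
    read)  echo "Storage Blob Data Reader" ;;
    write) echo "Storage Blob Data Contributor" ;;
    *)     echo "unknown access level: $1 (use read|write)" >&2; return 1 ;;
  esac
}

# Run as someone who can write role assignments on the account (Owner or
# User Access Administrator). --assignee accepts the app registration's client ID.
assign_blob_role() {
  local subscription="$1" resource_group="$2" client_id="$3" blob_url="$4" access="${5:-read}"
  local role scope
  role=$(blob_role "$access") || return 1
  set -- $(parse_blob_url "$blob_url")
  scope=$(storage_scope "$subscription" "$resource_group" "$1")
  az role assignment create --assignee "$client_id" --role "$role" --scope "$scope" -o none || return 1
  echo "assigned '$role' to $client_id at $scope; roles now effective there:"
  az role assignment list --assignee "$client_id" --scope "$scope" --include-inherited \
    --query "[].roleDefinitionName" -o tsv
}

# Run after "az login --service-principal ..." so the read is made as the same
# principal the desktop app uses. Assignments propagate asynchronously, so retry.
verify_blob_read() {
  local attempt
  set -- $(parse_blob_url "$1")
  for attempt in 1 2 3 4 5 6; do
    if az storage blob show --auth-mode login --account-name "$1" \
         --container-name "$2" --name "$3" -o none; then
      echo "OK: can read '$3' in container '$2' on account '$1'"
      return 0
    fi
    echo "attempt $attempt: still denied; waiting for the role assignment to propagate" >&2
    sleep 10
  done
  return 1
}

case "${1:-}" in
  assign) shift; assign_blob_role "$@" ;;
  verify) shift; verify_blob_read "$@" ;;
  *) echo "usage: $0 assign <subscription-id> <resource-group> <client-id> <blob-url> [read|write]" >&2
     echo "       $0 verify <blob-url>    (after: az login --service-principal -u <client-id> -p <secret> --tenant <tenant-id>)" >&2 ;;
esac
```

Run `assign` with your own admin login, then `az login --service-principal` with the desktop app's client ID and secret and run `verify` against the URL that fails in `OpenReadAsync`; if the CLI read succeeds as the service principal but the desktop client still gets 403, the problem is no longer the role assignment.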