403 Exception trying to access blob in desktop client

Leon H 0 Reputation points
2024-04-21T02:35:25.23+00:00
A file in the pic is being accessed in my code and throws a 403 exception in OpenReadAsync. That is despite the fact that I assigned read/write permission to all users in Azure AD. I am using this code, and all the parameters and the URL are correct. The strange part is that my web service copies the files to Azure Blob just fine and I can see the files in the container...

```csharp
using System;
using System.IO;
using System.Threading.Tasks;
using System.Windows.Forms;      // MethodInvoker, MessageBoxButtons, MessageBoxIcon
using Azure;                     // RequestFailedException
using Azure.Identity;            // ClientSecretCredential
using Azure.Storage.Blobs;       // BlobClient
using DevExpress.XtraEditors;    // XtraMessageBox

private async Task FetchAndDisplayDocument(string blobUrl)
{
    using (Log.VerboseCall())
    {
        try
        {
            // Authenticate with the app registration's tenant, client ID and client secret
            var credential = new ClientSecretCredential(_azConfig.AzureAD.TenantId, _azConfig.AzureAD.ClientId, _azConfig.AzureAD.ClientSecret);

            // Instantiate a BlobClient which will be used to create or reference a blob
            var blobClient = new BlobClient(new Uri(blobUrl), credential);

            // Download the blob's contents as a stream
            Stream blobStream = await blobClient.OpenReadAsync();

            // Assuming you have a method to display this stream content in your right pane
            // and assuming 'this' is a Form or Control that has a method named DisplayDocumentStream
            this.Invoke((MethodInvoker)delegate
            {
                DisplayDocumentStream(blobStream);
            });
        }
        catch (RequestFailedException ex)
        {
            Log.Verbose($"{ex.Message}");

            // Show the service error on the UI thread
            this.Invoke((MethodInvoker)delegate
            {
                XtraMessageBox.Show(ex.Message, Properties.Settings.Default.AppTitle,
                    MessageBoxButtons.OK, MessageBoxIcon.Warning);
                return;
            });
        }
    }
}
```

So I concluded that the problem is in configuring Azure AD/Entra.
I registered my desktop app and have the following.

In API Permissions:

![enter image description here](/api/attachments/579c8a52-cf05-4f29-b73d-9452488f3eab?platform=QnA)

In the "Expose an API" section:

![enter image description here](/api/attachments/0b3594b3-624d-49a1-89d6-daa63c75a7d7?platform=QnA)

In the App Roles:

![enter image description here](/api/attachments/9d8399a1-2110-4bbf-b763-6a70e13b942e?platform=QnA)

I have Storage Account of V2 Kind.

In Access Control (IAM): (all these users/admins are me)

![enter image description here](/api/attachments/2b769edf-f02a-4899-afcc-4e8a558917a7?platform=QnA)

![enter image description here](/api/attachments/251db310-228f-4789-87c9-de617f6988d2?platform=QnA)

So, I was banging my head against the wall for a day and can't figure out what I am doing wrong...
I hope I did not forget to show any other significant settings and did not expose too much.
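
Added example (not the poster's code): a helper that maps the error code on a 403 `RequestFailedException` to the layer that most likely rejected the request, and reads the `oid` and `aud` claims from an access token to show which principal a role assignment has to name. `ClientSecretCredential` authenticates as the app registration's service principal rather than as a signed-in user. The class and method names are hypothetical, the exception and token in `Main` are constructed, and the code assumes C# 8 or later with System.Text.Json available.

```csharp
using System;
using System.Text;
using System.Text.Json;
using Azure;

// Added diagnostic helper; class and method names are hypothetical.
static class Blob403Diagnostics
{
    // Map the service error code on a 403 to the layer that most likely rejected it.
    public static string Explain(RequestFailedException ex)
    {
        if (ex.Status != 403) return $"HTTP {ex.Status} ({ex.ErrorCode}): not a 403";
        return ex.ErrorCode switch
        {
            "AuthorizationPermissionMismatch" =>
                "Token accepted, but its principal lacks a data-plane role " +
                "(for example Storage Blob Data Reader) at this scope.",
            "AuthorizationFailure" =>
                "Request not authorized; commonly the storage account firewall or network rules.",
            "AuthenticationFailed" =>
                "The service could not authenticate the request; a credential problem, not a role problem.",
            _ => $"403 with error code '{ex.ErrorCode}'; read ex.Message for the service detail."
        };
    }

    // Read oid and aud from a token payload WITHOUT validating it (diagnostics only).
    public static (string Oid, string Aud) ReadPrincipal(string jwt)
    {
        string p = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
        p = p.PadRight(p.Length + (4 - p.Length % 4) % 4, '=');   // restore base64 padding
        string json = Encoding.UTF8.GetString(Convert.FromBase64String(p));
        using JsonDocument doc = JsonDocument.Parse(json);
        JsonElement root = doc.RootElement;
        return (root.GetProperty("oid").GetString(), root.GetProperty("aud").GetString());
    }

    static void Main()
    {
        // Constructed sample inputs: a 403 as the SDK surfaces it, and an unsigned
        // token with placeholder claims.
        var ex = new RequestFailedException(403, "constructed", "AuthorizationPermissionMismatch", null);
        Console.WriteLine(Explain(ex));
        string claims = "{\"aud\":\"https://storage.azure.com\",\"oid\":\"00000000-0000-0000-0000-000000000000\"}";
        string payload = Convert.ToBase64String(Encoding.UTF8.GetBytes(claims))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        Console.WriteLine(ReadPrincipal($"e30.{payload}.sig"));
    }
}
```

Against a real account, the token would come from the credential's `GetTokenAsync` with the scope `https://storage.azure.com/.default`, and `Explain(ex)` would be called in the existing `catch` block. The `oid` printed is the object ID to look for among the role assignments in Access Control (IAM).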