Hey @Jody Whitlock
Hopefully you already solved your issue, but I will add an answer here in case anybody else faces the same issue.
For clarification, the target here is to create a VM Application.
While creating an app, you need to specify the link to the application bundle which is stored in a storage account.
To give access to your Compute Gallery to download the application bundle, you need to provide it access, and the recommended way of providing access to files stored in Azure Blob storage is with a User Delegated SAS token.
There are two important things to note here:
- User Delegated SAS Tokens are exactly as they sound - "A user delegation SAS is secured with Microsoft Entra credentials and also by the permissions specified for the SAS". This means that the user creating the token must first have access to the blob the token is generated for.
- Even if you have permissions to see the Storage Account resource, you don't necessarily have permissions to read the data plane. Read more about the difference between control and data plane here.
One interesting thing to note: even if the user does not have permissions to read the blob data, this won't prevent the user from creating the SAS token, because the user still has access to the control plane :O
So, in summary:
- Based on the provided SAS token structure in the question, the token created was a user token
- Based on the error, the user did not have sufficient data plane permissions.
To solve this issue, you have two options:
- Grant the user data plane permissions on the blob; such a permission could be Storage Blob Data Reader
- Generate the token using the Storage Account Key (not recommended)
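The answer above infers the token type from its structure. As an added illustration (not from the original thread, and not Microsoft's own tooling), this Python helper classifies a SAS URL as user delegation or account-key by its query fields and flags the conditions that would make a bundle download fail. It inspects only the token itself: a well-formed user delegation SAS still fails if the delegating identity lacks data plane rights such as Storage Blob Data Reader. The sample URLs, GUIDs and signatures are constructed placeholders.

```python
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Query fields present only when the SAS was signed with a user delegation key;
# an account-key SAS carries none of them.
USER_DELEGATION_FIELDS = {"skoid", "sktid", "skt", "ske", "sks", "skv"}
# Fields any blob SAS must carry for a download to be authorised at all.
REQUIRED_FIELDS = {"sv", "sp", "sr", "se", "sig"}


def classify_sas(url: str, now: Optional[datetime] = None) -> dict:
    """Return the SAS kind plus findings that would block a bundle download."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    keys = set(params)
    findings = []
    missing = REQUIRED_FIELDS - keys
    if missing:
        findings.append(f"missing fields: {sorted(missing)}")
    if USER_DELEGATION_FIELDS <= keys:
        kind = "user-delegation"  # signed with a Microsoft Entra identity
    elif keys & USER_DELEGATION_FIELDS:
        kind = "malformed"        # only some sk* fields: token was hand-edited?
        findings.append("incomplete user delegation fields")
    else:
        kind = "account-key"      # signed with a storage account key
    perms = params.get("sp", "")
    if "r" not in perms:
        findings.append(f"no read permission in sp={perms!r}")
    if "se" in params:
        now = now or datetime.now(timezone.utc)
        expiry = datetime.fromisoformat(params["se"].replace("Z", "+00:00"))
        if expiry <= now:
            findings.append(f"token expired at {params['se']}")
    return {"kind": kind, "ok": not findings, "findings": findings}


# Constructed sample URLs; GUIDs and signatures are placeholders, not real values.
BLOB = "https://example.blob.core.windows.net/apps/bundle.zip"
USER_DELEGATION_SAS = (BLOB + "?sv=2022-11-02&sp=r&sr=b&se=2030-01-02T00:00:00Z"
    "&skoid=00000000-0000-0000-0000-000000000001"
    "&sktid=00000000-0000-0000-0000-000000000002"
    "&skt=2030-01-01T00:00:00Z&ske=2030-01-02T00:00:00Z&sks=b&skv=2022-11-02"
    "&sig=PLACEHOLDER")
ACCOUNT_KEY_SAS = BLOB + "?sv=2022-11-02&sp=r&sr=b&se=2030-01-02T00:00:00Z&sig=PLACEHOLDER"
LIST_ONLY_SAS = BLOB + "?sv=2022-11-02&sp=l&sr=c&se=2030-01-02T00:00:00Z&sig=PLACEHOLDER"

if __name__ == "__main__":
    for url in (USER_DELEGATION_SAS, ACCOUNT_KEY_SAS, LIST_ONLY_SAS):
        print(classify_sas(url))
```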