Accessing blob storage using azure CLI with managed identity

asked 2020-09-08T11:25:14.593+00:00
Jan 101 Reputation points

I wanted to access blob storage with a managed system identity using the azure cli. Steps:

  • Create Ubuntu VM and assign managed system identity + roles
  • Log into VM
  • Install azure cli
  • Run: az login --identity (successful)
  • Run: az storage blob list -c <my_container_name> --account-name <my_account_name> --auth-mode login

Resulting error and stack trace are mentioned below. Is this a bug or am I doing something wrong?

The command failed with an unexpected error. Here is the traceback:

get_token() takes 1 positional argument but 2 were given
Traceback (most recent call last):
File "/opt/az/lib/python3.6/site-packages/knack/cli.py", line 215, in invoke
cmd_result = self.invocation.execute(args)
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/init.py", line 654, in execute
raise ex
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/init.py", line 718, in _run_jobs_serially
results.append(self._run_job(expanded_arg, cmd_copy))
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/init.py", line 709, in _run_job
cmd_copy.exception_handler(ex)
File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/storage/init.py", line 334, in new_handler
raise ex
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/init.py", line 688, in _run_job
result = cmd_copy(params)
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/init.py", line 325, in call
return self.handler(*args, **kwargs)
File "/opt/az/lib/python3.6/site-packages/azure/cli/core/init.py", line 782, in default_command_handler
return op(**command_args)
File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/storage/operations/blob.py", line 67, in list_blobs
result = list_generator(pages=pages, num_results=num_results)
File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/storage/track2_util.py", line 67, in list_generator
page = list(next(pages))
File "/opt/az/lib/python3.6/site-packages/azure/core/paging.py", line 74, in next
self._response = self._get_next(self.continuation_token)
File "/opt/az/lib/python3.6/site-packages/azure/multiapi/storagev2/blob/v2019_12_12/_list_blobs_helper.py", line 76, in _get_next_cb
use_location=self.location_mode)
File "/opt/az/lib/python3.6/site-packages/azure/multiapi/storagev2/blob/v2019_12_12/_generated/operations/_container_operations.py", line 1211, in list_blob_flat_segment
pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs)
File "/opt/az/lib/python3.6/site-packages/azure/core/pipeline/_base.py", line 211, in run
return first_node.send(pipeline_request) # type: ignore
File "/opt/az/lib/python3.6/site-packages/azure/core/pipeline/_base.py", line 71, in send
response = self.next.send(request)
File "/opt/az/lib/python3.6/site-packages/azure/core/pipeline/_base.py", line 71, in send
response = self.next.send(request)
File "/opt/az/lib/python3.6/site-packages/azure/core/pipeline/_base.py", line 71, in send
response = self.next.send(request)
[Previous line repeated 3 more times]
File "/opt/az/lib/python3.6/site-packages/azure/core/pipeline/_base.py", line 69, in send
_await_result(self._policy.on_request, request)
File "/opt/az/lib/python3.6/site-packages/azure/core/pipeline/_tools.py", line 29, in await_result
result = func(*args, **kwargs)
File "/opt/az/lib/python3.6/site-packages/azure/core/pipeline/policies/_authentication.py", line 93, in on_request
self._token = self._credential.get_token(*self._scopes)
TypeError: get_token() takes 1 positional argument but 2 were given

Azure Blob Storage
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
1,387 questions
No comments
{count} votes

Accepted answer
  1. answered 2020-09-15T08:12:21.48+00:00
    Jan 101 Reputation points

    It's actually a bug in cli version 2.11.1. It works in version 2.10.1. This was suggested by a similar issue with keyvault: 14941


1 additional answer

Sort by: Most helpful
  1. answered 2020-09-08T21:00:17.69+00:00
    deherman-MSFT 23,446 Reputation points Microsoft Employee

    @Jan
    You need to set $spID after logging in. You can do this by using Azure Resource Manager and get the VM's service principal ID. Afterwards please try running your command minus the "--auth-mode login".

    Alternatively you can access the storage account directly by getting an access token.

    Hopefully this helps, if you are still having issues please let us know.

    -----------------

    Please don’t forget to "Accept the answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.