Accessing blob storage using azure CLI with managed identity

Jan 101 Reputation points
2020-09-08T11:25:14.593+00:00

I wanted to access blob storage with a managed system identity using the azure cli. Steps:

  • Create Ubuntu VM and assign managed system identity + roles
  • Log into VM
  • Install azure cli
  • Run: az login --identity (successful)
  • Run: az storage blob list -c <my_container_name> --account-name <my_account_name> --auth-mode login

Resulting error and stack trace are mentioned below. Is this a bug or am I doing something wrong?

The command failed with an unexpected error. Here is the traceback:

get_token() takes 1 positional argument but 2 were given
Traceback (most recent call last):
  File "/opt/az/lib/python3.6/site-packages/knack/cli.py", line 215, in invoke
    cmd_result = self.invocation.execute(args)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 654, in execute
    raise ex
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 718, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 709, in _run_job
    cmd_copy.exception_handler(ex)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/storage/__init__.py", line 334, in new_handler
    raise ex
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 688, in _run_job
    result = cmd_copy(params)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/commands/__init__.py", line 325, in __call__
    return self.handler(*args, **kwargs)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/core/__init__.py", line 782, in default_command_handler
    return op(**command_args)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/storage/operations/blob.py", line 67, in list_blobs
    result = list_generator(pages=pages, num_results=num_results)
  File "/opt/az/lib/python3.6/site-packages/azure/cli/command_modules/storage/track2_util.py", line 67, in list_generator
    page = list(next(pages))
  File "/opt/az/lib/python3.6/site-packages/azure/core/paging.py", line 74, in __next__
    self._response = self._get_next(self.continuation_token)
  File "/opt/az/lib/python3.6/site-packages/azure/multiapi/storagev2/blob/v2019_12_12/_list_blobs_helper.py", line 76, in _get_next_cb
    use_location=self.location_mode)
  File "/opt/az/lib/python3.6/site-packages/azure/multiapi/storagev2/blob/v2019_12_12/_generated/operations/_container_operations.py", line 1211, in list_blob_flat_segment
    pipeline_response = self._client._pipeline.run(request, stream=False, **kwargs)
  File "/opt/az/lib/python3.6/site-packages/azure/core/pipeline/_base.py", line 211, in run
    return first_node.send(pipeline_request) # type: ignore
  File "/opt/az/lib/python3.6/site-packages/azure/core/pipeline/_base.py", line 71, in send
    response = self.next.send(request)
  File "/opt/az/lib/python3.6/site-packages/azure/core/pipeline/_base.py", line 71, in send
    response = self.next.send(request)
  File "/opt/az/lib/python3.6/site-packages/azure/core/pipeline/_base.py", line 71, in send
    response = self.next.send(request)
  [Previous line repeated 3 more times]
  File "/opt/az/lib/python3.6/site-packages/azure/core/pipeline/_base.py", line 69, in send
    _await_result(self._policy.on_request, request)
  File "/opt/az/lib/python3.6/site-packages/azure/core/pipeline/_tools.py", line 29, in await_result
    result = func(*args, **kwargs)
  File "/opt/az/lib/python3.6/site-packages/azure/core/pipeline/policies/_authentication.py", line 93, in on_request
    self._token = self._credential.get_token(*self._scopes)
TypeError: get_token() takes 1 positional argument but 2 were given


Accepted answer
  1. Jan 101 Reputation points
    2020-09-15T08:12:21.48+00:00

    It's actually a bug in cli version 2.11.1. It works in version 2.10.1. This was suggested by a similar issue with keyvault: 14941

    1 person found this answer helpful.

1 additional answer

  1. deherman-MSFT 38,021 Reputation points Microsoft Employee Moderator
    2020-09-08T21:00:17.69+00:00

    @Jan
    You need to set $spID after logging in. You can do this by using Azure Resource Manager to get the VM's service principal ID. Afterwards, please try running your command minus the "--auth-mode login".

    Alternatively you can access the storage account directly by getting an access token.

    Hopefully this helps. If you are still having issues, please let us know.

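The token-based access mentioned in the answer above, as an added example that is not part of the original thread and not code from the Azure CLI: it requests a storage-audience token from the VM's instance metadata endpoint and calls the Blob service's List Blobs REST operation with it. The function names and the sample XML are constructed for illustration; the endpoint, `api-version`, `resource` and `x-ms-version` values are the documented ones for managed identities and OAuth access to Blob Storage.

```python
import json
import re
import sys
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

IMDS_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
STORAGE_RESOURCE = "https://storage.azure.com/"

def imds_token_request():
    """Token request to the VM-local metadata endpoint, scoped to the storage audience."""
    query = urllib.parse.urlencode({"api-version": "2018-02-01", "resource": STORAGE_RESOURCE})
    return urllib.request.Request(f"{IMDS_URL}?{query}", headers={"Metadata": "true"})

def list_blobs_request(account, container, token):
    """List Blobs REST call authorized with the bearer token instead of an account key."""
    # Enforce Azure naming rules so caller input cannot alter the host or path.
    if not re.fullmatch(r"[a-z0-9]{3,24}", account):
        raise ValueError("invalid storage account name")
    if not (3 <= len(container) <= 63 and re.fullmatch(r"[a-z0-9]+(?:-[a-z0-9]+)*", container)):
        raise ValueError("invalid container name")
    url = f"https://{account}.blob.core.windows.net/{container}?restype=container&comp=list"
    headers = {"Authorization": f"Bearer {token}", "x-ms-version": "2017-11-09"}
    return urllib.request.Request(url, headers=headers)

def blob_names(xml_body):
    """Extract blob names from a List Blobs XML response."""
    return [n.text for n in ET.fromstring(xml_body).iterfind("./Blobs/Blob/Name")]

# Constructed sample response (not captured from a real account).
SAMPLE_XML = """<EnumerationResults ContainerName="demo">
  <Blobs>
    <Blob><Name>logs/2020-09-08.json</Name></Blob>
    <Blob><Name>report.pdf</Name></Blob>
  </Blobs>
  <NextMarker />
</EnumerationResults>"""

if __name__ == "__main__":  # live run on the VM: python3 script.py <account> <container>
    account, container = sys.argv[1:3]
    with urllib.request.urlopen(imds_token_request(), timeout=5) as resp:
        token = json.load(resp)["access_token"]  # bearer secret: never print or log it
    with urllib.request.urlopen(list_blobs_request(account, container, token), timeout=10) as resp:
        print("\n".join(blob_names(resp.read())))
```

The VM's identity still needs a data-plane role on the account or container, such as Storage Blob Data Reader, for the list call to be authorized.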

