REST api for Azure DataLake Storage Service Principal not possible to use folder-specific access
I'm trying to configure folder-specific access to adls (gen2) storage using app registration (active directory/service principal) auth. It works well when I'm using RBAC configuration to the whole storage/container, but I still got a 403 error when I'm configuring the access (read+execute) even to the root folder. Here are the steps I did during my configuration:
- I created app registration, create a secret for it and add an API permission to blob storages and adls:
- In the root directory of my storage account the I add the ACL (Access control list) for Read and Execute access.
- Using postman I got the Oauth token for my application and trying to execute a GET request for the container to get the list of files in the directory using the URL from the azure docs (https://learn.microsoft.com/en-us/rest/api/storageservices/datalakestoragegen2/path/list) :
And got the error:
{
"error": {
"code": "AuthorizationPermissionMismatch",
"message": "This request is not authorized to perform this operation using this permission.\nRequestId:12401499-f01f-0105-2a98-327246000000\nTime:2021-04-16T08:15:07.8676657Z"
}
}
And it works when I set RBAC (IAM) access to the whole container instead of ACL. What should I also add in my configuration to use folder-specific access for the service principal account?
I can also reproduce your issue on my side, from your request url, you want to do operation List /abc/d/, so to solve the issue, you need to give the ACL permissions like below.
| Operation | / | abc/ | d/ |
|---|---|---|---|
| List /abc/d/ | --X |
--X |
R-X |
You have already given the R-X(actually--x is enough) permission at the container( i.e. /), so you just need to give --X at abc directory and R-X at d directory, then it will work fine.
To give the ACL permissions to the directory, refer to the screenshot below.
See reference - Common scenarios related to ACL permissions, your case is the same as the last one.
Test(The command essentially calls the REST API you used):
- Invalid operands found for operator -eq
- Adding custom headers to Azure Functions response
- Azure Queue Trigger is hit but not executing the logic inside of it
- az cli not showing redisenterprise keys
- Enforce MFA for specific API called from SPFx via AADTokenProvider (Even with SPO MFA)
- Azure Devops Server Pipelines: Any way to have a Stage result as "Succeeded" even if a constituent Job reported "SucceededWithIssues"?
- YAML strings including special characters % and & were not printed correctly for Windows environment
- Azure function returns error: No job functions found. Try making your job classes and methods public
- How to view Oldest Query results in Azure Monitor Metrics for an Azure PostgreSQL Flex Server instance
- Authenticate to Azure with certificate from Linux
- What are the minimum Azure permissions required to publish a Power BI report using "App Owns the Data"?
- Refresh an Azure search index
- Best way to clean up resources in StatefulService
- Azure Function App - No continuous deployment setting for "Flex Consumption" hosting plan?
- Query Azure SQL Database using Rest-API
- How to create a feature burndown chart in Azure DevOps?
- Why is this "call is ambiguous between the following methods or properties" when calling ValidateOnStart?
- How to write a Bicep API Connection formrecognizer with api key
- Where can I find docker container logs for Azure App Service
- will looping GetBlobsAsync() but doing nothing in the loop body read the contents of the blob
- Connect to OneDrive using Python (msal) and client secret
- How to debug ServiceBus-triggered Azure Function locally?
- Does Azure Cognitive Services support (detect and compare) Handwritten Signatures and Stamps from two images?
- Modify ARM-Template for quick deployment
- Does anyone have implemented auxiliary logs deployment in sentinel?
- Get request headers in azure functions NodeJs Http Trigger
- Filter specific items that are alone in an array of Collection String in Azure Search
- Trouble obtaining access token for managed identity with application role
- Azure Autoscaling Duration Time and Cool Down Time
- Partition Key for Cosmos DB