node.js azure azure-storage-queues azure-identity

Can't access Storage Queue receiveMessages due to AuthorizationPermissionMismatch


I have accessed Azure Storage Queue methods using ClientSecretCredential, but when calling the queue's receiveMessages, peekMessages and deleteMessages it gives me this error:

RestError: This request is not authorized to perform this operation using this permission. RequestId:c92577923e-a603-0004-61c0-f70a19000

Here is my Node.js code:

const { QueueServiceClient } = require("@azure/storage-queue");
const { ClientSecretCredential } = require("@azure/identity");
async function getQueueMessages() {
  try {
    let myStorageAccount = "hellostorage";
    // tenantId, app_id and SecretKey are defined elsewhere (values not shown in the post)
    const credential = new ClientSecretCredential(tenantId, app_id, SecretKey);
    const queueServiceClient = new QueueServiceClient(
      `https://${myStorageAccount}.queue.core.windows.net`,
      credential
    );
    const queueName = "hello-queue";
    const queueClient = queueServiceClient.getQueueClient(queueName);
    const response = await queueClient.receiveMessages(10);
    console.log("response: ", response);
  } catch (error) {
    console.log("error: ", error);
  }
}
getQueueMessages();

Here is my App permission: [screenshot]


Solution

  • The screenshot you shared essentially allows your Service Principal to acquire a token for your Storage Accounts. It does not give you permissions to perform operations on a Storage Account, and this is why you are getting this error.

    What you would need to do is give appropriate data-related permissions to your Service Principal on a Storage Account. Please see this link for the appropriate RBAC roles that you must assign to your Service Principal to perform data-related operations: https://learn.microsoft.com/en-us/rest/api/storageservices/authorize-with-azure-active-directory#manage-access-rights-with-rbac.

    You can try with Storage Queue Data Message Processor or Storage Queue Data Contributor roles.

    After you apply appropriate roles, you should be able to perform the operations.
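
The distinction drawn in the answer (a token that is issued correctly versus a principal with no data role) can be checked in code. The following is an added example, not part of the original answer: `diagnoseQueueError`, `decodeClaims` and `makeSampleJwt` are hypothetical helpers, the sample token and error object are constructed, and it assumes the failed call's error carries `statusCode` and either `code` or `details.errorCode`.

```javascript
// Added example. Sample token and error below are constructed, not real values.
// Assumption: tokens for Storage carry one of these audiences.
const isStorageAudience = (aud) =>
  aud === "https://storage.azure.com" || /\.queue\.core\.windows\.net$/.test(aud);

// Decode JWT claims for diagnostics only; the signature is NOT verified here.
function decodeClaims(jwt) {
  const payload = jwt.split(".")[1];
  if (!payload) throw new Error("not a JWT");
  const b64 = payload.replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Classify a failed queue call from the error and the bearer token that was sent.
function diagnoseQueueError(err, jwt) {
  const claims = decodeClaims(jwt);
  const principal = claims.oid; // object id of the service principal behind the token
  const aud = String(claims.aud || "").replace(/\/$/, "");
  const code = err.code || (err.details && err.details.errorCode);
  if (!isStorageAudience(aud)) return { cause: "wrong-audience", principal };
  if (err.statusCode === 403 && code === "AuthorizationPermissionMismatch") {
    // Token is valid for Storage; the principal has no data-plane RBAC role.
    return {
      cause: "missing-data-role",
      principal,
      fix: "assign Storage Queue Data Message Processor or Storage Queue Data Contributor",
    };
  }
  if (err.statusCode === 401) return { cause: "authentication", principal };
  return { cause: "other", principal };
}

// Constructed helper: builds an unsigned sample token so the demo runs offline.
function makeSampleJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none" })}.${enc(claims)}.`;
}

const sampleJwt = makeSampleJwt({
  aud: "https://storage.azure.com",
  oid: "00000000-0000-0000-0000-000000000001", // constructed object id
});
const sampleErr = { statusCode: 403, code: "AuthorizationPermissionMismatch" };
console.log(diagnoseQueueError(sampleErr, sampleJwt));
```

With the question's `credential`, the token to inspect comes from `credential.getToken("https://storage.azure.com/.default")`, whose `token` field is the JWT. The `principal` value returned is the object the role assignment has to target.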