Tags: azure, .net-core, azure-blob-storage, azure-storage, azure-sas

Azure blob read SAS token throws AuthorizationPermissionMismatch exception


I'm trying to generate a SAS token for a blob, so that any user with the token can read the blob. Below is the code I have. I get an exception when I try to read the blob. If I grant "Storage Blob Data Reader" access to the user, then it works. My understanding is that a user with a SAS token should be able to read the blob without granting specific permission. What am I missing here?

    using System;
    using System.Threading.Tasks;
    using Azure.Identity;
    using Azure.Storage.Blobs;
    using Azure.Storage.Blobs.Models;
    using Azure.Storage.Sas;

    public static class Repro
    {
        // The fragment from the question, wrapped in a method so it compiles as posted.
        public static async Task ReadWithUserDelegationSasAsync()
        {
            BlobServiceClient blobServiceClient = new BlobServiceClient(
                new Uri("https://accountname.blob.core.windows.net/"), new DefaultAzureCredential());

            // The delegation key is issued on behalf of the identity DefaultAzureCredential resolves to.
            UserDelegationKey key = await blobServiceClient.GetUserDelegationKeyAsync(
                DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1));

            BlobSasBuilder sasBuilder = new BlobSasBuilder()
            {
                BlobContainerName = "containerName",
                BlobName = "file.json",
                Resource = "b",
                StartsOn = DateTimeOffset.UtcNow,
                ExpiresOn = DateTimeOffset.UtcNow.AddHours(1)
            };
            sasBuilder.SetPermissions(BlobSasPermissions.Read);

            // Sign the SAS with the delegation key and build the blob URL carrying it.
            string sasToken = sasBuilder.ToSasQueryParameters(key, "accountname").ToString();
            UriBuilder fullUri = new UriBuilder()
            {
                Scheme = "https",
                Host = string.Format("{0}.blob.core.windows.net", "accountname"),
                Path = string.Format("{0}/{1}", "containerName", "file.json"),
                Query = sasToken
            };

            // Anonymous client: the SAS in the query string is the only credential.
            var blobClient = new BlobClient(fullUri.Uri);

            using (var stream = await blobClient.OpenReadAsync())  // throws exception
            { }
        }
    }

Exception: Service request failed. Status: 403 (This request is not authorized to perform this operation using this permission.) ErrorCode: AuthorizationPermissionMismatch


Solution

  • I believe you are getting this error because the user for which you are getting the user delegation key does not have permissions to access the data in the storage account.

    Assigning Owner permission enables the user to manage the storage account itself; it does not give them permissions to manage the data.

    Please try by assigning the user one of the data roles described here: https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory#azure-built-in-roles-for-blobs.

    To learn more about RBAC roles to manage data, please see this link: https://learn.microsoft.com/en-us/azure/storage/blobs/assign-azure-role-data-access?tabs=portal.
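As an added example (not code from the question or the answer), the same flow with the permission requirement made explicit: a user delegation SAS is signed on behalf of the Azure AD identity that requested the key, so it can never grant more than that identity's own data-plane rights, and a pre-flight read surfaces a missing role at issue time instead of for whoever holds the token. The class, method and parameter names are assumptions; the packages are the Azure.Storage.Blobs and Azure.Identity ones the question already uses.

```csharp
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Models;
using Azure.Storage.Sas;

public static class ReadSasIssuer
{
    // Hypothetical helper (added example): mints a short-lived, read-only user delegation SAS for one blob.
    // The identity DefaultAzureCredential resolves to must hold a data-plane role (e.g. Storage Blob
    // Data Reader) on the blob's scope; the SAS cannot grant anything that identity lacks.
    public static async Task<Uri> IssueReadSasAsync(
        string accountName, string containerName, string blobName, TimeSpan lifetime)
    {
        var serviceClient = new BlobServiceClient(
            new Uri($"https://{accountName}.blob.core.windows.net/"), new DefaultAzureCredential());
        BlobClient blobClient = serviceClient.GetBlobContainerClient(containerName).GetBlobClient(blobName);

        // Pre-flight: prove the signing identity can read the blob before a token is handed out.
        // A 403 here is the same AuthorizationPermissionMismatch the issued SAS would hit later.
        try
        {
            await blobClient.GetPropertiesAsync();
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            throw new InvalidOperationException(
                $"Signing identity cannot read '{containerName}/{blobName}' ({ex.ErrorCode}); " +
                "assign Storage Blob Data Reader (or a broader data role) on that scope first.", ex);
        }

        DateTimeOffset now = DateTimeOffset.UtcNow;
        DateTimeOffset startsOn = now.AddMinutes(-5);   // tolerate clock skew between issuer and service
        DateTimeOffset expiresOn = now.Add(lifetime);   // keep this short; a delegation key is capped at 7 days

        // The key's validity must span the whole SAS window, so request it for exactly that window.
        UserDelegationKey key = await serviceClient.GetUserDelegationKeyAsync(startsOn, expiresOn);

        var sasBuilder = new BlobSasBuilder(BlobSasPermissions.Read, expiresOn)
        {
            BlobContainerName = containerName,
            BlobName = blobName,
            Resource = "b",
            StartsOn = startsOn,
        };
        // BlobUriBuilder attaches the SAS query parameters without manual string building.
        var uriBuilder = new BlobUriBuilder(blobClient.Uri) { Sas = sasBuilder.ToSasQueryParameters(key, accountName) };
        return uriBuilder.ToUri();
    }
}
```

The returned URI can be opened with `new BlobClient(uri)` and no other credential, exactly as in the question; the role assignment on the signing identity is what makes the read succeed.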