I'm trying to create a blob container within an Azure storage account with Azure's Python API.
    from azure.identity import DefaultAzureCredential
    from azure.storage.blob import BlobServiceClient

    def create_storage_container(storageAccountName: str, containerName: str):
        print(
            f"Creating storage container '{containerName}'",
            f"in storage account '{storageAccountName}'"
        )
        credentials = DefaultAzureCredential()
        url = f"https://{storageAccountName}.blob.core.windows.net"
        blobClient = BlobServiceClient(account_url=url, credential=credentials)
        containerClient = blobClient.get_container_client(containerName)
        containerClient.create_container()
On create_container() I get the error:

    Exception has occurred: HttpResponseError
    This request is not authorized to perform this operation.
    RequestId:8a3f8af1-101e-0075-3351-074949000000
    Time:2022-12-03T20:00:25.5236364Z
    ErrorCode:AuthorizationFailure
    Content: <?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationFailure</Code><Message>This request is not authorized to perform this operation.
    RequestId:8a3f8af1-101e-0075-3351-074949000000
    Time:2022-12-03T20:00:25.5236364Z</Message></Error>
The storage account was created like so:
    from azure.identity import AzureCliCredential
    from azure.mgmt.storage import StorageManagementClient

    # Creates a storage account if it does not already exist.
    # Returns the name of the storage account.
    def create_storage_account(
        resourceGroupName: str, location: str,
        subscriptionId: str, storageAccountName: str
    ):
        credentials = AzureCliCredential()
        # Why does this have creation powers for storage accounts
        # instead of the ResourceManagementClient?
        storageClient = StorageManagementClient(
            credentials, subscriptionId, "2018-02-01"
        )
        params = {
            "sku": {"name": "Standard_LRS", "tier": "Standard"},
            "kind": "StorageV2",
            "location": location,
            "supportsHttpsTrafficOnly": True,
        }
        result = storageClient.storage_accounts.begin_create(
            resourceGroupName, storageAccountName, params
        )  # type:ignore
        storageAccount = result.result(120)
        print(f"Done creating storage account with name: {storageAccount.name}")
        return storageAccount.name
The storage accounts that are generated like this seem to have completely open network access, so I wouldn't think that would be an issue.
Storage account network settings:
How can I fix this error or create a storage container in another way programmatically?
Thanks
I tried this in my environment and got the same error.
If you are accessing a storage account, you need a role like Storage-blob-contributor or storage-blob-owner.
Go to portal -> storage accounts -> Access Control (IAM) -> Add -> Add role assignments -> storage-blob-contributor or storage-blob-owner.
After assigning the role to my storage account, I executed the same code and it successfully created the container.
Code:
    from azure.storage.blob import BlobServiceClient
    from azure.identity import DefaultAzureCredential

    storageAccountName = "venkat123"
    containerName = "test"

    def create_storage_container():
        print(
            f"Creating storage container '{containerName}'",
            f"in storage account '{storageAccountName}'"
        )
        # Data-plane call: the signed-in identity needs a blob data role
        # on the storage account for this to be authorized.
        credentials = DefaultAzureCredential()
        url = f"https://{storageAccountName}.blob.core.windows.net"
        blobClient = BlobServiceClient(account_url=url, credential=credentials)
        containerClient = blobClient.get_container_client(containerName)
        containerClient.create_container()
        print("Container created")

    create_storage_container()
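On the question's "or create a storage container in another way programmatically": the sketch below is an added example, not code from the question or the answer. It tries the data-plane call first and, only on an authorization error, creates the container through the management plane (`StorageManagementClient.blob_containers.create`), which Azure Resource Manager authorizes. The names `ensure_container`, `build_clients` and `AUTHZ_CODES` are hypothetical, and it assumes the CLI-signed-in identity that created the storage account also holds management rights on it.

```python
# Added example: names below are hypothetical, not from the original post.
# Storage error codes that mean the identity is not authorized on the data plane.
AUTHZ_CODES = {"AuthorizationFailure", "AuthorizationPermissionMismatch"}


def ensure_container(container_client, mgmt_client, resource_group, account, container):
    """Create a container and report which path worked.

    Tries the data plane first (needs a blob data role on the account).
    On an authorization error it uses the management plane instead, which
    Azure Resource Manager authorizes with the caller's ARM permissions.
    """
    try:
        container_client.create_container()
        return "data-plane"
    except Exception as exc:  # HttpResponseError subclasses with the real SDK
        code = getattr(exc, "error_code", None)
        if code == "ContainerAlreadyExists":
            return "exists"
        if code not in AUTHZ_CODES:
            raise  # throttling, bad names, network errors: do not mask them
    # Empty body: the container is created with default properties.
    mgmt_client.blob_containers.create(resource_group, account, container, {})
    return "management-plane"


def build_clients(subscription_id, account, container):
    """Build real clients from the Azure CLI login (same identity for both planes).

    Imports are deferred so this module loads without the Azure SDK installed.
    """
    from azure.identity import AzureCliCredential
    from azure.mgmt.storage import StorageManagementClient
    from azure.storage.blob import BlobServiceClient

    credential = AzureCliCredential()
    url = f"https://{account}.blob.core.windows.net"
    blob_service = BlobServiceClient(account_url=url, credential=credential)
    mgmt_client = StorageManagementClient(credential, subscription_id)
    return blob_service.get_container_client(container), mgmt_client
```

The return value records which plane created the container, so a caller can log when the data-plane role is still missing instead of hiding it.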