Search code examples
pythonazureazure-blob-storageazure-storage

Using Azure DataLakeServiceClient to download a file got forbidden response after few minutes success

I want to use Python to download file from OneLake, the file was uploaded within Power BI. I have following code:

from azure.storage.filedatalake import DataLakeServiceClient
from azure.identity import DefaultAzureCredential

WORKSPACE_NAME = "workspace_2"
DATA_PATH = "DataflowsStagingLakehouse.Lakehouse/Files/logo.png"
account_url = f"https://onelake.dfs.fabric.microsoft.com"

token_credential = DefaultAzureCredential()
service_client = DataLakeServiceClient(account_url, credential=token_credential)
file_system_client = service_client.get_file_system_client(WORKSPACE_NAME)
stream = file_system_client.get_file_client(DATA_PATH).download_file()
data = stream.readall()
with open("tmp.png", "wb") as f:
    f.write(data)
  • I have created App registration in Azure portal named Eddie's App 2.
  • I have created Client secrets in Eddie's App 2.
  • I have setup environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET.
  • I have added Eddie's App 2 into my workspace as viewer.

I have successfully downloaded with the code & environment many times, but a few minutes later, it failed, I got following message:

azure.core.exceptions.HttpResponseError: User is not authorized to perform current operation for workspace 'some-uuid-xxxxxxx-xxxxxx' and artifact 'some-uuid-ooooooo-oooooo'
ErrorCode:Forbidden

I didn't change anything.

10:23:29 Success.
10:29:42 Success.
10:37:10 Fail.

Can someone help? thx.

Solution

  • azure.core.exceptions.HttpResponseError: The user is not authorized to perform the current operation for workspace 'some-uuid-xxxxxxx-xxxxxx' and artifact 'some-uuid-ooooooo-oooooo'. ErrorCode: Forbidden.

    Initially, I received the same error when I added my service principal to my workspace as a viewer.

    Error: Enter image description here

    To download files from Azure OneLake, the service principal should have the Contributor role in the workspace.

    Here are the steps to add the Contributor role to the workspace:

    Portal:

    Step 1:

    Enter image description here

    Step 2:

    Enter image description here

    After assigning the role to service principal, I ran the same code, and it executed successfully.

    Code and Output: Enter image description here