
Azure Container access via Python SDK fails with AuthorizationPermissionMismatch but I am owner


I'm trying to list the blobs in a container in Azure Storage in a python script using the Azure SDK.

However, I'm getting the error "AuthorizationPermissionMismatch".

This surprises me, because through the GUI I can list the contents just like that. I am the owner of the container:


and I think that I got all the code right:

from azure.identity import DefaultAzureCredential
from azure.storage.blob import ContainerClient

if __name__ == "__main__":

    client = ContainerClient(
        credential=DefaultAzureCredential(),
        account_url="https://satestblobaccess.blob.core.windows.net",
        container_name="stcnt-test-blob-access"
    )

    blob_names = client.list_blob_names()
    print([b for b in blob_names])

I'm running this in a powershell while I am logged in as myself and the SDK seems to pick up my identity just fine.

So I would expect to get a list of the blob names.

Instead I get the AuthorizationPermissionMismatch error.

It would be great if someone could point out to me how to fix this ...

The output is this (sorry for the mangle, I can't get it to display the line breaks that I see in the powershell output window):

[INFO azure.identity._credentials.environment] No environment configuration found. INFO:azure.identity._credentials.environment:No environment configuration found. [INFO azure.identity._credentials.managed_identity] ManagedIdentityCredential will use IMDS INFO:azure.identity._credentials.managed_identity:ManagedIdentityCredential will use IMDS INFO:azure.core.pipeline.policies.http_logging_policy:Request URL: 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=REDACTED&resource=REDACTED' Request method: 'GET' Request headers: 'User-Agent': 'azsdk-python-identity/1.15.0 Python/3.10.13 (Windows-10-10.0.19045-SP0)' No body was attached to the request DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 169.254.169.254:80 [INFO azure.identity._credentials.chained] DefaultAzureCredential acquired a token from AzureCliCredential INFO:azure.identity._credentials.chained:DefaultAzureCredential acquired a token from AzureCliCredential INFO:azure.core.pipeline.policies.http_logging_policy:Request URL: 'https://satestblobaccess.blob.core.windows.net/stcnt-test-blob-access?restype=REDACTED&comp=REDACTED' Request method: 'GET' Request headers: 'x-ms-version': 'REDACTED' 'Accept': 'application/xml' 'User-Agent': 'azsdk-python-storage-blob/12.19.0 Python/3.10.13 (Windows-10-10.0.19045-SP0)' 'x-ms-date': 'REDACTED' 'x-ms-client-request-id': 'f729fa05-19dd-11ef-ae9a-a434d95f5cd9' 'Authorization': 'REDACTED' No body was attached to the request DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): satestblobaccess.blob.core.windows.net:443 DEBUG:urllib3.connectionpool:https://satestblobaccess.blob.core.windows.net:443 "GET /stcnt-test-blob-access?restype=container&comp=list HTTP/1.1" 403 279 INFO:azure.core.pipeline.policies.http_logging_policy:Response status: 403 Response headers: 'Content-Length': '279' 'Content-Type': 'application/xml' 'Server': 'Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0' 'x-ms-request-id': 
'fc138e07-a01e-0062-75ea-ad615a000000' 'x-ms-client-request-id': 'f729fa05-19dd-11ef-ae9a-a434d95f5cd9' 'x-ms-version': 'REDACTED' 'x-ms-error-code': 'AuthorizationPermissionMismatch' 'Date': 'Fri, 24 May 2024 14:57:44 GMT' Traceback (most recent call last): File "C:\Users\yrdeb\PycharmProjects\test_blob_access_man_ident\main.py", line 30, in File "C:\Users\yrdeb\PycharmProjects\test_blob_access_man_ident\main.py", line 30, in print([b for b in blob_names]) File "C:\Users\yrdeb.conda\envs\env3106\lib\site-packages\azure\core\paging.py", line 123, in next return next(self._page_iterator) File "C:\Users\yrdeb.conda\envs\env3106\lib\site-packages\azure\core\paging.py", line 75, in next self._response = self._get_next(self.continuation_token) File "C:\Users\yrdeb.conda\envs\env3106\lib\site-packages\azure\storage\blob_list_blobs_helper.py", line 179, in _get_next_cb process_storage_error(error) File "C:\Users\yrdeb.conda\envs\env3106\lib\site-packages\azure\storage\blob_shared\response_handlers.py", line 184, in process_storage_error exec("raise error from None") # pylint: disable=exec-used # nosec File "", line 1, in azure.core.exceptions.HttpResponseError: This request is not authorized to perform this operation using this permission. RequestId:fc138e07-a01e-0062-75ea-ad615a000000 Time:2024-05-24T14:57:44.6182291Z Content: AuthorizationPermissionMismatchThis request is not authorized to perform this operation using this permission. RequestId:fc138e07-a01e-0062-75ea-ad615a000000 Time:2024-05-24T14:57:44.6182291Z


Solution

  • AuthorizationPermissionMismatch This request is not authorized to perform this operation using this permission. RequestId: fc138e07-a01e-0062-75ea-ad615a000000 Time: 2024-05-24T14:57:44.6182291Z

    The above error occurs when you don't have proper permission to access the Azure Blob Storage.

    According to this MS-Document,

    To access the blob inside the container, you need to assign yourself or the user the Storage Blob Data Contributor role.

    In my environment, I assigned Storage Blob Data Contributor to the particular container in the portal.


    Now, after assigning the role, I executed the same code in my environment. It worked successfully.

    Code

    from azure.identity import DefaultAzureCredential
    from azure.storage.blob import ContainerClient
    
    if __name__ == "__main__":
    
        client = ContainerClient(
            credential=DefaultAzureCredential(),
            account_url="https://venkat456.blob.core.windows.net",
            container_name="test"
        )
    
        blob_names = client.list_blob_names()
        print([b for b in blob_names])
    

    Output:

    ['Adobe Scan 10-Apr-2024.pdf', 'document.PDF', 'gnupg-2.4.5.tar.bz2.sig', 'industry.csv.gpg', 'sample2.ps1']
    

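Why Owner alone still produces the 403 above, as an added example that is not part of the original question or answer: Azure RBAC role definitions keep management-plane permissions in `actions` and data-plane permissions in `dataActions`, and a request made with a Microsoft Entra token is checked against `dataActions`. The role definitions below are abridged and typed in as sample data, the subscription and resource group are placeholders, and deny assignments, conditions and group membership are ignored.

```python
from fnmatch import fnmatchcase

P = "Microsoft.Storage/storageAccounts/blobServices/"
# Abridged built-in role definitions, typed in as constructed sample data.
ROLES = {
    "Owner": {"actions": ["*"], "dataActions": [], "notDataActions": []},
    "Storage Blob Data Reader": {
        "actions": [P + "containers/read"],
        "dataActions": [P + "containers/blobs/read"],
        "notDataActions": [],
    },
    "Storage Blob Data Contributor": {
        "actions": [P + "containers/read", P + "containers/write", P + "containers/delete"],
        "dataActions": [P + "containers/blobs/" + a
                        for a in ("read", "write", "delete", "add/action", "move/action")],
        "notDataActions": [],
    },
}
# Data action checked for List Blobs when the caller presents a Microsoft Entra token.
LIST_BLOBS = P + "containers/blobs/read"

# Placeholder subscription and resource group; account and container names are from the question.
ACCOUNT = ("/subscriptions/<subscription-id>/resourceGroups/<resource-group>"
           "/providers/Microsoft.Storage/storageAccounts/satestblobaccess")
CONTAINER = ACCOUNT + "/blobServices/default/containers/stcnt-test-blob-access"


def _matches(patterns, action):
    # Role definitions may use '*' wildcards; comparison is case-insensitive.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _in_scope(assignment_scope, resource_id):
    # An assignment applies to its scope and everything beneath it.
    scope, res = assignment_scope.rstrip("/").lower(), resource_id.lower()
    return res == scope or res.startswith(scope + "/")


def roles_granting(assignments, data_action, resource_id):
    """Names of assigned roles whose dataActions allow data_action on resource_id."""
    return [
        name for name, scope in assignments
        if _in_scope(scope, resource_id)
        and _matches(ROLES[name]["dataActions"], data_action)
        and not _matches(ROLES[name]["notDataActions"], data_action)
    ]
```

`roles_granting([("Owner", CONTAINER)], LIST_BLOBS, CONTAINER)` returns an empty list because Owner's `*` sits under `actions` only. When the script only needs to list and read blobs, Storage Blob Data Reader scoped to the container already satisfies the check.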