Tags: azure, azure-storage-queues, azure-identity

How to write message into Azure storage queue with DefaultAzureCredential


Following issue: The code snippet below works up to the point where the queue is created with queue.createIfNotExists();:

import com.azure.identity.DefaultAzureCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.storage.queue.QueueClient;
import com.azure.storage.queue.QueueClientBuilder;
import com.azure.storage.queue.models.*;

// Boilerplate main code    

public static String createQueue()
{
    try
    {
        // Create a unique name for the queue
        String queueName = "some-crazy-queue";
        System.out.println("Creating queue: " + queueName);
        // DefaultAzureCredential picks up the local "az login" session when run
        // on a developer machine (and a managed identity when run in Azure)
        DefaultAzureCredential cred = new DefaultAzureCredentialBuilder().build();
        // Instantiate a QueueClient which will be
        // used to create and manipulate the queue
        QueueClient queue = new QueueClientBuilder()
                .credential(cred)
                .endpoint("https://stmyawesomestoragequeuetest.queue.core.windows.net/")
                .queueName(queueName)
                .buildClient();

        // Creating the queue succeeds; sending the message fails with 403
        queue.createIfNotExists();
        queue.sendMessage("John Doe");
        return queue.getQueueName();
    }
    catch (QueueStorageException e)
    {
        System.out.println("Error code: " + e.getErrorCode() + " Message: " + e.getMessage());
        return null;
    }
}

Note that I use DefaultAzureCredentialBuilder (Azure Identity), and I am locally logged in with Azure CLI (az login ...). But sendMessage("...") fails:

Error code: AuthorizationPermissionMismatchMessage: If you are using a StorageSharedKeyCredential, and the server returned an error message that says 'Signature did not match', you can compare the string to sign with the one generated by the SDK. To log the string to sign, pass in the context key value pair 'Azure-Storage-Log-String-To-Sign': true to the appropriate method call. If you are using a SAS token, and the server returned an error message that says 'Signature did not match', you can compare the string to sign with the one generated by the SDK. To log the string to sign, pass in the context key value pair 'Azure-Storage-Log-String-To-Sign': true to the appropriate generateSas method call. Please remember to disable 'Azure-Storage-Log-String-To-Sign' before going to production as this string can potentially contain PII. Status code 403, "AuthorizationPermissionMismatchThis request is not authorized to perform this operation using this permission. RequestId:1768bd8b-5003-0011-75e5-7933bb000000 Time:2023-04-28T15:20:49.6063051Z" null

Why does sending of the message not work, when the creation of the queue itself works?


Solution

  • ... a bit embarrassing, but 10 mins later I figured: it is not enough to be Owner of the Storage Account; the role "Storage Queue Data Contributor" is needed too!

    I hope this will help somebody else ...
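The reason behind the answer is that the built-in Owner role carries only control-plane Actions (enough to create the queue resource), while writing a message is a DataAction that only a data-plane role such as "Storage Queue Data Contributor" grants. The following Azure CLI script is an added example, not part of the question or answer: it assigns that role to the signed-in user at the scope of a single queue (the narrowest scope possible, so the principal gets no access to other queues or to blobs), then lists the assignments to confirm. The subscription id and resource group are placeholders; the storage account and queue name are taken from the question.

```shell
#!/bin/sh
# Added example: grant the data-plane role at the scope of one queue.
# Placeholders: <subscription-id>, <resource-group>. Requires "az login".
set -eu

AZ="${AZ:-az}"   # set AZ=echo to dry-run and only print the commands

# Build the resource id of one queue; roles can be assigned at this scope.
queue_scope() {
    sub="$1"; rg="$2"; acct="$3"; queue="$4"
    printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s/queueServices/default/queues/%s' \
        "$sub" "$rg" "$acct" "$queue"
}

# Assign a data-plane role to a principal (object id) at the given scope.
# Principal type is "User" for an az-login session, "ServicePrincipal" for
# a managed identity or app registration.
assign_queue_role() {
    principal="$1"; scope="$2"
    role="${3:-Storage Queue Data Contributor}"
    ptype="${4:-User}"
    "$AZ" role assignment create \
        --role "$role" \
        --assignee-object-id "$principal" \
        --assignee-principal-type "$ptype" \
        --scope "$scope"
}

# List the role names the principal holds at that scope, to verify.
check_queue_role() {
    principal="$1"; scope="$2"
    "$AZ" role assignment list --assignee "$principal" --scope "$scope" \
        --query "[].roleDefinitionName" -o tsv
}

# Live run only when explicitly requested, so the script is safe to source.
if [ "${RUN_EXAMPLE:-0}" = "1" ]; then
    me="$("$AZ" ad signed-in-user show --query id -o tsv)"
    scope="$(queue_scope "<subscription-id>" "<resource-group>" \
        "stmyawesomestoragequeuetest" "some-crazy-queue")"
    assign_queue_role "$me" "$scope"
    # A new assignment can take a few minutes to propagate before
    # sendMessage() stops returning 403.
    check_queue_role "$me" "$scope"
fi
```

Run it with RUN_EXAMPLE=1 after filling in the placeholders; for a managed identity pass "ServicePrincipal" as the fourth argument of assign_queue_role.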