What are the proper scopes for create share with control plane api and create file with data plane api at Azure File?
I successfully created a share with the control plane API:
PUT /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{accountName}/fileServices/default/shares/sharename?api-version=2023-01-01 HTTP/1.1
Host: management.azure.com
Authorization: Bearer token
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 17
x-ms-date: Thu, 18 Apr 2024 09:26:55 GMT
x-ms-version: 2023-01-01
, But When I create a file at this share with the same bearer token, I get an error "Server Error [AuthenticationFailed]: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.".
The HTTP request to create file:
PUT /sharename/original.dat HTTP/1.1
Host: ***.file.core.windows.net
Authorization: Bearer token
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 0
x-ms-type: file
x-ms-content-length: 26214400
x-ms-version: 2022-11-02
x-ms-file-request-intent: backup
If I change the OAuth scope to "offline_access https://{account}.file.core.windows.net/user_impersonation" and get a new Bearer token for creating files, I will create the file successfully.
So,
a) Does the Bearer token get from OAuth scope: "https://management.azure.com/user_impersonation" cannot use for data plane API?
b) How can I create share and create files with once OAuth authentication? I tried to use multi OAuth scopes like this "offline_access https://{account}.file.core.windows.net/user_impersonation https://management.azure.com/user_impersonation"
and I get an error " Provided value for the input parameter scope cannot be empty when requesting an access token using the provided authorization code. Please specify a valid scope.".
Does the Bearer token get from OAuth scope: "https://management.azure.com/user_impersonation" cannot use for data plane API?
No, you cannot use bearer token having Azure Management API scope for data plane API call which throws Audience failed error like this:
PUT https://{account}.file.core.windows.net/sharename/testfile.dat
How can I create share and create files with once OAuth authentication?
It's not possible to get single access token with multiple OAuth scopes. The scope for token generation should match the host value of API calls.
When I tried to generate the token with multiple OAuth scopes, I too got similar error like this:
POST https://login.microsoftonline.com/tenantID/oauth2/v2.0/token
grant_type:authorization_code
client_id:appID
client_secret:secret
scope:offline_access https://{account}.file.core.windows.net/user_impersonation https://management.azure.com/user_impersonation
code:code
redirect_uri: https://jwt.ms
Response:
As of now, the only way is to generate bearer tokens separately with scope matching the host value of API calls as below:
POST https://login.microsoftonline.com/tenantID/oauth2/v2.0/token
grant_type:authorization_code
client_id:appID
client_secret:secret
scope: https://{account}.file.core.windows.net/user_impersonation
code:code
redirect_uri: https://jwt.ms
Response:
You can decode this token in jwt.ms website and check aud claim value whether it matches host value of API or not:
When I used this token to create file in file share, I got the response with 201 Created code:
PUT /testshare/testfile.dat HTTP/1.1
Host: ***.file.core.windows.net
Authorization: Bearer <token>
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 0
x-ms-type: file
x-ms-content-length: 26214400
x-ms-version: 2022-11-02
x-ms-file-request-intent: backup
Response:
To confirm that, I checked the same in Portal where file created successfully like this:
Reference: Access Token With multiple API Scopes - Stack Overflow by juunas
- How to resolve paging when retrieving data from REST API in R
- SearchService deployment fails if the resource exists
- Azure Bicep - Referencing a variable that cannot be calculated at the start
- Local development with Azure SignalR Service and Azure Functions
- Azure Functions & Application Insights requests "Operation Link" empty
- Disabling allow public blob access using terraform
- how to retrieve all resources under given subnet using Azure Resource Graph Explorer query
- I'm using SSIS in ADF to move .csv from a blob container to another and then ingest into a Azure SQL database. I get an assembly error
- How to build expression in ADF from json using parameterized variable?
- Reference a variable azure pipeline not working
- Graph Powershell adding a user to PIM for a privileged security group
- Indexing static HTML blob storage content with Azure Cognitive Search is not working as expected
- Azure python webapp deploy shows as running even though it is successful
- Azure pipeline get Pull request source and target branch name
- Error while copying Azure Storage table from one Storage to another storage table using Powershell script
- Azure Function App Fails to Delete Blob Image After Deployment
- Use Azure AD authentication but manage roles in database in .NET 6
- Microsoft Azure VMs IaaS or PaaS?
- Can an application property be updated/deleted from a ServiceBusReceivedMessage?
- Why is my Blazor Web App throwing a SocketException when authenticating with OpenIddict when deployed to Azure App Service?
- RPC failed: curl 56 failure when receiving data from the peer
- Read 'Attribute & Claims' from SAML Entra application configuration using PowerShell
- Reading Excel file returns 'Invalid Request' error
- Is it possible to clone an Azure Container App?
- Unable to Enable Encryption at host for Azure VM
- Application Insights does not capture information level logging
- How to look up logical partition count and size in Cosmos DB
- AzureRmWebAppDeployment@4 tries to deploy to a wrong URL to Linux app plan
- Azure B2C client credentials flow throws invalid_grant AADB2C90085
- Why I can't create azurerm_app_service connection?