I'm trying to list the blobs in a container in Azure Storage in a Python script using the Azure SDK.
However, I'm getting the error "AuthorizationPermissionMismatch".
This surprises me, because through the GUI I can list the contents just like that. I am the owner of the container:
and I think that I got all the code right:
from azure.identity import DefaultAzureCredential
from azure.storage.blob import ContainerClient

if __name__ == "__main__":
    client = ContainerClient(
        credential=DefaultAzureCredential(),
        account_url="https://satestblobaccess.blob.core.windows.net",
        container_name="stcnt-test-blob-access"
    )
    blob_names = client.list_blob_names()
    print([b for b in blob_names])
I'm running this in PowerShell while I am logged in as myself and the SDK seems to pick up my identity just fine.
So I would expect to get a list of the blob names.
Instead I get the AuthorizationPermissionMismatch error.
It would be great if someone could point out to me how to fix this ...
The output is this (sorry for the mangle, I can't get it to display the line breaks that I see in the PowerShell output window):
[INFO azure.identity._credentials.environment] No environment configuration found.
INFO:azure.identity._credentials.environment:No environment configuration found.
[INFO azure.identity._credentials.managed_identity] ManagedIdentityCredential will use IMDS
INFO:azure.identity._credentials.managed_identity:ManagedIdentityCredential will use IMDS
INFO:azure.core.pipeline.policies.http_logging_policy:Request URL: 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=REDACTED&resource=REDACTED'
Request method: 'GET'
Request headers:
    'User-Agent': 'azsdk-python-identity/1.15.0 Python/3.10.13 (Windows-10-10.0.19045-SP0)'
No body was attached to the request
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): 169.254.169.254:80
[INFO azure.identity._credentials.chained] DefaultAzureCredential acquired a token from AzureCliCredential
INFO:azure.identity._credentials.chained:DefaultAzureCredential acquired a token from AzureCliCredential
INFO:azure.core.pipeline.policies.http_logging_policy:Request URL: 'https://satestblobaccess.blob.core.windows.net/stcnt-test-blob-access?restype=REDACTED&comp=REDACTED'
Request method: 'GET'
Request headers:
    'x-ms-version': 'REDACTED'
    'Accept': 'application/xml'
    'User-Agent': 'azsdk-python-storage-blob/12.19.0 Python/3.10.13 (Windows-10-10.0.19045-SP0)'
    'x-ms-date': 'REDACTED'
    'x-ms-client-request-id': 'f729fa05-19dd-11ef-ae9a-a434d95f5cd9'
    'Authorization': 'REDACTED'
No body was attached to the request
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): satestblobaccess.blob.core.windows.net:443
DEBUG:urllib3.connectionpool:https://satestblobaccess.blob.core.windows.net:443 "GET /stcnt-test-blob-access?restype=container&comp=list HTTP/1.1" 403 279
INFO:azure.core.pipeline.policies.http_logging_policy:Response status: 403
Response headers:
    'Content-Length': '279'
    'Content-Type': 'application/xml'
    'Server': 'Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0'
    'x-ms-request-id': 'fc138e07-a01e-0062-75ea-ad615a000000'
    'x-ms-client-request-id': 'f729fa05-19dd-11ef-ae9a-a434d95f5cd9'
    'x-ms-version': 'REDACTED'
    'x-ms-error-code': 'AuthorizationPermissionMismatch'
    'Date': 'Fri, 24 May 2024 14:57:44 GMT'
Traceback (most recent call last):
  File "C:\Users\yrdeb\PycharmProjects\test_blob_access_man_ident\main.py", line 30, in
  File "C:\Users\yrdeb\PycharmProjects\test_blob_access_man_ident\main.py", line 30, in
    print([b for b in blob_names])
  File "C:\Users\yrdeb.conda\envs\env3106\lib\site-packages\azure\core\paging.py", line 123, in next
    return next(self._page_iterator)
  File "C:\Users\yrdeb.conda\envs\env3106\lib\site-packages\azure\core\paging.py", line 75, in next
    self._response = self._get_next(self.continuation_token)
  File "C:\Users\yrdeb.conda\envs\env3106\lib\site-packages\azure\storage\blob_list_blobs_helper.py", line 179, in _get_next_cb
    process_storage_error(error)
  File "C:\Users\yrdeb.conda\envs\env3106\lib\site-packages\azure\storage\blob_shared\response_handlers.py", line 184, in process_storage_error
    exec("raise error from None") # pylint: disable=exec-used # nosec
  File "", line 1, in
azure.core.exceptions.HttpResponseError: This request is not authorized to perform this operation using this permission.
RequestId:fc138e07-a01e-0062-75ea-ad615a000000
Time:2024-05-24T14:57:44.6182291Z
Content:
AuthorizationPermissionMismatch
This request is not authorized to perform this operation using this permission. RequestId:fc138e07-a01e-0062-75ea-ad615a000000 Time:2024-05-24T14:57:44.6182291Z
AuthorizationPermissionMismatch
This request is not authorized to perform this operation using this permission. RequestId: fc138e07-a01e-0062-75ea-ad615a000000 Time: 2024-05-24T14:57:44.6182291Z
The above error occurs when you don't have proper permission to access the Azure Blob Storage.
According to this MS-Document, to access the blob inside the container, you need to assign yourself or the user the Storage Blob Data Contributor role.
In my environment, I assigned Storage Blob Data Contributor to the particular container in the portal.
Portal:
Now, after assigning the role, I executed the same code in my environment. It worked successfully.
Code
from azure.identity import DefaultAzureCredential
from azure.storage.blob import ContainerClient

if __name__ == "__main__":
    client = ContainerClient(
        credential=DefaultAzureCredential(),
        account_url="https://venkat456.blob.core.windows.net",
        container_name="test"
    )
    blob_names = client.list_blob_names()
    print([b for b in blob_names])
Output:
['Adobe Scan 10-Apr-2024.pdf', 'document.PDF', 'gnupg-2.4.5.tar.bz2.sig', 'industry.csv.gpg', 'sample2.ps1']
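An added example (not part of the question or the answer above) that models why Owner alone produces this 403: Azure RBAC evaluates a role's dataActions for token-authorized blob reads, Owner has none, and the read-only Storage Blob Data Reader role is already enough for listing. The role table is an abridged, constructed subset, the assignment records only mimic the `principalId`, `roleDefinitionName` and `scope` fields of `az role assignment list` output, and the subscription ID, resource group and principal ID are placeholders.

```python
from fnmatch import fnmatchcase

# Data action that the List Blobs operation requires under Azure RBAC.
BLOBS = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs"
LIST_BLOBS = BLOBS + "/read"

# Abridged built-in role definitions (constructed subset, only the fields used here).
ROLES = {
    "Owner": {"actions": ["*"], "dataActions": []},
    "Storage Blob Data Reader": {"dataActions": [BLOBS + "/read"]},
    "Storage Blob Data Contributor": {
        "dataActions": [BLOBS + "/read", BLOBS + "/write", BLOBS + "/delete"]},
}

def covers(assignment_scope, resource_scope):
    """An assignment applies to its own scope and to every scope nested below it."""
    a = assignment_scope.rstrip("/").lower()
    r = resource_scope.rstrip("/").lower()
    return r == a or r.startswith(a + "/")

def roles_granting(assignments, principal_id, resource_scope, data_action=LIST_BLOBS):
    """Names of the principal's roles whose dataActions allow data_action at the scope.

    Management-plane "actions" are deliberately ignored: they never authorize
    data-plane requests made with a Microsoft Entra ID token.
    """
    granted = []
    for a in assignments:
        if a["principalId"] != principal_id or not covers(a["scope"], resource_scope):
            continue
        patterns = ROLES[a["roleDefinitionName"]]["dataActions"]
        if any(fnmatchcase(data_action.lower(), p.lower()) for p in patterns):
            granted.append(a["roleDefinitionName"])
    return granted

# Constructed sample data: placeholder subscription, resource group and principal ID;
# the account and container names are the ones in the question.
ACCOUNT = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
           "/providers/Microsoft.Storage/storageAccounts/satestblobaccess")
CONTAINER = ACCOUNT + "/blobServices/default/containers/stcnt-test-blob-access"
USER = "11111111-1111-1111-1111-111111111111"
OWNER_ONLY = [{"principalId": USER, "roleDefinitionName": "Owner", "scope": CONTAINER}]
WITH_READER = OWNER_ONLY + [
    {"principalId": USER, "roleDefinitionName": "Storage Blob Data Reader", "scope": ACCOUNT}]

if __name__ == "__main__":
    print("Owner only: ", roles_granting(OWNER_ONLY, USER, CONTAINER))
    print("With reader:", roles_granting(WITH_READER, USER, CONTAINER))
```

An empty result for the identity that `DefaultAzureCredential` resolved (AzureCliCredential in the log above) corresponds to the AuthorizationPermissionMismatch response.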