I am trying to download an Azure Blob to a Windows target machine. As I refer to this question, it apparently cannot be downloaded directly. So, my target area is the Ansible node controller and I intended to use the copy function to move it to the Windows target machine.
I have ensured I meet the pre-requisites for this module by running Python v3.12.3 and azcollection v2.7.0. I have worded the role as below:
```yaml
- name: Download RDS Certificate
  azure.azcollection.azure_rm_storageblob:
    resource_group: "{{ resource_group }}"
    storage_account_name: "{{ storage_account }}"
    container: "{{ storage_container }}"
    blob: "{{ cert_blob }}"
    dest: "/tmp/{{ cert_blob }}"
    auth_source: auto
    subscription_id: "{{ lookup('env', 'AZURE_SUBSCRIPTION_ID') }}"
    client_id: "{{ lookup('env', 'AZURE_CLIENT_ID') }}"
    secret: "{{ lookup('env', 'AZURE_SECRET') }}"
    tenant: "{{ lookup('env', 'AZURE_TENANT') }}"
  register: rds_certificate_downloaded
  until: rds_certificate_downloaded is succeeded
  retries: 2
  delay: 10
  ignore_errors: true # temporarily added
```
And the playbook reads:
```yaml
- name: Perform activities pertaining to other RDS activities
  hosts: "localhost"
  connection: local
  roles:
    - plt_engg/download-rds-certificate
  tags:
    - download-rds-certificate
```
I have also ensured the Service Principal in use has both the Contributor and Storage Blob Data Contributor RBAC roles added. But no matter what I do, it just fails at authentication every time. Does anyone have a workaround for this?
Error Snippet:
```text
File "<string>", line 1, in <module>
azure.core.exceptions.HttpResponseError: This request is not authorized to perform this operation.
RequestId:c5b434b1-d01e-0075-6380-2fa3b3000000
Time:2024-11-05T12:41:47.2537019Z
ErrorCode:AuthorizationFailure
Content: <?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationFailure</Code><Message>This request is not authorized to perform this operation.
RequestId:c5b434b1-d01e-0075-6380-2fa3b3000000
Time:2024-11-05T12:41:47.2537019Z</Message></Error>
```
```json
fatal: [localhost]: FAILED! => {
    "attempts": 2,
    "changed": false,
    "module_stderr": "Traceback (most recent call last):\n File \"/home/USER/.ansible/tmp/ansible-tmp-1730810505.1070528-3075-81437847270667/AnsiballZ_azure_rm_storageblob.py\", line 107, in <module>\n _ansiballz_main()\n File \"/home/USER/.ansible/tmp/ansible-tmp-1730810505.1070528-3075-81437847270667/AnsiballZ_azure_rm_storageblob.py\", line 99, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File \"/home/USER/.ansible/tmp/ansible-tmp-1730810505.1070528-3075-81437847270667/AnsiballZ_azure_rm_storageblob.py\", line 47, in invoke_module\n runpy.run_module(mod_name='ansible_collections.azure.azcollection.plugins.modules.azure_rm_storageblob', init_globals=dict(_module_fqn='ansible_collections.azure.azcollection.plugins.modules.azure_rm_storageblob', _modlib_path=modlib_path),\n File \"<frozen runpy>\", line 226, in run_module\n File \"<frozen runpy>\", line 98, in _run_module_code\n File \"<frozen runpy>\", line 88, in _run_code\n File \"/tmp/ansible_azure.azcollection.azure_rm_storageblob_payload_qmx6i7_u/ansible_azure.azcollection.azure_rm_storageblob_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_storageblob.py\", line 682, in <module>\n File \"/tmp/ansible_azure.azcollection.azure_rm_storageblob_payload_qmx6i7_u/ansible_azure.azcollection.azure_rm_storageblob_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_storageblob.py\", line 678, in main\n File \"/tmp/ansible_azure.azcollection.azure_rm_storageblob_payload_qmx6i7_u/ansible_azure.azcollection.azure_rm_storageblob_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_storageblob.py\", line 290, in __init__\n File \"/tmp/ansible_azure.azcollection.azure_rm_storageblob_payload_qmx6i7_u/ansible_azure.azcollection.azure_rm_storageblob_payload.zip/ansible_collections/azure/azcollection/plugins/module_utils/azure_rm_common.py\", line 474, in __init__\n File \"/tmp/ansible_azure.azcollection.azure_rm_storageblob_payload_qmx6i7_u/ansible_azure.azcollection.azure_rm_storageblob_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_storageblob.py\", line 305, in exec_module\n File \"/tmp/ansible_azure.azcollection.azure_rm_storageblob_payload_qmx6i7_u/ansible_azure.azcollection.azure_rm_storageblob_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_storageblob.py\", line 440, in get_container\n File \"/home/USER/ansible-env/lib/python3.12/site-packages/azure/core/tracing/decorator.py\", line 76, in wrapper_use_tracer\n return func(*args, **kwargs)\n ^^^^^^^^^^^^^^^^^^^^^\n File \"/home/USER/ansible-env/lib/python3.12/site-packages/azure/storage/blob/_container_client.py\", line 498, in get_container_properties\n process_storage_error(error)\n File \"/home/USER/ansible-env/lib/python3.12/site-packages/azure/storage/blob/_shared/response_handlers.py\", line 181, in process_storage_error\n exec(\"raise error from None\") # pylint: disable=exec-used # nosec\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File \"<string>\", line 1, in <module>\nazure.core.exceptions.HttpResponseError: This request is not authorized to perform this operation.\nRequestId:c5b434b1-d01e-0075-6380-2fa3b3000000\nTime:2024-11-05T12:41:47.2537019Z\nErrorCode:AuthorizationFailure\nContent: <?xml version=\"1.0\" encoding=\"utf-8\"?><Error><Code>AuthorizationFailure</Code><Message>This request is not authorized to perform this operation.\nRequestId:c5b434b1-d01e-0075-6380-2fa3b3000000\nTime:2024-11-05T12:41:47.2537019Z</Message></Error>\n",
    "module_stdout": "",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "rc": 1
}
```
The culprit here was the storage account networking. I had it restricted to selected networks and apparently the VNET containing the Ansible node controller was missing.

*Azure Portal -> Storage Account -> Security + Networking -> Firewall and Virtual Networks -> check "Allow access from" (All networks / Selected networks).*

*If "Enabled from selected virtual networks and IP addresses" is checked, it means the storage account is firewall restricted.*