azure, ansible, azure-blob-storage, devops

Ansible - Download an Azure Blob file


I am trying to download an Azure Blob to a Windows target machine. As I refer to this question, it apparently cannot be downloaded directly. So, my target area is the Ansible node controller and I intended to use the copy function to move it to the Windows target machine.

I have ensured I meet the prerequisites for this module by running Python v3.12.3 and the azcollection v2.7.0. I have worded the role as below:

- name: Download RDS Certificate
  azure.azcollection.azure_rm_storageblob:
    resource_group: "{{ resource_group }}"
    storage_account_name: "{{ storage_account }}"
    container: "{{ storage_container }}"
    blob: "{{ cert_blob }}"
    dest: "/tmp/{{ cert_blob }}"
    auth_source: auto
    subscription_id: "{{ lookup('env', 'AZURE_SUBSCRIPTION_ID') }}"
    client_id: "{{ lookup('env', 'AZURE_CLIENT_ID') }}"
    secret: "{{ lookup('env', 'AZURE_SECRET') }}"
    tenant: "{{ lookup('env', 'AZURE_TENANT') }}"
  register: rds_certificate_downloaded
  until: rds_certificate_downloaded is succeeded
  retries: 2
  delay: 10
  ignore_errors: true    #temporarily added

And the playbook reads:

- name: Perform activities pertaining to other RDS activities
  hosts: "localhost"
  connection: local
  roles:
    - plt_engg/download-rds-certificate
  tags:
    - download-rds-certificate

I have also ensured the Service Principal in use has both the Contributor and Storage Blob Data Contributor RBAC roles added. But no matter what I do, it just fails at authentication every time. Does anyone have a workaround for this?

Error Snippet:

  File "<string>", line 1, in <module>
azure.core.exceptions.HttpResponseError: This request is not authorized to perform this operation.
RequestId:c5b434b1-d01e-0075-6380-2fa3b3000000
Time:2024-11-05T12:41:47.2537019Z
ErrorCode:AuthorizationFailure
Content: <?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationFailure</Code><Message>This request is not authorized to perform this operation.
RequestId:c5b434b1-d01e-0075-6380-2fa3b3000000
Time:2024-11-05T12:41:47.2537019Z</Message></Error>
fatal: [localhost]: FAILED! => {
    "attempts": 2,
    "changed": false,
    "module_stderr": "Traceback (most recent call last):\n  File \"/home/USER/.ansible/tmp/ansible-tmp-1730810505.1070528-3075-81437847270667/AnsiballZ_azure_rm_storageblob.py\", line 107, in <module>\n    _ansiballz_main()\n  File \"/home/USER/.ansible/tmp/ansible-tmp-1730810505.1070528-3075-81437847270667/AnsiballZ_azure_rm_storageblob.py\", line 99, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/home/USER/.ansible/tmp/ansible-tmp-1730810505.1070528-3075-81437847270667/AnsiballZ_azure_rm_storageblob.py\", line 47, in invoke_module\n    runpy.run_module(mod_name='ansible_collections.azure.azcollection.plugins.modules.azure_rm_storageblob', init_globals=dict(_module_fqn='ansible_collections.azure.azcollection.plugins.modules.azure_rm_storageblob', _modlib_path=modlib_path),\n  File \"<frozen runpy>\", line 226, in run_module\n  File \"<frozen runpy>\", line 98, in _run_module_code\n  File \"<frozen runpy>\", line 88, in _run_code\n  File \"/tmp/ansible_azure.azcollection.azure_rm_storageblob_payload_qmx6i7_u/ansible_azure.azcollection.azure_rm_storageblob_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_storageblob.py\", line 682, in <module>\n  File \"/tmp/ansible_azure.azcollection.azure_rm_storageblob_payload_qmx6i7_u/ansible_azure.azcollection.azure_rm_storageblob_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_storageblob.py\", line 678, in main\n  File \"/tmp/ansible_azure.azcollection.azure_rm_storageblob_payload_qmx6i7_u/ansible_azure.azcollection.azure_rm_storageblob_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_storageblob.py\", line 290, in __init__\n  File \"/tmp/ansible_azure.azcollection.azure_rm_storageblob_payload_qmx6i7_u/ansible_azure.azcollection.azure_rm_storageblob_payload.zip/ansible_collections/azure/azcollection/plugins/module_utils/azure_rm_common.py\", line 474, in __init__\n  File 
\"/tmp/ansible_azure.azcollection.azure_rm_storageblob_payload_qmx6i7_u/ansible_azure.azcollection.azure_rm_storageblob_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_storageblob.py\", line 305, in exec_module\n  File \"/tmp/ansible_azure.azcollection.azure_rm_storageblob_payload_qmx6i7_u/ansible_azure.azcollection.azure_rm_storageblob_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_storageblob.py\", line 440, in get_container\n  File \"/home/USER/ansible-env/lib/python3.12/site-packages/azure/core/tracing/decorator.py\", line 76, in wrapper_use_tracer\n    return func(*args, **kwargs)\n           ^^^^^^^^^^^^^^^^^^^^^\n  File \"/home/USER/ansible-env/lib/python3.12/site-packages/azure/storage/blob/_container_client.py\", line 498, in get_container_properties\n    process_storage_error(error)\n  File \"/home/USER/ansible-env/lib/python3.12/site-packages/azure/storage/blob/_shared/response_handlers.py\", line 181, in process_storage_error\n    exec(\"raise error from None\")   # pylint: disable=exec-used # nosec\n    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"<string>\", line 1, in <module>\nazure.core.exceptions.HttpResponseError: This request is not authorized to perform this operation.\nRequestId:c5b434b1-d01e-0075-6380-2fa3b3000000\nTime:2024-11-05T12:41:47.2537019Z\nErrorCode:AuthorizationFailure\nContent: <?xml version=\"1.0\" encoding=\"utf-8\"?><Error><Code>AuthorizationFailure</Code><Message>This request is not authorized to perform this operation.\nRequestId:c5b434b1-d01e-0075-6380-2fa3b3000000\nTime:2024-11-05T12:41:47.2537019Z</Message></Error>\n",
    "module_stdout": "",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "rc": 1
}

Solution

  • The culprit here was the storage account networking. I had it restricted to selected networks and apparently the VNET containing the Ansible node controller was missing.

    Azure Portal -> Storage Account -> Security + Networking -> Firewall and Virtual Networks -> Check "Allow Access From" (All Networks / Selected Networks).

    If it is set to "Enabled from selected virtual networks and IP addresses", it means the storage account is firewall restricted.
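The failure in this thread is easy to misread, because the service principal had the right RBAC roles yet the request was still rejected. A small preflight check that separates the two causes is shown below. This is an added example, not code from the question or from azure.azcollection: the rule set is constructed sample data shaped like the networkRuleSet object printed by `az storage account show` (the field names defaultAction, bypass, ipRules, virtualNetworkRules, ipAddressOrRange, virtualNetworkResourceId and state are assumed from that output), the subscription id and subnet names are placeholders, and the error body is the one quoted in the question.

```python
"""Preflight for the AuthorizationFailure case described above:
RBAC is fine, but the storage account firewall does not list the
network the Ansible controller sits in.

Added example; not part of the original post or of azure.azcollection.
The rule set below is CONSTRUCTED and mirrors the shape of the
`networkRuleSet` object from `az storage account show` (field names
are an assumption). Subscription ids and subnet names are placeholders.
"""
import copy
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of the account *before* the fix: "Enabled from selected
# virtual networks and IP addresses" in the portal corresponds to
# defaultAction == "Deny" plus an allow list of subnets and public IP ranges.
RESTRICTED_RULE_SET = {
    "defaultAction": "Deny",
    "bypass": "AzureServices",
    "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.0/24"}],
    "virtualNetworkRules": [
        {
            "action": "Allow",
            "state": "Succeeded",
            "virtualNetworkResourceId": (
                "/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/rg-app"
                "/providers/Microsoft.Network/virtualNetworks/vnet-app/subnets/snet-web"
            ),
        }
    ],
}

# Placeholder resource id of the subnet hosting the Ansible controller.
# It is deliberately absent from the allow list above.
CONTROLLER_SUBNET = (
    "/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/rg-ops"
    "/providers/Microsoft.Network/virtualNetworks/vnet-ops/subnets/snet-ansible"
)

# Error body quoted in the question (RequestId/Time copied from the post).
SAMPLE_ERROR_XML = (
    '<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationFailure</Code>'
    "<Message>This request is not authorized to perform this operation.\n"
    "RequestId:c5b434b1-d01e-0075-6380-2fa3b3000000\n"
    "Time:2024-11-05T12:41:47.2537019Z</Message></Error>"
)


def is_firewall_restricted(rule_set):
    """True when the account only accepts traffic from its allow list."""
    return rule_set.get("defaultAction", "Allow").lower() == "deny"


def _ip_allowed(rule_set, source_ip):
    """Match a public source IP against ipRules (single address or CIDR)."""
    if source_ip is None:
        return False
    ip = ipaddress.ip_address(source_ip)
    for rule in rule_set.get("ipRules", []):
        if rule.get("action", "Allow").lower() != "allow":
            continue
        if ip in ipaddress.ip_network(rule["ipAddressOrRange"], strict=False):
            return True
    return False


def _subnet_allowed(rule_set, subnet_id):
    """Match the caller's subnet against provisioned virtualNetworkRules."""
    if subnet_id is None:
        return False
    for rule in rule_set.get("virtualNetworkRules", []):
        if rule.get("action", "Allow").lower() != "allow":
            continue
        if rule.get("state", "Succeeded").lower() != "succeeded":
            continue  # rule exists but is not effective yet
        if rule["virtualNetworkResourceId"].lower() == subnet_id.lower():
            return True
    return False


def request_allowed(rule_set, subnet_id=None, source_ip=None):
    """Would a caller on `subnet_id` and/or from `source_ip` pass the
    storage firewall? RBAC is a separate check and is not modelled here."""
    if not is_firewall_restricted(rule_set):
        return True
    return _subnet_allowed(rule_set, subnet_id) or _ip_allowed(rule_set, source_ip)


def allow_subnet(rule_set, subnet_id):
    """Return a copy of the rule set with `subnet_id` added (the fix above)."""
    fixed = copy.deepcopy(rule_set)
    fixed.setdefault("virtualNetworkRules", []).append(
        {"action": "Allow", "state": "Succeeded", "virtualNetworkResourceId": subnet_id}
    )
    return fixed


def storage_error_code(xml_body):
    """Extract <Code> from the XML error body Azure Storage returns."""
    if isinstance(xml_body, str):
        xml_body = xml_body.encode("utf-8")
    return ET.fromstring(xml_body).findtext("Code")


def explain(code):
    """Map the storage error code to the layer that rejected the request."""
    hints = {
        "AuthorizationFailure": "network rules (firewall / selected networks) blocked the call; check networkRuleSet",
        "AuthorizationPermissionMismatch": "identity authenticated but lacks a data-plane RBAC role",
        "AuthenticationFailed": "credentials rejected; check client_id/secret/tenant",
    }
    return hints.get(code, "unrecognised code")


if __name__ == "__main__":
    code = storage_error_code(SAMPLE_ERROR_XML)
    print(code, "->", explain(code))
    print("controller allowed before fix:", request_allowed(RESTRICTED_RULE_SET, CONTROLLER_SUBNET))
    print("controller allowed after fix: ",
          request_allowed(allow_subnet(RESTRICTED_RULE_SET, CONTROLLER_SUBNET), CONTROLLER_SUBNET))
```

In practice the rule set would be fed from the JSON that `az storage account show` prints for the account, and the subnet id from the controller VM's NIC; the point of the check is that an AuthorizationFailure with correct RBAC points at the network allow list, while a missing data-plane role surfaces as a different error code.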