I am trying to access an Azure Blob Storage account to read .PDF files, using RBAC to secure the system. Using the code below I am able to read single files if I know the exact name they have in the Blob, but I cannot use the list command to search for files.
I have used Entra App Registrations to set up an access point to the Blob via which users can authenticate. The API permissions are set to give the API user impersonation rights on the Blob API, and I have given the Azure Group that controls access to the Blob "Storage Blob Data Reader" within the blob itself.
[Screenshot: Role Permissions Set in the Storage Account]
Using the code shown below I can download a PDF and view it if I already know its filename in the blob, but I cannot use the list command to get a list of blobs with a given starting filename. I get the following error when doing the list command.
Azure.RequestFailedException: 'This request is not authorized to perform this operation using this permission.
Status: 403 (This request is not authorized to perform this operation using this permission.)
ErrorCode: AuthorizationPermissionMismatch
I have tried adding other permissions from the Storage Azure group (Contributor, Delegator), but everything I have read says Reader permission should grant this.
Code below; IDs and URIs removed from the example code!
// Using directives needed for the code as posted (Azure.Identity, Azure.Storage.Blobs, System.Linq for Count())
using System;
using System.Diagnostics;
using System.Linq;
using Azure;
using Azure.Identity;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Models;

// Placeholders: the real IDs and URIs were removed from the example code
string TenantID = "<tenant-id>";
string clientId = "<app-registration-client-id>";
string RedirectUri = "<redirect-uri>";
string BlobUri = "<blob-service-uri>";
string containerName = "<container-name>";

// Setup Access Token
InteractiveBrowserCredentialOptions Options = new InteractiveBrowserCredentialOptions
{
    TenantId = TenantID,
    ClientId = clientId,
    RedirectUri = new Uri(RedirectUri)
};
// Setup Client
InteractiveBrowserCredential cred = new InteractiveBrowserCredential(Options);
BlobServiceClient blobServiceClient = new BlobServiceClient(new Uri(BlobUri), cred);
BlobContainerClient containerClient = blobServiceClient.GetBlobContainerClient(containerName);
// Read Single File of Known Filename
string Filename = "REP000001_V000001_Report.pdf";
BlobClient blobClient = containerClient.GetBlobClient(Filename);
blobClient.DownloadTo(@"C:\Temp\" + Filename);
// UseShellExecute is required to open a document in its associated viewer on .NET Core / .NET 5+
Process.Start(new ProcessStartInfo(@"C:\Temp\" + Filename) { UseShellExecute = true });
// Search for Matching files.
string Prefix = string.Format("{0}{1:000000}_V{2:000000}", "REP", 1, 1); // "REP000001_V000001"
try
{
    // BlobTraits.All includes Tags, so this becomes a List Blobs call with include=tags
    Pageable<BlobItem> List = containerClient.GetBlobs(BlobTraits.All, BlobStates.All, Prefix);
    if (List.Count<BlobItem>() == 1) //<= Errors here
    {
    }
}
catch (Exception ex)
{
    Console.WriteLine(ex.ToString());
}
It seems that, in order to do the List command with the code I was using, it was using the search-tags function even though I am not providing any tags.
The bottom of this article (https://learn.microsoft.com/en-us/rest/api/storageservices/list-blobs?tabs=microsoft-entra-id) shows that doing this requires a different permission, "Storage Blob Data Owner", rather than just "Storage Blob Data Reader".
Assigning this to the Group my user is in at the top level of the storage account fixed the problem.
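As an added example (not code from the original post or its answer), here is the least-privilege alternative to granting Storage Blob Data Owner: keep the group on Storage Blob Data Reader and stop asking for tags. `BlobTraits.All` includes `BlobTraits.Tags`, which adds `include=tags` to the List Blobs request; that include needs the `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read` data action, which Owner carries and Reader (and, as the question found, Contributor) do not. `BlobTraits.None` or `BlobTraits.Metadata` only needs `blobs/read`. The tenant, client ID, redirect URI, account URI and container name are placeholders, the `FindByPrefix` helper is assumed, and the 403 handler keys on the `AuthorizationPermissionMismatch` error code from the question.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Azure;
using Azure.Identity;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Models;

// Added example, not from the original post. All values below are placeholders
// (assumed) for the tenant, app registration, redirect URI, storage account and container.
class PrefixSearch
{
    const string TenantId = "<tenant-id>";
    const string ClientId = "<app-registration-client-id>";
    const string RedirectUri = "<redirect-uri>";
    const string BlobUri = "<https://ACCOUNT.blob.core.windows.net>";
    const string ContainerName = "<container-name>";

    // Lists blob names under a prefix WITHOUT include=tags, so the request needs only the
    // blobs/read data action that Storage Blob Data Reader grants. (Assumed helper name.)
    static List<string> FindByPrefix(BlobContainerClient container, string prefix, bool withMetadata = false)
    {
        // BlobTraits.Metadata adds include=metadata, which blobs/read covers.
        // BlobTraits.Tags (and therefore BlobTraits.All) adds include=tags, which needs
        // blobs/tags/read and is why the post's call failed under Data Reader.
        BlobTraits traits = withMetadata ? BlobTraits.Metadata : BlobTraits.None;

        // BlobStates.None: current blobs only (no snapshots, versions or soft-deleted blobs).
        Pageable<BlobItem> blobs = container.GetBlobs(traits, BlobStates.None, prefix);
        return blobs.Select(b => b.Name).ToList();
    }

    static void Main()
    {
        var cred = new InteractiveBrowserCredential(new InteractiveBrowserCredentialOptions
        {
            TenantId = TenantId,
            ClientId = ClientId,
            RedirectUri = new Uri(RedirectUri)
        });
        BlobContainerClient container =
            new BlobServiceClient(new Uri(BlobUri), cred).GetBlobContainerClient(ContainerName);

        // Same prefix the post searches for: "REP000001_V000001"
        string prefix = string.Format("{0}{1:000000}_V{2:000000}", "REP", 1, 1);

        try
        {
            List<string> matches = FindByPrefix(container, prefix);

            if (matches.Count == 1)
            {
                // Exactly one report matches: download it, as the post does for a known name.
                string name = matches[0];
                container.GetBlobClient(name).DownloadTo(@"C:\Temp\" + name);
                Console.WriteLine($"Downloaded {name}");
            }
            else
            {
                Console.WriteLine($"{matches.Count} blobs match prefix '{prefix}':");
                foreach (string name in matches) Console.WriteLine("  " + name);
            }
        }
        catch (RequestFailedException ex)
            when (ex.Status == 403 && ex.ErrorCode == "AuthorizationPermissionMismatch")
        {
            // The assigned role lacks a data action this request needs. For a List Blobs
            // call the usual culprit is include=tags (BlobTraits.Tags / BlobTraits.All):
            // drop the include, or assign a role that carries blobs/tags/read.
            Console.WriteLine("403 AuthorizationPermissionMismatch: " + ex.Message);
        }
    }
}
```

If the listing genuinely needs tags (for example to filter on them), then the Owner assignment in the answer above is the required change; otherwise keeping the group on Data Reader and requesting `BlobTraits.None` avoids handing out write and delete rights on every blob in the account just to enumerate names.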