
AuthorizationFailure error while using DefaultAzureCredential authorization for Azure Storage Blob for creating new blob #13101

Closed
prashanthmadduri opened this issue Jan 7, 2021 · 8 comments
Labels: Client (data-plane problem in the library), customer-reported, needs-team-attention, question, Storage (Queues, Blobs, Files)

Comments

@prashanthmadduri

prashanthmadduri commented Jan 7, 2021

  • Package Name: @azure/storage-blob, @azure/identity
  • Package Version: 12.3.0, 1.2.0
  • Operating system: Windows 10
  • nodejs
    • version: v10.16.3
  • browser
    • name/version:
  • typescript
    • version: 1.5.3

Describe the bug

  • As per the example provided here https://github.com/Azure/azure-sdk-for-js/blob/master/sdk/storage/storage-blob/samples/javascript/azureAdAuth.js, the Azure AD authentication should work, but it is failing with an AuthorizationFailure error.

  • We have registered the application and granted access to https://storage.azure.com/user_impersonation, and also enabled Access tokens and ID tokens for implicit grant and hybrid flows. We also assigned the Storage Blob Data Owner role to the user. We are able to create a blob using InteractiveBrowserCredential with the same application registration values.

To Reproduce
Steps to reproduce the behavior:

  1. Created application registration with https://storage.azure.com/user_impersonation access.
  2. Provided Storage Blob Data Owner role to user.
  3. Tried accessing Storage Blob via Azure AD using @azure/identity, but it fails as explained above.

Expected behavior
Expecting Storage Blob access via Azure AD using @azure/identity to work as in the sample provided here https://github.com/Azure/azure-sdk-for-js/blob/master/sdk/storage/storage-blob/samples/javascript/azureAdAuth.js, using the AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET values.


@jeremymeng
Member

@prashanthmadduri does the Storage Blob Data Contributor role work? It feels like the Owner role should have all the permissions of Contributor and more, but it is worth a quick try.

@prashanthmadduri
Author

prashanthmadduri commented Jan 8, 2021

@jeremymeng We have added the three roles below (Owner, Storage Blob Data Owner and Storage Blob Data Contributor) at the storage account level, as in the attached screenshot, but we still have the same issue.

[screenshot: role assignments at the storage account level]

@ljian3377
Member

ljian3377 commented Jan 8, 2021

Please double-check that you have followed the doc: https://github.com/Azure/azure-sdk-for-js/tree/master/sdk/storage/storage-blob#with-defaultazurecredential-from-azureidentity-package

  • register your app in AAD, create a client secret
  • in storage side, assign a role to that app
  • set AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET as environment variables

@ljian3377
Member

ljian3377 commented Jan 8, 2021

If it still doesn't work, please provide more details, for example the failed request id, so we can take a look at the log.

@prashanthmadduri
Author

@ljian3377

We have followed the steps mentioned above. Please find the request id for the same.

RestError: This request is not authorized to perform this operation.
RequestId:75f25569-001e-001c-089d-e5fe5d000000
Time:2021-01-08T09:03:03.2092431Z 

@ljian3377
Member

RBAC Authorization Failed : Control Action permission Microsoft.Storage/storageAccounts/blobServices/containers/write not present.

testpsl does not have Write access to resource /testpsl/newcontainer1610096581184/

Storage Blob Data Owner is enough.
One thing that looks weird to me is that the types of the roles in the screenshot are "User" instead of "App".
Select the AAD app rather than your storage account when adding role assignment.
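The diagnosis above (and the three setup steps ljian3377 listed earlier) can be turned into an offline preflight check that names the misconfiguration before any blob call is made. The following is an added example, not code from this issue or from the Azure SDK. The role names are real Azure built-in roles; the subscription id, resource group, principal ids and the assignment records are constructed placeholders, and `diagnoseBlobWrite`, `missingCredentialEnv` and `parseRestError` are hypothetical helper names.

```javascript
// Added example; not code from the issue, the reporter, or the Azure SDK.
// DefaultAzureCredential with AZURE_CLIENT_ID/AZURE_CLIENT_SECRET authenticates
// the app's service principal, so the data-plane role must be assigned to that
// principal, not to the signed-in user. The control-plane "Owner" role does not
// grant blob data access; that needs a Storage Blob Data role.

// Real Azure built-in role names. Data roles that allow container/blob writes:
const BLOB_WRITE_ROLES = new Set(["Storage Blob Data Owner", "Storage Blob Data Contributor"]);
// All blob data-plane roles (Reader is read-only):
const BLOB_DATA_ROLES = new Set([...BLOB_WRITE_ROLES, "Storage Blob Data Reader"]);

// Constructed scope for a storage account (placeholder subscription and RG).
const ACCOUNT_SCOPE =
  "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg" +
  "/providers/Microsoft.Storage/storageAccounts/testpsl";

// Constructed role assignments modelled on the thread: the first screenshot had
// roles on the human user, the fix granted a data role to the app's principal.
const SAMPLE_ASSIGNMENTS = [
  { principalId: "user-0001", principalType: "User", role: "Owner", scope: ACCOUNT_SCOPE },
  { principalId: "user-0001", principalType: "User", role: "Storage Blob Data Owner", scope: ACCOUNT_SCOPE },
  { principalId: "sp-0002", principalType: "ServicePrincipal", role: "Owner", scope: ACCOUNT_SCOPE },
  { principalId: "sp-0003", principalType: "ServicePrincipal", role: "Storage Blob Data Contributor", scope: ACCOUNT_SCOPE },
];

// Azure RBAC inherits down the resource hierarchy: an assignment applies to a
// target scope when its scope is the target itself or an ancestor of it.
function scopeCovers(assignmentScope, targetScope) {
  const a = assignmentScope.toLowerCase().replace(/\/+$/, "");
  const t = targetScope.toLowerCase();
  return t === a || t.startsWith(a + "/");
}

// Report whether `principalId` (the identity the credential will actually
// authenticate as) can write a container or blob at `targetScope`.
function diagnoseBlobWrite(assignments, principalId, targetScope) {
  const mine = assignments.filter(
    (x) => x.principalId === principalId && scopeCovers(x.scope, targetScope)
  );
  if (mine.some((x) => BLOB_WRITE_ROLES.has(x.role))) {
    return { ok: true, reason: "principal holds a blob data write role in scope" };
  }
  if (mine.some((x) => BLOB_DATA_ROLES.has(x.role))) {
    return { ok: false, reason: "principal holds only a read-only blob data role" };
  }
  if (mine.some((x) => x.role === "Owner" || x.role === "Contributor")) {
    return {
      ok: false,
      reason: "only control-plane roles (Owner/Contributor) in scope; these do not grant blob data access",
    };
  }
  // The cause in this thread: the data role exists, but on a different principal.
  const elsewhere = assignments.filter(
    (x) => BLOB_WRITE_ROLES.has(x.role) && scopeCovers(x.scope, targetScope) && x.principalId !== principalId
  );
  if (elsewhere.length > 0) {
    return {
      ok: false,
      reason: `no role on this principal; a blob data role is assigned to ${elsewhere[0].principalType} ${elsewhere[0].principalId} instead`,
    };
  }
  return { ok: false, reason: "no role assignment for this principal in scope" };
}

// Check the three variables the client-secret flow of DefaultAzureCredential
// reads, without echoing the secret. Returns the names that are missing.
function missingCredentialEnv(env = process.env) {
  return ["AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET"].filter(
    (name) => !env[name] || env[name].trim() === ""
  );
}

// Pull RequestId and Time out of a RestError message so they can be quoted to
// the service team, as the maintainer asked for in this thread.
function parseRestError(text) {
  const requestId = /RequestId:\s*([0-9a-f-]+)/i.exec(text);
  const time = /Time:\s*(\S+)/.exec(text);
  return { requestId: requestId ? requestId[1] : null, time: time ? time[1] : null };
}

if (typeof require !== "undefined" && require.main === module) {
  const target = ACCOUNT_SCOPE + "/blobServices/default/containers/newcontainer";
  for (const id of ["user-0001", "sp-0002", "sp-0003", "sp-0004"]) {
    console.log(id, diagnoseBlobWrite(SAMPLE_ASSIGNMENTS, id, target));
  }
  console.log("missing credential env vars:", missingCredentialEnv());
}
```

Run against the constructed assignments, `sp-0002` (control-plane Owner only) and `sp-0004` (no assignment, the data role sits on the user) are both refused, which is the situation the thread's screenshots described; `sp-0003` with Storage Blob Data Contributor passes, matching the fix. The real object id of the app's service principal and the account's actual assignments would replace the placeholders.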

@prashanthmadduri
Author

@ljian3377 Thank you for your inputs. It started working as expected after giving the Storage Blob Data Contributor role to the registered app instead of the account user, as shown in the attached screenshot.

[screenshot: Storage Blob Data Contributor assigned to the registered app]

@ljian3377
Member

Good to know. Will close the issue now. You can re-open it if anything is needed from us for this. Thanks.
