azure-sdk-for-python: AuthorizationPermissionMismatch when using AzureCliCredential

  • Package Name: azure-identity / azure-storage-blob
  • Package Version: azure-identity==1.10.0 / azure-storage-blob==12.11.0
  • Operating System: Azure Pipeline (image: ubuntu-latest)
  • Python Version: 3.9.12

Describe the bug

When we run the following Python script in an Azure DevOps pipeline (using a service connection), it fails halfway through:

from azure.identity import AzureCliCredential
from azure.storage.blob import BlobServiceClient

default_credential = AzureCliCredential()
blob_service_client = BlobServiceClient(account_url="https://MY_STORAGE_ACCOUNT.blob.core.windows.net", credential=default_credential)
container_client = blob_service_client.get_container_client("MY_CONTAINER")
print(container_client.exists())  # This returns True
for blob in container_client.list_blobs():  # This fails
    print(blob)

This happens even though the command az storage blob list -c MY_CONTAINER --account-name MY_STORAGE_ACCOUNT succeeds in the same configuration.

Here is the traceback:

True
Traceback (most recent call last):
  File "/home/vsts/work/1/s/./scripts/generate_sas_token.py", line 73, in <module>
    run()
  File "/home/vsts/work/1/s/./scripts/generate_sas_token.py", line 43, in run
    for blob in container_client.list_blobs():
  File "/opt/hostedtoolcache/Python/3.9.12/x64/lib/python3.9/site-packages/azure/core/paging.py", line 129, in __next__
    return next(self._page_iterator)
  File "/opt/hostedtoolcache/Python/3.9.12/x64/lib/python3.9/site-packages/azure/core/paging.py", line 76, in __next__
    self._response = self._get_next(self.continuation_token)
  File "/opt/hostedtoolcache/Python/3.9.12/x64/lib/python3.9/site-packages/azure/storage/blob/_list_blobs_helper.py", line 83, in _get_next_cb
    process_storage_error(error)
  File "/opt/hostedtoolcache/Python/3.9.12/x64/lib/python3.9/site-packages/azure/storage/blob/_shared/response_handlers.py", line 181, in process_storage_error
    exec("raise error from None")   # pylint: disable=exec-used # nosec
  File "<string>", line 1, in <module>
azure.core.exceptions.HttpResponseError: This request is not authorized to perform this operation using this permission.
RequestId:0ea3b6c8-101e-0006-4c24-5e7fc4000000
Time:2022-05-02T13:01:09.4026556Z
ErrorCode:AuthorizationPermissionMismatch
Content: <?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationPermissionMismatch</Code><Message>This request is not authorized to perform this operation using this permission.
RequestId:0ea3b6c8-101e-0006-4c24-5e7fc4000000
Time:2022-05-02T13:01:09.4026556Z</Message></Error>

To Reproduce

Steps to reproduce the behavior:

  1. Connect to Azure with the Azure CLI
  2. Execute the CLI command az storage blob list -c MY_CONTAINER --account-name MY_STORAGE_ACCOUNT
  3. Execute the Python script given in the Describe the bug section

Expected behavior

If both scripts authenticate the same way (which is the case here, using the Azure CLI), they should both have the same behavior.

Additional context

As the bug was seen during an Azure Pipelines run, here is the script used to generate this pipeline:

pool:
  vmImage: ubuntu-latest
steps:
  - task: UsePythonVersion@0
    inputs:
      versionSpec: "3.9"
    displayName: Install Python
## Install the appropriate dependencies
  - task: AzureCLI@2
    inputs:
      azureSubscription: 'SERVICE_CONNECTION_NAME'
      scriptType: pscore
      scriptLocation: inlineScript
      inlineScript: |
        az storage blob list -c MY_CONTAINER --account-name MY_STORAGE_ACCOUNT --debug
        python3 my_python_script.py
      addSpnToEnvironment: true
      useGlobalConfig: true
      failOnStandardError: false
      powerShellIgnoreLASTEXITCODE: false

About this issue

  • State: closed
  • Created 2 years ago
  • Reactions: 1
  • Comments: 18 (6 by maintainers)

Most upvoted comments

I do not understand the design idea behind this. I’m literally running the quickstart code samples, being a Subscription Owner -> Storage Account Owner, and I am getting AuthPermissionMismatch when trying to list blobs (but not containers) in the storage account.

https://learn.microsoft.com/en-us/azure/storage/blobs/storage-quickstart-blobs-python?tabs=managed-identity%2Croles-azure-portal%2Csign-in-azure-cli

If this instance

blob_service_client = BlobServiceClient(account_url, credential=default_credential)

is supposed to dynamically fetch my access token and find in claims whether I am able to access the resource or not, there is either:

  • something fundamentally wrong with my token claims
  • something fundamentally wrong with the way SDK interprets my token claims

There is no way Owner permissions are overwritten by not having an explicit Storage Blob Data Contributor role on the Container?

UPD. And yes, if I assign myself additional role Storage Blob Data Reader, then I can list blobs. But I refuse to believe this is not a bug, because as an account owner I can simply retrieve the account key, so what’s the point of restricting my access to storage operations this way?
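What the report and the comment above are running into is the split between Azure's control plane and its data plane. The Owner role grants every control-plane action (the "actions" list of its definition) but no data actions, and the storage service checks a bearer token obtained via AzureCliCredential against data actions: Get Container Properties (what exists() calls) is covered by the control-plane action containers/read, so it succeeds, while List Blobs needs the data action containers/blobs/read, which only a data-plane role such as Storage Blob Data Reader carries. The CLI command succeeds for a different reason: az storage blob list without --auth-mode login falls back to fetching the account key with control-plane rights, so it never exercises data-plane RBAC at all. The following is an added example, not the reporter's script and not azure-sdk or azure-cli code; it embeds abbreviated copies of the two built-in role definitions (an assumption: trimmed to the actions and dataActions fields), the two operations from the report mapped to the permission each is checked against, and the error body quoted in the issue, and evaluates the same wildcard matching the service applies.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Abbreviated copies of two Azure built-in role definitions (assumption: trimmed to the
# fields this example needs; the full definitions also carry notActions/notDataActions).
# The point is the split: Owner has every control-plane action but no dataAction at all.
BUILTIN_ROLES = {
    "Owner": {
        "actions": ["*"],
        "dataActions": [],
    },
    "Storage Blob Data Reader": {
        "actions": [
            "Microsoft.Storage/storageAccounts/blobServices/containers/read",
            "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
        ],
        "dataActions": [
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        ],
    },
}

# The two SDK calls from the report, mapped to the permission each is checked against
# when the request carries an Azure AD bearer token rather than an account key.
OPERATIONS = {
    "container_client.exists": (
        "actions",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
    ),
    "container_client.list_blobs": (
        "dataActions",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
    ),
}

# Error body as quoted in the issue (constructed copy for offline use).
ERROR_BODY = (
    '<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationPermissionMismatch'
    "</Code><Message>This request is not authorized to perform this operation using this "
    "permission.\nRequestId:0ea3b6c8-101e-0006-4c24-5e7fc4000000\n"
    "Time:2022-05-02T13:01:09.4026556Z</Message></Error>"
)


def parse_storage_error(body: str) -> dict:
    """Pull Code, the first Message line and the RequestId out of a storage error body."""
    root = ET.fromstring(body)
    message_lines = (root.findtext("Message") or "").splitlines()
    request_id = next(
        (line.split(":", 1)[1] for line in message_lines if line.startswith("RequestId:")),
        None,
    )
    return {
        "code": root.findtext("Code"),
        "message": message_lines[0] if message_lines else "",
        "request_id": request_id,
    }


def is_authorized(assigned_roles, operation: str) -> bool:
    """Azure-style check: the required permission must match a pattern in the right list.

    Role patterns use '*' as a wildcard spanning '/' segments, which fnmatch also does.
    A dataAction is never satisfied by an entry under 'actions', however broad.
    """
    kind, required = OPERATIONS[operation]
    return any(
        fnmatch.fnmatchcase(required, pattern)
        for role in assigned_roles
        for pattern in BUILTIN_ROLES[role][kind]
    )


def diagnose(assigned_roles, operation: str, error_body: str) -> str:
    """Explain an AuthorizationPermissionMismatch in terms of the missing permission."""
    err = parse_storage_error(error_body)
    kind, required = OPERATIONS[operation]
    if err["code"] != "AuthorizationPermissionMismatch":
        return f"{err['code']}: not a data-plane RBAC mismatch (request {err['request_id']})"
    if is_authorized(assigned_roles, operation):
        return f"{operation} is permitted by {assigned_roles}; look elsewhere (request {err['request_id']})"
    grants = [
        name for name, role in BUILTIN_ROLES.items()
        if any(fnmatch.fnmatchcase(required, p) for p in role[kind])
    ]
    return (
        f"{operation} needs {kind[:-1]} {required}; none of {assigned_roles} grant it. "
        f"Assign one of {grants} at the narrowest useful scope (request {err['request_id']})."
    )


if __name__ == "__main__":
    for op in OPERATIONS:
        print(op, "->", "allowed" if is_authorized(["Owner"], op) else "denied", "for Owner")
    print(diagnose(["Owner"], "container_client.list_blobs", ERROR_BODY))
```

Run stand-alone it reports exists() as allowed and list_blobs() as denied for a bare Owner, and names Storage Blob Data Reader as the role that grants the missing data action. The same reasoning explains why the CLI and the SDK diverge: passing --auth-mode login to az storage blob list makes the CLI use the same bearer token as AzureCliCredential and it then fails the same way. Assigning a data-plane role at container scope is the least-privilege fix; retrieving the account key, which an Owner can always do, grants every operation on the account and cannot be narrowed.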

Hi @samy-dougui Samy, thanks for reaching out. We’ll take a look and get back to you soon.