Use a token to connect to a container

[kowiste]

I'm trying to connect to a blobstorage using a token that I get like this:

cred, err := azidentity.NewClientSecretCredential(tenantID, clientID, clientSecret, nil)

I can use this function and see that return me a token:

policy := policy.TokenRequestOptions{ Scopes: []string{clientID + "/.default"}, } resp, err := ced.GetToken(context.Background(), policy)

In the program I call to this function

conn, err := azblob.NewContainerClient(containerURL, cred, nil)

When I try to write using this connection to the container I have the follow error:

===== RESPONSE ERROR (ErrorCode=AuthorizationPermissionMismatch) ===== Description=This request is not authorized to perform this operation using this permission. RequestId:19f268a9-301e-0027-28c1-06fd6a000000 Time:2022-01-11T08:03:07.6493384Z, Details: (none)
The devops tell me that the problem is I have to get the token using scopes, but what I see in NewContainerClient is that use this constant:

const tokenScope untyped string = "https://storage.azure.com/.default"

There is any way to pass scopes to NewContainerClient or I should use other way?

[chlowell]

Scopes are handled internally by clients, and https://storage.azure.com/.default is the only one for Azure Storage. I'm not so familiar with Storage (I'll assign someone who is) but that error suggests the problem is with authorization, that is to say the service principal isn't authorized to perform the operation.

[zezha-msft]

@kowiste could you please make sure that you've assigned the right permissions to the service principal on the account? e.g. Storage Blob Data Contributor

[kowiste]

Thanks @zezha-msft, I just check with the dev ops, we change the role for the app to contributor but it still give the same error. I can have a token with azidentity.NewClientSecretCredential . I use it in azblob.NewContainerClient and with the client when try to write I have the same error.

[zezha-msft]

@kowiste I don't think the Contributor is the correct one. Please try "Storage Blob Data Contributor" instead.

Useful reading: https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-app?tabs=dotnet#assign-a-role-to-an-azure-ad-security-principal

[ghost]

Hi, we're sending this friendly reminder because we haven't heard back from you in a while. We need more information about this issue to help address it. Please be sure to give us your input within the next 7 days. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!