ManagedIdentityCredential failed when used to list blob containers #5539
Comments
running exactly the same code in the Azure function using SharedKeyCredential works perfectly. So this is a bug with Managed Identity. The only working credentials are shared key credentials.
@daviwil Any ideas on what's going wrong? It is strange that
I think this would be pretty simple to step through the src code or use Fiddler to see if the right token is sent with the list REST request.
Hey all, I'll look into this tomorrow and will report back with my findings.
@daviwil any update on this?
Hey @leonbrag, sorry for the delay. It appears that the "Owner" role is not sufficient for listing blobs inside of your blob storage account. You'll have to use one of the "Storage Blob Data *" roles (like "Storage Blob Data Owner") before you can list blobs or containers. This seems to be the intended behavior of the blob storage service.
Also, one thing that might help you in the future is to set the environment variable
Hi @leonbrag, I believe this issue will be resolved by using the appropriate role in the access policy for your storage account, so I'm going to close this issue for now. If you try with one of the roles I recommended and you still experience this issue, please let me know and I'll reopen it so that we can investigate further. Thanks a lot!
Versions:
```json
{
  "name": "func",
  "version": "1.0.0",
  "description": "",
  "scripts": {
    "test": "echo \"No tests yet...\""
  },
  "dependencies": {
    "@azure/identity": "^1.0.0-preview.5",
    "@azure/storage-blob": "^12.0.0-preview.4",
    "azure-function-express": "^2.0.0",
    "express": "^4.17.1"
  },
  "devDependencies": {}
}
```
I have the following Azure function that lists containers and blobs and prints the content of the text blobs.
When run locally, the function uses SharedKeyCredential and works perfectly.
When deployed as an Azure function, it fails to list blobs, but it can list containers.
The MSI of the function is given the Owner role on the storage account using IAM:

| Name | Type | Role | Scope |
| --- | --- | --- | --- |
| leonbragfunc/subscriptions/780fb010-REMOVED_/resourcegroups/leonbragfunc2/providers/Microsoft.Web/sites/leonbragfunc | App Service or Function App | Owner | This resource |

The error only happens when blobs are listed, and only when MSI authentication is used.
Error:
```text
2019-10-14T03:00:39.448 [Information] JavaScript HTTP trigger function processed a request!!!!
2019-10-14T03:00:39.449 [Information] Runing in the cloud
2019-10-14T03:00:39.656 [Information] Container 1: leontest
2019-10-14T03:00:39.656 [Information] Listing all blobs using iter
2019-10-14T03:00:39.778 [Information] { Error:
AuthorizationPermissionMismatch
This request is not authorized to perform this operation using this permission.RequestId:58a303cd-301e-007f-653b-823796000000
Time:2019-10-14T03:00:39.7590873Z
    at new RestError (D:\home\site\wwwroot\node_modules\@azure\core-http\dist\coreHttp.node.js:1715:28)
    at D:\home\site\wwwroot\node_modules\@azure\core-http\dist\coreHttp.node.js:2948:37
    at
    at process._tickCallback (internal/process/next_tick.js:188:7)
  code: undefined,
  statusCode: 403,
  request:
   WebResource {
     streamResponseBody: false,
     url: 'https://leonbragtest.blob.core.windows.net/leontest?restype=container&comp=list',
     method: 'GET',
     headers: HttpHeaders { _headersMap: [Object] },
     body: undefined,
     query: undefined,
     formData: undefined,
     withCredentials: false,
     abortSignal: undefined,
     timeout: 0,
     onUploadProgress: undefined,
     onDownloadProgress: undefined,
     proxySettings: undefined,
     keepAlive: undefined,
     operationSpec:
      { httpMethod: 'GET',
        path: '{containerName}',
        urlParameters: [Array],
        queryParameters: [Array],
        headerParameters: [Array],
        responses: [Object],
        isXML: true,
        serializer: [Object] } },
  response:
   { body: '
AuthorizationPermissionMismatch
This request is not authorized to perform this operation using this permission.\nRequestId:58a303cd-301e-007f-653b-823796000000\nTime:2019-10-14T03:00:39.7590873Z',headers: HttpHeaders { _headersMap: [Object] },
     status: 403 },
  body:
   { message: 'This request is not authorized to perform this operation using this permission.\nRequestId:58a303cd-301e-007f-653b-823796000000\nTime:2019-10-14T03:00:39.7590873Z',
     Code: 'AuthorizationPermissionMismatch' } }
2019-10-14T03:00:39.785 [Information] Executed 'Functions.HttpTrigger' (Succeeded, Id=d7254521-46f7-4941-8b4e-651fede3c449)
```
Sample code:
```javascript
const express = require("express");
const createHandler = require("azure-function-express").createHandler;
const app = express();

// https://github.com/Azure/azure-sdk-for-js/blob/feature/storage/sdk/storage/storage-blob/samples/javascript/basic.js
// A helper method used to read a Node.js readable stream into a string
async function streamToString(readableStream) {
  return new Promise((resolve, reject) => {
    const chunks = [];
    readableStream.on("data", (data) => {
      chunks.push(data.toString());
    });
    readableStream.on("end", () => {
      resolve(chunks.join(""));
    });
    readableStream.on("error", reject);
  });
}

app.get("/api/authorize",
  // module.exports = async function (context, req) {
  async (req, res) => {
    // azure-function-express exposes the Functions context on the request
    const context = req.context;
    context.log("JavaScript HTTP trigger function processed a request!!!!");
    // Credential selection and the container/blob listing were not included in the post
    let cred = null;
    res.send("ok");
  });

module.exports = createHandler(app);
```
Here is the output of the code running locally:
```text
// 20191013201951
// https://leonbragfunc.azurewebsites.net/api/authorize
{
  "body": "Time is:Mon Oct 14 2019 03:19:50 GMT+0000 (Coordinated Universal Time)\r\nContainer 1: leontest "
}
```
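As an added example (not code from this issue, the Azure SDK or Microsoft), the following JavaScript turns a 403 like the one above into the diagnosis daviwil gives: the token was accepted, so this is not an authentication failure, but the identity holds only a control-plane role and lacks a "Storage Blob Data *" data-plane role. It assumes the RestError shape printed in this issue and role assignments shaped like `az role assignment list` output; the sample error is constructed from the log above.

```javascript
// Added example, not code from the issue or the Azure SDK: classify a Storage
// RestError like the one above and check an identity's data-plane RBAC roles.
// Built-in roles that grant blob data-plane access. "Owner" and "Contributor"
// are control-plane roles and do not authorize data operations like listing blobs.
const BLOB_DATA_ROLES = [
  "Storage Blob Data Reader",
  "Storage Blob Data Contributor",
  "Storage Blob Data Owner",
];

// Name the operation from the request URL: ?restype=container&comp=list on a
// container URL is "list blobs"; ?comp=list on the account root is "list containers".
function describeOperation(url) {
  const u = new URL(url);
  const restype = u.searchParams.get("restype");
  const comp = u.searchParams.get("comp");
  if (comp === "list" && restype === "container") return "list blobs";
  if (comp === "list") return "list containers";
  return `${restype || "blob"} ${comp || "access"}`;
}

// Map a @azure/storage-blob RestError to a diagnosis an operator can act on.
// Reads Code from the parsed body, or from the raw XML body if that is all we have.
function classifyStorageError(err) {
  const text = (err.response && err.response.body) || "";
  const code = (err.body && err.body.Code) ||
    (text.match(/<Code>(\w+)<\/Code>/) || [])[1] || null;
  const requestId = (text.match(/RequestId:([0-9a-f-]+)/) || [])[1] || null;
  const op = err.request ? describeOperation(err.request.url) : "unknown";
  if (err.statusCode === 403 && code === "AuthorizationPermissionMismatch") {
    return { kind: "data-plane-role-missing", op, requestId, advice:
      `Token accepted, but the identity lacks a data-plane role for "${op}"; ` +
      `assign one of: ${BLOB_DATA_ROLES.join(", ")} (Owner is not enough).` };
  }
  return { kind: "other", op, requestId, advice: `HTTP ${err.statusCode} ${code || ""}`.trim() };
}
// Which blob data-plane roles a principal holds, given role assignments shaped
// like `az role assignment list --assignee <principal>` output. Empty => none.
function blobDataRolesHeld(assignments) {
  return BLOB_DATA_ROLES.filter(r => assignments.some(a => a.roleDefinitionName === r));
}
// Constructed to mirror the RestError printed in this issue (RequestId from the log).
const SAMPLE_ERROR = {
  statusCode: 403,
  request: { url: "https://leonbragtest.blob.core.windows.net/leontest?restype=container&comp=list" },
  response: { body: "AuthorizationPermissionMismatch\nThis request is not authorized to perform this operation using this permission.\nRequestId:58a303cd-301e-007f-653b-823796000000\nTime:2019-10-14T03:00:39.7590873Z" },
  body: { Code: "AuthorizationPermissionMismatch" },
};
```

Running `classifyStorageError(SAMPLE_ERROR)` yields kind `data-plane-role-missing` for the `list blobs` operation, which matches the "Owner is not sufficient" explanation in the thread.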