Azure Function Managed Service Identity creating Data Lake File Forbidden issue


  • I have the following code in an Azure Function.

    // Token provider backed by the Function app's Managed Service Identity.
    var azureServiceTokenProvider = new AzureServiceTokenProvider();
    var keyVaultClient = new KeyVaultClient(
        new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
    // Secret identifier (URL) goes here; this call succeeds.
    var secret = await keyVaultClient.GetSecretAsync("");
    // Resource URI of the Data Lake service goes here.
    var dataLakeToken = await azureServiceTokenProvider.GetAccessTokenAsync("");
    var randomfileName = Path.GetRandomFileName();
    // Account FQDN goes here; the ADLS client expects the token with the "Bearer " prefix.
    var adlsClient = AdlsClient.CreateClient("", $"Bearer {dataLakeToken}");
    // Create an empty file and dispose the returned stream; this is the call that throws Forbidden.
    using (await adlsClient.CreateFileAsync($"{randomfileName}.xlsx", IfExists.Overwrite)) { }

    The call to GetSecretAsync against the Key Vault works.

    The call to CreateFileAsync does not. I get a forbidden exception.

    In the Data Lake's Data Explorer I select Access, add the Function MSI and give it Read, Write, Execute, "This folder and all children" and "An access permission entry and a default permission entry".

    What am I doing incorrectly?

    Tuesday, November 20, 2018 3:05 PM
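The permission model behind the setup described above, as an added example that is not code from the original post or from the Azure SDK: Data Lake Storage Gen1 evaluates POSIX/HDFS-style ACLs, so creating a file in a folder needs execute (x) on every ancestor folder and write+execute (wx) on the folder itself, and the portal's "this folder and all children" grant never modifies the parents, so the root can still deny traversal. Whether that was the cause in this thread is not stated on the page; the model only shows why a Forbidden can follow from exactly the grant described. The directory tree, the ACL entries and the MSI object ID below are constructed for illustration.

```python
"""Model of ADLS Gen1 ACL traversal for a file-create request (added example).

Constructed tree, entries and object ID; not the Azure SDK and not code from the post.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

R, W, X = 4, 2, 1  # POSIX permission bits

# Constructed object ID standing in for the Function app's managed identity.
MSI = "11111111-2222-3333-4444-555555555555"


@dataclass
class Directory:
    access: Dict[str, int] = field(default_factory=dict)   # entries that apply to this directory
    default: Dict[str, int] = field(default_factory=dict)  # entries copied to newly created children


def parent_of(path: str) -> str:
    return path.rsplit("/", 1)[0] or "/"


def ancestors(path: str) -> List[str]:
    """All directories above `path`, root first, excluding `path` itself."""
    out: List[str] = []
    while path != "/":
        path = parent_of(path)
        out.append(path)
    return list(reversed(out))


class Store:
    def __init__(self) -> None:
        self.dirs: Dict[str, Directory] = {"/": Directory()}

    def mkdir(self, path: str) -> None:
        parent = self.dirs[parent_of(path)]
        # A new directory starts with the parent's default ACL as its own access and default ACL.
        self.dirs[path] = Directory(access=dict(parent.default), default=dict(parent.default))

    def set_entry(self, path: str, principal: str, bits: int,
                  default: bool = False, recursive: bool = False) -> None:
        """Mirror of the portal's Access dialog: an access entry, optionally a default entry,
        optionally applied to all existing children. Parent directories are never touched."""
        prefix = path.rstrip("/") + "/"
        targets = [path]
        if recursive:
            targets += [p for p in self.dirs if p != path and p.startswith(prefix)]
        for t in targets:
            self.dirs[t].access[principal] = bits
            if default:
                self.dirs[t].default[principal] = bits


def can_create_file(store: Store, principal: str, directory: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for creating a file inside `directory`."""
    for anc in ancestors(directory):
        if not (store.dirs[anc].access.get(principal, 0) & X):
            return False, f"no execute on ancestor {anc}"
    bits = store.dirs[directory].access.get(principal, 0)
    if (bits & (W | X)) != (W | X):
        return False, f"need write+execute on {directory}"
    return True, "ok"


def portal_grant_only() -> Store:
    """The grant from the question: rwx on /data, access + default entry, this folder and all children."""
    store = Store()
    store.mkdir("/data")
    store.mkdir("/data/raw")
    store.set_entry("/data", MSI, R | W | X, default=True, recursive=True)
    return store


def with_root_traversal() -> Store:
    """Same grant plus an execute-only entry on the root so the path can be traversed."""
    store = portal_grant_only()
    store.set_entry("/", MSI, X)
    return store


if __name__ == "__main__":
    print(can_create_file(portal_grant_only(), MSI, "/data"))    # (False, 'no execute on ancestor /')
    print(can_create_file(with_root_traversal(), MSI, "/data"))  # (True, 'ok')
    s = with_root_traversal()
    s.mkdir("/data/2018")                                        # inherits the default entry
    print(can_create_file(s, MSI, "/data/2018"))                 # (True, 'ok')
```

An execute-only entry on each ancestor is the least-privilege way to open the path: it lets the identity traverse to the granted folder without listing or reading anything else at those levels, and the default entry on the target folder is what keeps folders created later writable by the same identity.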


  • I rebuilt from scratch to ensure I didn't mess up any steps. It is working now. Thank you for your input!
    • Marked as answer by baparker Wednesday, November 21, 2018 12:25 AM
    Wednesday, November 21, 2018 12:25 AM
