How to access Storage via Service Principal?

  • Question

  • I have a storage account and a service principal, and I am trying to use this principal in Storage API to access the storage.

    When I login as this service principal in Azure CLI, I can list my storage account and containers in it.

    However, when I use it through API I only get `azure.core.exceptions.ResourceNotFoundError: The specified resource does not exist.`.

    Here is my code:

    import os
    # BlobServiceClient is the azure.core-based storage client (azure-storage-blob v12)
    from azure.storage.blob import BlobServiceClient
    # ServicePrincipalCredentials is the msrestazure credential type
    from azure.common.credentials import ServicePrincipalCredentials
    
    
    # Service principal details come from the environment
    subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]
    tenant_id = os.environ["AZURE_TENANT_ID"]
    client_id = os.environ["AZURE_CLIENT_ID"]
    client_secret = os.environ["AZURE_CLIENT_SECRET"]
    
    credential = ServicePrincipalCredentials(tenant=tenant_id, client_id=client_id, secret=client_secret)
    # Blob endpoint of the storage account
    bs = BlobServiceClient("https://mysuperstoragename.blob.core.windows.net", credentials=credential)
    
    # Pull the first container from the paged listing
    next(bs.list_containers())


    I gave this service principal the "Storage Blob Data Contributor" role scoped to the whole subscription, and I also created another role granting the following permissions:

      permissions {
        actions = [
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Storage/storageAccounts/*",
        ]
    
        data_actions = [
          "Microsoft.Storage/storageAccounts/*"
        ]
      }

    It still doesn't help with accessing the storage from the API. But, as I mentioned, it works if I log in to `az` as this service principal.

    Am I doing it wrong? And what would be the correct way of accessing Storage using Service Principal in API?



    MCP, MCAD

    Wednesday, May 20, 2020 6:30 AM
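The following is an added example, not code from the original post or from Microsoft, showing how a service principal is wired into the azure.core-based `azure-storage-blob` client. Two details matter. First, `BlobServiceClient` duck-types its credential: anything with a callable `get_token()` is treated as an AAD token credential, which `azure.identity.ClientSecretCredential` provides and the msrestazure `ServicePrincipalCredentials` (built for the management SDKs, exposing `signed_session()` instead) does not. Second, the keyword is the singular `credential=`; the constructor accepts arbitrary `**kwargs`, so a misspelt `credentials=` is silently dropped, the client sends unauthenticated requests, and Azure Storage answers anonymous requests for private resources with 404 ResourceNotFound rather than 403, which is the error the question reports. The helper below fails closed on a bad credential instead of letting the client fall through to anonymous access. The environment variable names follow the question; `AZURE_STORAGE_ACCOUNT`, the `account_url`/`client_kwargs` helper names and the placeholder account name `mysuperstoragename` are assumptions for this example.

```python
import os
import re
from typing import Any, Dict, List

# Storage account names are 3-24 lowercase letters and digits.
_ACCOUNT_NAME = re.compile(r"^[a-z0-9]{3,24}$")


def account_url(account_name: str) -> str:
    """Return the blob endpoint for a storage account, validating the name first."""
    if not _ACCOUNT_NAME.match(account_name):
        raise ValueError(f"invalid storage account name: {account_name!r}")
    return f"https://{account_name}.blob.core.windows.net"


def is_token_credential(cred: Any) -> bool:
    """azure.core clients treat any object with a callable get_token() as an
    AAD TokenCredential; that is the protocol azure.identity classes implement."""
    return callable(getattr(cred, "get_token", None))


def client_kwargs(cred: Any) -> Dict[str, Any]:
    """Keyword arguments for BlobServiceClient.

    Raises on anything the client would either reject or silently ignore, so a
    misconfigured caller never ends up issuing anonymous requests.
    """
    if cred is None:
        raise ValueError("no credential supplied; refusing to build an anonymous client")
    if not is_token_credential(cred):
        if hasattr(cred, "signed_session"):
            # msrestazure-style credential (azure.common.credentials); only the
            # management-plane SDKs understand it.
            raise TypeError(
                "legacy ServicePrincipalCredentials is not a TokenCredential; "
                "use azure.identity.ClientSecretCredential"
            )
        raise TypeError(f"unsupported credential type: {type(cred).__name__}")
    # Singular key: a 'credentials=' kwarg is swallowed by **kwargs and ignored.
    return {"credential": cred}


def list_container_names(account_name: str, tenant_id: str, client_id: str,
                         client_secret: str) -> List[str]:
    """List container names as the service principal.

    Requires azure-identity and azure-storage-blob to be installed and a
    data-plane role (e.g. Storage Blob Data Reader) assigned to the principal
    on the account. Imports are deferred so the helpers above work without
    those packages.
    """
    from azure.identity import ClientSecretCredential
    from azure.storage.blob import BlobServiceClient

    cred = ClientSecretCredential(tenant_id=tenant_id, client_id=client_id,
                                  client_secret=client_secret)
    bsc = BlobServiceClient(account_url(account_name), **client_kwargs(cred))
    return [c.name for c in bsc.list_containers()]


if __name__ == "__main__":
    # AZURE_STORAGE_ACCOUNT and the fallback name are assumptions for this example.
    names = list_container_names(
        os.environ.get("AZURE_STORAGE_ACCOUNT", "mysuperstoragename"),
        os.environ["AZURE_TENANT_ID"],
        os.environ["AZURE_CLIENT_ID"],
        os.environ["AZURE_CLIENT_SECRET"],
    )
    print("\n".join(names))
```

Two practitioner notes on the role side of the question. "Storage Blob Data Contributor" is a data-plane role and is all the SDK call above needs; Reader and the custom role's `actions` entries are control-plane permissions, which is why `az storage account list` works while the blob call does not tell you anything about data access. Scope the data role to the storage account (or container) rather than the whole subscription, and allow a few minutes for a new assignment to propagate before concluding it has no effect.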

All replies

  • Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused.

    For a better understanding of the issue, I would recommend adding a Reader role to the service principal and letting me know the status: https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-app#assign-a-role-to-an-azure-ad-security-principal

    Also, refer to the article below on assigning an RBAC role for access to blob and queue data: https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-rbac-portal

    If the issue still persists, we need to work more closely on this issue.

    Hope this helps! 

    Kindly let us know if the above helps or you need further assistance on this issue. 
    ------------------------------------------------------------------------------------------

    Do click on "Mark as Answer" and Upvote on the post that helps you, this can be beneficial to other community members.

    Tuesday, May 26, 2020 11:17 AM
  • Just checking in to see if the above answer helped. If this answers your query, do click "Mark as Answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query, do let us know.
    Wednesday, May 27, 2020 8:15 AM
  • Is there any update on the issue?

    If the suggested answer helped with your issue, do click on "Mark as Answer" and "Vote as Helpful" on the post that helps you, as this can be beneficial to other community members.

    Thursday, June 4, 2020 3:24 PM