I am receiving an Access Forbidden message when I attempt to access an Azure storage table that I created in Pulumi.
I have tried accessing the storage table in the Azure portal and in Azure Storage Explorer.
{"odata.error":{"code":"AuthenticationFailed","message":{"lang":"en-US","value":"Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.\nRequestId:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\nTime:2023-01-20T23:21:57.8113163Z"}}}
The following code does not resolve the access forbidden issue:
var sas = Pulumi.Azure.Storage.GetAccountSAS.Invoke(new()
{
ConnectionString = storageAccount.PrimaryConnectionString,
HttpsOnly = true,
SignedVersion = "2017-07-29",
ResourceTypes = new Pulumi.Azure.Storage.Inputs.GetAccountSASResourceTypesInputArgs
{
Service = true,
Container = true,
Object = false,
},
Services = new Pulumi.Azure.Storage.Inputs.GetAccountSASServicesInputArgs
{
Blob = true,
Queue = true,
Table = true,
File = true,
},
Start = DateTime.Now.ToString("yyyy-MM-ddTHH:mm:ssK"),
Expiry = DateTime.Now.AddYears(1).ToString("yyyy-MM-ddTHH:mm:ssK"),
Permissions = new Pulumi.Azure.Storage.Inputs.GetAccountSASPermissionsInputArgs
{
Read = true,
Write = true,
Delete = false,
List = true,
Add = true,
Create = true,
Update = true,
Process = true,
Tag = true,
Filter = true
},
});
Update: I'm researching how to use an
CodePudding user response:
I agree with @Gaurav Mantri, you need to assign Storage Table Data Contributor role to your Service Principal.
I tried to reproduce the same in my environment and got same error like below:
To resolve the error, you need to assign Storage Table Data Contributor role to your service principal as below:
After assigning Storage Table Data Contributor role to my account, I'm able to access the tables successfully like below:
To assign this role programmatically (without using the Azure portal), you can make use of below commands:
PowerShell:
Connect-AzAccount
New-AzRoleAssignment -ObjectId <sp_objectID> -RoleDefinitionName "Storage Table Data Contributor" -Scope "/subscriptions/<subscriptionID>/resourceGroups/<rgname>/providers/Microsoft.Storage/storageAccounts/<account_name>"
Response:
CLI:
az login
az role assignment create --assignee <sp_objectID> --role "Storage Table Data Contributor" --scope "/subscriptions/<subscriptionID>/resourceGroups/<rgname>/providers/Microsoft.Storage/storageAccounts/<account_name>"
Response:
When I checked Portal, role is assigned to service principal successfully under storage account like below: