Can't Create Blob Container: This request is not authorized to perform this operation

Time:12-05

I'm trying to create a blob container within an Azure storage account with Azure's Python API.

from azure.identity import DefaultAzureCredential
from azure.storage.blob import BlobServiceClient

def create_storage_container(storageAccountName: str, containerName: str):
    print(
        f"Creating storage container '{containerName}'",
        f"in storage account '{storageAccountName}'"
    )
    credentials = DefaultAzureCredential()
    url = f"https://{storageAccountName}.blob.core.windows.net"
    blobClient = BlobServiceClient(account_url=url, credential=credentials)
    containerClient = blobClient.get_container_client(containerName)
    containerClient.create_container()

On create_container() I get the error:

Exception has occurred: HttpResponseError
This request is not authorized to perform this operation.
RequestId:8a3f8af1-101e-0075-3351-074949000000
Time:2022-12-03T20:00:25.5236364Z
ErrorCode:AuthorizationFailure
Content: <?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationFailure</Code><Message>This request is not authorized to perform this operation.
RequestId:8a3f8af1-101e-0075-3351-074949000000
Time:2022-12-03T20:00:25.5236364Z</Message></Error>

The storage account was created like so:

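from azure.identity import AzureCliCredential
from azure.mgmt.storage import StorageManagementClient

# Creates a storage account if it does not already exist.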
# Returns the name of the storage account.
def create_storage_account(
    resourceGroupName: str, location: str,
    subscriptionId: str, storageAccountName: str
):

    credentials = AzureCliCredential()

    # Why does this have creation powers for storage accounts
    # instead of the ResourceManagementClient?
    storageClient = StorageManagementClient(
        credentials, subscriptionId, "2018-02-01"
    )
    params = {
        "sku": {"name": "Standard_LRS", "tier": "Standard"},
        "kind": "StorageV2",
        "location": location,
        "supportsHttpsTrafficOnly": True,
    }

    result = storageClient.storage_accounts.begin_create(
        resourceGroupName, storageAccountName, params
    )  # type:ignore
    storageAccount = result.result(120)
    print(f"Done creating storage account with name: {storageAccount.name}")

The storage accounts that are generated like this seem to have completely open network access, so I wouldn't think that would be an issue.

How can I fix this error or create a storage container in another way programmatically?

Thanks

CodePudding user response:

Check the RBAC roles your user is assigned for the storage account. The default ones don't always enable you to view data, and it sounds like that's causing your problems.

CodePudding user response:

I tried this in my environment and got the same error.

If you are accessing a storage account, you need a role like Storage-blob-contributor or storage-blob-owner.

Go to portal -> storage accounts -> Access Control (IAM) -> Add -> Add role assignments -> storage-blob-contributor or storage-blob-owner.

After assigning the role to my storage account, I executed the same code and it successfully created the container.

Code:

from azure.storage.blob import BlobServiceClient
from azure.identity import DefaultAzureCredential

storageAccountName="venkat123"
containerName="test"

def create_storage_container():
    print(
        f"Creating storage container '{containerName}'",
        f"in storage account '{storageAccountName}'"
    )
    credentials = DefaultAzureCredential()
    url = f"https://{storageAccountName}.blob.core.windows.net"
    blobClient = BlobServiceClient(account_url=url, credential=credentials)
    containerClient = blobClient.get_container_client(containerName)
    containerClient.create_container()
    print("Container created")
create_storage_container()
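
An added diagnostic, not part of the original question or answers: the question creates the account with AzureCliCredential but the container with DefaultAzureCredential, and the blob role has to be assigned to whichever principal the latter resolves to. This sketch decodes the storage access token to show that principal's object ID; all function names here are hypothetical, and the token payload is read without signature verification, for diagnostics only.

```python
import base64
import json

# Azure AD scope requested for Blob data-plane tokens.
STORAGE_SCOPE = "https://storage.azure.com/.default"


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying it (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def who_am_i(credential) -> dict:
    """Return the identity that `credential` presents to Blob storage."""
    claims = jwt_claims(credential.get_token(STORAGE_SCOPE).token)
    return {
        "object_id": claims.get("oid"),  # the principal the role must be assigned to
        "tenant_id": claims.get("tid"),
        "audience": claims.get("aud"),
        # Users carry upn/unique_name; service principals carry appid.
        "name": claims.get("upn") or claims.get("unique_name") or claims.get("appid"),
    }


def same_principal(cred_a, cred_b) -> bool:
    """True when both credentials resolve to the same Azure AD object ID."""
    return who_am_i(cred_a)["object_id"] == who_am_i(cred_b)["object_id"]


def storage_account_scope(subscription_id: str, resource_group: str, account: str) -> str:
    """ARM resource ID of the storage account, usable as a role-assignment scope."""
    return (
        f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
        f"/providers/Microsoft.Storage/storageAccounts/{account}"
    )


if __name__ == "__main__":
    # Requires azure-identity and a signed-in environment; not run on import.
    from azure.identity import AzureCliCredential, DefaultAzureCredential
    print("data-plane principal:", who_am_i(DefaultAzureCredential()))
    print("same as CLI login:", same_principal(AzureCliCredential(), DefaultAzureCredential()))
```

If the two credentials resolve to different principals, the role assignment made for the CLI user will not cover the identity that calls create_container().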
