I created an Azure AD Service Principal, and to generate a token I am using the Client Credentials Flow:
POST https://login.microsoftonline.com/tenantID/oauth2/token
client_id=redacted
&grant_type=client_credentials
&resource=https://storage.azure.com
&client_secret=redacted
The token was generated successfully, but when I tried to list the containers in my storage account it threw an AuthorizationPermissionMismatch error.
To list containers, I used the query below:
GET https://storageaccname.blob.core.windows.net/?comp=list
Error Details:
<?xml version="1.0" encoding="utf-8"?>
<Error>
<Code>AuthorizationPermissionMismatch</Code>
<Message>This request is not authorized to perform this operation using this permission.
RequestId:
Time:2022-11-20T08:12:24.9827677Z</Message>
</Error>
I am not sure what permissions I am missing. After some Google searching I found that the Storage Blob Data Contributor role is required, so I assigned this role to the Service Principal I created.
But I still get the same error. Is there any workaround to resolve my issue?
CodePudding user response:
I tried to reproduce this in my environment and got the same error, as below:
GET https://StorageAccName.blob.core.windows.net/?comp=list
Check whether you have assigned the Storage Blob Data Contributor role to the Service Principal, like below:
Go to Azure Portal -> Storage Accounts -> Your Storage Account -> Access Control (IAM) -> Add role assignment
To resolve the error, try generating the token using the v2.0 token endpoint, like below (the v2.0 endpoint takes a scope parameter instead of resource):
POST https://login.microsoftonline.com/Tenant_ID/oauth2/v2.0/token
client_id=Client_ID
&grant_type=client_credentials
&scope=https://storage.azure.com/.default
&client_secret=Client_Secret
Using the access token generated above, I am able to get the list of containers successfully, like below:
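As an added example (not code from the question or the answer above), the Python helpers below build the v2.0 client-credentials request with the scope parameter, build the list-containers call, and check the token's aud claim before looking at the RBAC assignment. The x-ms-version value, the unsigned sample token and the XML inputs are assumptions constructed for offline use.

```python
import base64
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

STORAGE_SCOPE = "https://storage.azure.com/.default"   # v2.0 endpoint wants scope, not resource
STORAGE_AUDIENCE = "https://storage.azure.com"         # expected 'aud' claim of the token

def token_request(tenant_id, client_id, client_secret):
    """Build the v2.0 client-credentials request (URL + form body)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({"client_id": client_id, "grant_type": "client_credentials",
                      "scope": STORAGE_SCOPE, "client_secret": client_secret})
    return url, body

def list_containers_request(account, access_token):
    """Build the List Containers call; Bearer auth needs x-ms-version 2017-11-09 or newer."""
    url = f"https://{account}.blob.core.windows.net/?comp=list"
    return url, {"Authorization": f"Bearer {access_token}", "x-ms-version": "2020-10-02"}

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_jwt(claims):
    """Constructed sample token for offline testing; real tokens are signed by Azure AD."""
    return ".".join([_b64url(b'{"alg":"none"}'), _b64url(json.dumps(claims).encode()), ""])

def token_audience(jwt):
    """Decode (without verifying) the JWT payload and return its 'aud' claim."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("aud")

def parse_storage_error(xml_text):
    """Return (Code, first line of Message) from a storage <Error> body."""
    root = ET.fromstring(xml_text)
    return root.findtext("Code"), root.findtext("Message", "").strip().split("\n", 1)[0]

def parse_container_names(xml_text):
    """Return container names from a successful ?comp=list response."""
    return [c.findtext("Name") for c in ET.fromstring(xml_text).iter("Container")]

def explain_failure(xml_text, jwt):
    """Order the checks: wrong token audience first, then the data-plane RBAC role."""
    code, _ = parse_storage_error(xml_text)
    if code != "AuthorizationPermissionMismatch":
        return code
    if (token_audience(jwt) or "").rstrip("/") != STORAGE_AUDIENCE:
        return "token audience is not storage; request it with scope " + STORAGE_SCOPE
    return "audience ok; check the Storage Blob Data Contributor assignment on the account"
```

Role assignments on the storage account can take a few minutes to propagate, so a correct audience plus a freshly assigned role may still fail briefly.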