What permission needs to be assigned to an SPN to gain access to blob metadata?

McCartneyAaron-0857 30 Reputation points
2024-01-23T18:45:24.0466667+00:00

I'm working on some automation using the Python SDK to pull a list of blobs in a container and eventually get the tag information on those blobs. I'm doing this by utilizing an SPN. However, I'm unable to list_blob_names using the azure.storage.blob._container_client.ContainerClient class and instead receive a message similar to:

 'message': 'This request is not authorized to perform this operation using '
            'this permission.\n'
            'RequestId:<ID>\n'
            'Time:YYYY-MM-DDT18:41:15.8245107Z\n'
            'ErrorCode:AuthorizationPermissionMismatch',

...when attempting the list method. Ultimately, I want to know how many blobs exist in all storage accounts across our subscription and the tags associated with those blobs. Any suggestions as to what to do next would be helpful.


Accepted answer
kobulloc-MSFT 26,321 Reputation points Microsoft Employee
2024-01-26T01:23:36.1566667+00:00

    Thank you, @McCartneyAaron-0857 !

    Edit: I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Why am I seeing an authorization error when attempting to access a blob using a Service Principal Name (SPN)?

    Edit: Solution provided by McCartneyAaron-0857:

    I was able to work with the team that assigns permissions to our SPN to get this working. We updated the automation to pull the keys from the storage account:

    StorageManagementClient.storage_accounts.list_keys()

    ... needed to add the "Storage Account Key Operator Service Role" permission. We then use these keys to get a BlobServiceClient. Using the BlobServiceClient to get a ContainerClient, which allowed us to get the blob metadata we were looking for.


    I hope this has been helpful! Your feedback is important so please take a moment to accept answers. If you still have questions, please let us know what is needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!

1 additional answer

McCartneyAaron-0857 30 Reputation points
2024-01-30T19:41:29.1233333+00:00

    I'm not sure whether your suggestion would have worked in our case. However, I was able to work with the team that assigns permissions to our SPN to get this working. We updated the automation to pull the keys from the storage account:

    StorageManagementClient.storage_accounts.list_keys()

    ... needed to add the "Storage Account Key Operator Service Role" permission. We then use these keys to get a BlobServiceClient. Using the BlobServiceClient to get a ContainerClient, which allowed us to get the blob metadata we were looking for. You can mark this closed. Thanks for your help.

    1 person found this answer helpful.
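Added example for this thread (written for this page, not the poster's automation or Microsoft's code): the script below follows the solution given in both answers end to end. It lists every storage account in a subscription through the management plane, reads each account's keys with `storage_accounts.list_keys()` (the call that needs the "Storage Account Key Operator Service Role"), opens a `BlobServiceClient` with the key, walks every container's blobs with their tags, and tallies blob counts and tag pairs for the subscription, which is what the question asked for. It also parses the `ErrorCode` out of the `AuthorizationPermissionMismatch` message from the question so a container the identity cannot list is reported by its error code rather than aborting the run. It assumes the packages azure-identity, azure-mgmt-storage and azure-storage-blob, public-cloud endpoints (`<account>.blob.core.windows.net`), and an `AZURE_SUBSCRIPTION_ID` environment variable; the `use_account_keys=False` path goes beyond the thread and passes the SPN's own token to the data plane instead of a key, which only works if the SPN holds a data-plane RBAC role whose data actions cover blob listing and blob tag reads.

```python
"""Count blobs and blob-index tags across every storage account in a subscription.

Added example for the Q&A thread, not the poster's code.  Assumes azure-identity,
azure-mgmt-storage and azure-storage-blob for the Azure parts; the tallying and
error parsing below are pure Python and run without them.
"""
import os
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterable, Iterator, Optional


@dataclass
class BlobRecord:
    account: str
    container: str
    name: str
    tags: Dict[str, str]


@dataclass
class Summary:
    blob_count: int = 0
    per_account: Counter = field(default_factory=Counter)   # account -> blob count
    tag_pairs: Counter = field(default_factory=Counter)     # (key, value) -> count


def summarize(records: Iterable[BlobRecord]) -> Summary:
    """Count blobs per account and how often each tag key/value pair occurs."""
    summary = Summary()
    for rec in records:
        summary.blob_count += 1
        summary.per_account[rec.account] += 1
        for key, value in rec.tags.items():
            summary.tag_pairs[(key, value)] += 1
    return summary


ERROR_CODE_RE = re.compile(r"ErrorCode:(\w+)")


def extract_error_code(message: str) -> Optional[str]:
    """Pull the storage ErrorCode (e.g. AuthorizationPermissionMismatch) out of
    an HttpResponseError message so a permission problem is named as such."""
    match = ERROR_CODE_RE.search(message)
    return match.group(1) if match else None


def resource_group_of(resource_id: str) -> str:
    """Resource group name from an ARM id of the form
    /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<name>."""
    parts = resource_id.split("/")
    return parts[parts.index("resourceGroups") + 1]


def iter_subscription_blobs(credential, subscription_id: str,
                            use_account_keys: bool = True) -> Iterator[BlobRecord]:
    """Yield every blob (with tags) in every container of every account.

    use_account_keys=True is the thread's solution: fetch the account keys via the
    management plane (needs "Storage Account Key Operator Service Role") and use the
    key on the data plane.  use_account_keys=False hands the SPN's own token to the
    data plane instead, which requires a data-plane RBAC role covering blob and tag reads.
    """
    # Imported here so the pure helpers above load without the Azure SDKs installed.
    from azure.core.credentials import AzureNamedKeyCredential
    from azure.core.exceptions import HttpResponseError
    from azure.mgmt.storage import StorageManagementClient
    from azure.storage.blob import BlobServiceClient

    mgmt = StorageManagementClient(credential, subscription_id)
    for account in mgmt.storage_accounts.list():
        url = f"https://{account.name}.blob.core.windows.net"   # public cloud assumed
        if use_account_keys:
            keys = mgmt.storage_accounts.list_keys(resource_group_of(account.id), account.name)
            data_cred = AzureNamedKeyCredential(account.name, keys.keys[0].value)
        else:
            data_cred = credential
        service = BlobServiceClient(account_url=url, credential=data_cred)
        for container in service.list_containers():
            container_client = service.get_container_client(container.name)
            try:
                for blob in container_client.list_blobs(include=["tags"]):
                    yield BlobRecord(account.name, container.name, blob.name, blob.tags or {})
            except HttpResponseError as exc:
                # Report the storage error code (e.g. AuthorizationPermissionMismatch) and go on.
                print(f"{account.name}/{container.name}: skipped ({extract_error_code(str(exc)) or exc})")


if __name__ == "__main__":
    from azure.identity import EnvironmentCredential   # reads AZURE_TENANT_ID/CLIENT_ID/CLIENT_SECRET
    result = summarize(iter_subscription_blobs(EnvironmentCredential(),
                                               os.environ["AZURE_SUBSCRIPTION_ID"]))  # assumed variable
    print(f"{result.blob_count} blobs across {len(result.per_account)} storage accounts")
    for (key, value), n in result.tag_pairs.most_common(20):
        print(f"  {key}={value}: {n}")
```

Reading account keys gives the automation full data-plane access to every account the SPN can read keys for, so the key path should be used only for identities that genuinely need it, and the token path (`use_account_keys=False`) is the one to prefer where the SPN can be granted a data-plane role instead. Either way, `extract_error_code` turns the `AuthorizationPermissionMismatch` response from the question into a per-container line in the output, which makes a missing role assignment visible without stopping the whole inventory.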
