Access issue while using BlobServiceClientBuilder for accessing blob storage container details

Shivam Agarwal 0 Reputation points
2024-06-27T08:10:15.6633333+00:00

Hi,

I am trying to verify the existence of an Azure Blob Storage container in my Scala code (via the Java SDK). I am trying to do something like this:

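import java.time.Duration
import com.azure.core.util.Context
import com.azure.identity.ClientCertificateCredentialBuilder
import com.azure.storage.blob.models.BlobStorageException

val azureCredential = new ClientCertificateCredentialBuilder()
  .pemCertificate(spPEMCertPath)
  .tenantId(tenantId)
  .clientId(spApplicationId)
  .authorityHost(azureEnvironments(azureEnvironment).getActiveDirectoryEndpoint)
  .sendCertificateChain(true)
  .build()
val backupContainerName = "backup-data"
// blobServiceClient is not defined in the posted snippet; it is assumed to be
// built elsewhere with BlobServiceClientBuilder using azureCredential.
try {
  val containerClient = blobServiceClient.getBlobContainerClient(backupContainerName)
  // Asks the SDK to log the string to sign for this call
  val context = new Context("Azure-Storage-Log-String-To-Sign", true)
  val timeout = Duration.ofSeconds(30)
  val containerExists = containerClient.existsWithResponse(timeout, context).getValue
  if (containerExists) {
    logger.info(s"Container '$backupContainerName' exists.")
    true
  } else {
    logger.info(s"Container '$backupContainerName' does not exist.")
    false
  }
} catch {
  // Any service-side rejection (including the 403 below) is reported as "not found"
  case e: BlobStorageException =>
    logger.error(s"Error occurred: ${e.getMessage}")
    false
}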

I see my service principal has the Contributor role assigned, which should be sufficient for checking the container's existence. Still, I am running into access issues and getting the error below:

If you are using a StorageSharedKeyCredential, and the server returned an error message that says 'Signature did not match', you can compare the string to sign with the one generated by the SDK. To log the string to sign, pass in the context key value pair 'Azure-Storage-Log-String-To-Sign': true to the appropriate method call. If you are using a SAS token, and the server returned an error message that says 'Signature did not match', you can compare the string to sign with the one generated by the SDK. To log the string to sign, pass in the context key value pair 'Azure-Storage-Log-String-To-Sign': true to the appropriate generateSas method call. Please remember to disable 'Azure-Storage-Log-String-To-Sign' before going to production as this string can potentially contain PII. Status code 403, "<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationFailure</Code><Message>This request is not authorized to perform this operation.

Please could you help here if I am doing something incorrect?


1 answer

  1. Nehruji R 3,971 Reputation points Microsoft Vendor
    2024-06-28T11:34:33.6233333+00:00

    Hello Shivam Agarwal,

    Greetings! Welcome to Microsoft Q&A Platform.

    The error message you’re encountering indicates an authorization failure when using StorageSharedKeyCredential or a SAS token with Azure Blob Storage. Please consider the following steps to troubleshoot this issue:

    If you’re using a StorageSharedKeyCredential, compare the string to sign with the one generated by the SDK. You can log the string to sign by passing the context key-value pair Azure-Storage-Log-String-To-Sign: true to the appropriate method call.

    Similarly, if you’re using a SAS token, compare the string to sign with the one generated by the SDK. To log the string to sign, use Azure-Storage-Log-String-To-Sign: true with the appropriate generateSas method call.

    Ensure that you’ve correctly set up your BlobServiceClientBuilder with the right credentials (either StorageSharedKeyCredential or SAS token) and the correct endpoint (in the format https://{accountName}.blob.core.windows.net).

    Double-check that your credentials are valid and have the necessary permissions to perform the desired operation.

    If you’re using an SAS token, consider creating an Account SAS in the Azure Portal. This token provides granular access control and can be generated for specific containers or blobs.

    Make sure the SAS token is correctly formatted and includes the required permissions (e.g., read, write, list), and please check whether you have provided Storage Blob Data Contributor access.

    Verify that the authorization policies (e.g., CORS rules, firewall rules) for your storage account allow the requested operation. Check if there are any IP restrictions or network rules that might be blocking access.

    Check if you have enabled "Allow trusted Microsoft services to access this storage account", which allows you to access the storage account; refer to the article.

    References:
    https://video2.skills-academy.com/en-us/dotnet/api/azure.storage.blobs.blobserviceclient.-ctor?view=azure-dotnet
    https://stackoverflow.com/questions/76899527/authenticationerror-when-accessing-azure-blobserviceclient-in-java-app
    https://video2.skills-academy.com/en-us/java/api/com.azure.storage.blob.blobserviceclientbuilder?view=azure-java-stable

    Hope this answer helps! Please let us know if you have any further queries. I’m happy to assist you further.


    Please "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.

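Added example (not part of the question or the answer, and not Microsoft's code): a Scala sketch of the existence check that builds the client against the `https://{accountName}.blob.core.windows.net` endpoint with the certificate credential and, on rejection, returns the HTTP status and storage error code instead of a bare `false`. The object name, the environment variable names and the mapping from error code to a checklist hint are assumptions of this example.

```scala
import java.time.Duration

import com.azure.core.credential.TokenCredential
import com.azure.core.util.Context
import com.azure.identity.ClientCertificateCredentialBuilder
import com.azure.storage.blob.BlobServiceClientBuilder
import com.azure.storage.blob.models.{BlobErrorCode, BlobStorageException}

object ContainerCheck {
  // Right(exists) on success; Left(diagnostic) when the service rejects the request.
  def containerExists(accountName: String, containerName: String,
                      credential: TokenCredential): Either[String, Boolean] = {
    val serviceClient = new BlobServiceClientBuilder()
      .endpoint(s"https://$accountName.blob.core.windows.net")
      .credential(credential) // token credential: no account key or SAS involved
      .buildClient()
    try {
      // Context.NONE: string-to-sign logging only concerns shared key and SAS signing.
      val response = serviceClient.getBlobContainerClient(containerName)
        .existsWithResponse(Duration.ofSeconds(30), Context.NONE)
      Right(response.getValue.booleanValue)
    } catch {
      case e: BlobStorageException =>
        val code = Option(e.getErrorCode)
        // Assumed mapping from error code to the answer's checklist items.
        val hint =
          if (code.contains(BlobErrorCode.AUTHORIZATION_PERMISSION_MISMATCH))
            "check the data role (e.g. Storage Blob Data Contributor) on the principal"
          else if (code.contains(BlobErrorCode.AUTHORIZATION_FAILURE))
            "check firewall/network rules, then the data role assignment"
          else "see the service message"
        Left(s"HTTP ${e.getStatusCode} ${code.map(_.toString).getOrElse("unknown")}: $hint")
    }
  }

  def main(args: Array[String]): Unit = {
    // Environment variable names are placeholders chosen for this example.
    val credential = new ClientCertificateCredentialBuilder()
      .pemCertificate(sys.env("SP_PEM_CERT_PATH"))
      .tenantId(sys.env("AZURE_TENANT_ID"))
      .clientId(sys.env("AZURE_CLIENT_ID"))
      .build()
    println(containerExists(sys.env("STORAGE_ACCOUNT"), "backup-data", credential))
  }
}
```

Returning `Either` keeps "container does not exist" distinct from "request was refused", which the original `false`-on-exception pattern conflates.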