using azure function identity to access a storage container

Step 1) Turn on Azure identity for the Azure Function (Python 3.10)
Step 2) Copy over the Object (principal) ID as a new access policy in the container settings
Step 3) Try to run


import logging

from azure.identity import DefaultAzureCredential
from azure.storage.blob import BlobServiceClient


def access_another_blob_container():

    # Initialize the BlobServiceClient using the Function's managed identity
    blob_service_client = BlobServiceClient(
        account_url="https://basefunctionstorage.blob.core.windows.net/",
        credential=DefaultAzureCredential()
    )

    # Get the container client
    container_client = blob_service_client.get_container_client("complete")

    # List all blobs in the container
    blob_list = container_client.list_blobs()
    blobs = [blob.name for blob in blob_list]

    logging.info(f"Blob Names in another container: {blobs}")

    # Read the content of a specific blob
    blob_client = container_client.get_blob_client("test_file.xlsx")
    blob_content = blob_client.download_blob().readall()

    # Note: an .xlsx file is binary, so decode('utf-8') will raise UnicodeDecodeError
    logging.info(f"Blob Content in another container: {blob_content.decode('utf-8')}")

This resulted in 403 Forbidden: AuthorizationPermissionMismatch. Any advice on missed steps?

I have added the object ID under this section with all permissions: 'racwdl'


  • Make sure you have "Storage Blob Data Contributor" on the container or blob you are trying to access. Ensure that the access policy grants the managed identity (by its Object ID) the required permissions (e.g., read access) on the container or blob.


  • @ZiyaMertKarakas I have added an image to show where I have added the Object ID. Please view it and confirm if it is correct.


  • @ZiyaMertKarakas by "Storage Blob Data Contributor" do you mean I also have to carry over the object ID of the Azure Function to IAM?

  • Yes, when you grant the “Storage Blob Data Contributor” role to an object (typically a managed identity, service principal, or user), you should specify the Object ID of the identity that needs the permission. In your case, since you want your Function (which uses a managed identity) to have these permissions, you should specify the Object ID of the managed identity associated with your Azure Function.


  • Also, make sure that the managed identity is correctly associated with your Function.

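The underlying point of the comment thread is that the "access policy" (the racwdl entry on the container) is a stored access policy: it only scopes SAS tokens and never grants anything to an Azure AD identity. A managed identity used through DefaultAzureCredential is authorized by Azure RBAC, and only the data-plane roles (Storage Blob Data Reader / Contributor / Owner) count; control-plane roles such as Contributor or Owner on the account or resource group still produce AuthorizationPermissionMismatch. The script below is an added example (not the asker's code or anything from the thread): it takes the output shape of `az role assignment list --assignee <objectId> --all -o json` (principalId, roleDefinitionName, scope), decides whether the Function's identity has a data-plane role at a scope that covers the target container, and emits the `az role assignment create` command to run if not. The subscription ID, resource group name, object ID and assignment list are constructed placeholders.

```python
"""Check whether a managed identity holds a blob data-plane RBAC role that
covers a container, and build the az command that grants one if not.

Added example for this thread, not the asker's code. Assumes the role
assignments come from `az role assignment list --assignee <oid> --all -o json`
(objects with principalId / roleDefinitionName / scope). All IDs are made up.
"""
from __future__ import annotations

# Roles that authorize blob data access for an Azure AD identity. Owner and
# Contributor are control-plane roles: they manage the account but do not
# let DefaultAzureCredential read blobs, which is a common cause of
# AuthorizationPermissionMismatch. A container's stored access policy
# ("racwdl") only applies to SAS tokens and is irrelevant here.
BLOB_DATA_ROLES = {
    "Storage Blob Data Reader": {"read", "list"},
    "Storage Blob Data Contributor": {"read", "list", "write", "delete"},
    "Storage Blob Data Owner": {"read", "list", "write", "delete", "acl"},
}


def container_scope(subscription_id: str, resource_group: str,
                    account: str, container: str) -> str:
    """ARM resource ID of one blob container, the narrowest RBAC scope."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Storage/storageAccounts/{account}"
            f"/blobServices/default/containers/{container}")


def scope_covers(assigned_scope: str, target_scope: str) -> bool:
    """RBAC inherits downward: an assignment at subscription, resource group,
    account or container scope covers the target if its scope is an ancestor
    of (or equal to) the target. Case-insensitive, whole path segments only,
    so .../containers/complete is not covered by .../containers/completed."""
    a = assigned_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def effective_permissions(assignments: list[dict], principal_id: str,
                          target_scope: str) -> set[str]:
    """Union of data-plane permissions the principal has on target_scope."""
    perms: set[str] = set()
    for ra in assignments:
        if ra["principalId"].lower() != principal_id.lower():
            continue
        if not scope_covers(ra["scope"], target_scope):
            continue
        perms |= BLOB_DATA_ROLES.get(ra["roleDefinitionName"], set())
    return perms


def missing_permissions(assignments: list[dict], principal_id: str,
                        target_scope: str, needed) -> set[str]:
    return set(needed) - effective_permissions(assignments, principal_id, target_scope)


def fix_command(principal_id: str, target_scope: str,
                role: str = "Storage Blob Data Contributor") -> str:
    """az CLI command granting the role to the Function's managed identity at
    container scope. --assignee-principal-type skips the Graph lookup that can
    fail for an identity created moments earlier."""
    return (f"az role assignment create --assignee-object-id {principal_id} "
            f"--assignee-principal-type ServicePrincipal "
            f'--role "{role}" --scope "{target_scope}"')


# Constructed sample resembling the asker's situation: the identity has
# Contributor on the resource group (control plane only) and a data role on a
# different container, so list_blobs() on "complete" still gets 403.
SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"   # placeholder
FUNCTION_OID = "11111111-2222-3333-4444-555555555555"   # placeholder object ID
SCOPE = container_scope(SUBSCRIPTION, "rg-functions", "basefunctionstorage", "complete")
SAMPLE_ASSIGNMENTS = [
    {"principalId": FUNCTION_OID, "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUBSCRIPTION}/resourceGroups/rg-functions"},
    {"principalId": FUNCTION_OID, "roleDefinitionName": "Storage Blob Data Contributor",
     "scope": container_scope(SUBSCRIPTION, "rg-functions", "basefunctionstorage", "input")},
]


def diagnose(assignments: list[dict], principal_id: str = FUNCTION_OID,
             target_scope: str = SCOPE, needed=("read", "list")) -> str:
    """Return 'ok' when list+read are covered, otherwise the command to run."""
    if not missing_permissions(assignments, principal_id, target_scope, needed):
        return "ok"
    return fix_command(principal_id, target_scope)


if __name__ == "__main__":
    print(diagnose(SAMPLE_ASSIGNMENTS))
```

Run the `az role assignment create` line it prints, then re-run the check with the fresh `az role assignment list` output; the assignment can take a minute or two to propagate before the Function's `list_blobs()` stops returning 403.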