Azure Blob - Using InteractiveBrowserCredential as an alternative to ClientSecretCredential -> AuthorizationPermissionMismatch #14490

Closed
Krande opened this issue Oct 14, 2020 · 2 comments
Krande commented Oct 14, 2020

Packages

  • azure-storage-blob: 12.5.0
  • azure-identity: 1.5.0b1

OS

  • Windows 10
  • Python 3.8.3

The issue
So this might not be an issue but perhaps a case of me misunderstanding some of the basic concepts. Nevertheless I am having a hard time understanding how to (if at all possible) use the InteractiveBrowserCredential class as an alternative to the ClientSecretCredential class when downloading from my azure storage blob (which has a private access level). The ClientSecretCredential (based on this) works as intended, but whenever I try to use the InteractiveBrowserCredential the following error occurs:

azure.core.exceptions.HttpResponseError: This request is not authorized to perform this operation using this permission.
RequestId:efa92bbe-c01e-0059-6ef1-a1e0db000000
Time:2020-10-14T06:17:37.7546405Z
ErrorCode:AuthorizationPermissionMismatch
Error:None

A Reproducible example

from azure.identity import InteractiveBrowserCredential, ClientSecretCredential
from azure.storage.blob import BlobServiceClient

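# Placeholders: replace each value with your own input
tenant_id = "<tenant-id>"
client_id = "<client-id>"
client_secret = "<client-secret>"
account_name = "<storage-account-name>"
blob_name = "<blob-name>"
container_name = "<container-name>"
destination_file = "<local-destination-path>"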

# This works
token_credential = ClientSecretCredential(tenant_id, client_id, client_secret)

# This does not work
token_credential_alt = InteractiveBrowserCredential(client_id=client_id, tenant_id=tenant_id)
record = token_credential_alt.authenticate(scopes=[f'https://{account_name}.blob.core.windows.net/.default'])

blob_service_client = BlobServiceClient(
    account_url=f'https://{account_name}.blob.core.windows.net',
    credential=token_credential_alt
)

blob = blob_service_client.get_blob_client(container=container_name, blob=blob_name)

with open(destination_file, "wb") as my_blob:
    blob_data = blob.download_blob()
    blob_data.readinto(my_blob)

I am a bit unsure of what exactly is the correct input for scopes in the authenticate() method. I do believe my app registration is OK (given that it works using the ClientSecretCredential class).

I have tried to find related issues that could help me with this, but the closest ones I could find, #13826 and #13834, do not seem to offer any specific reproducible examples (which a novice like myself is in dire need of!).

Please let me know if you need any more information regarding this issue.

Best Regards
Kristoffer

chlowell (Member) commented

InteractiveBrowserCredential authenticates a user while ClientSecretCredential authenticates a service principal. These different identities may have different permissions and therefore aren't substitutes for each other in accessing a particular resource. So in this case I suppose the user you're authenticating isn't authorized to access that blob. I'm not so familiar with storage access control, but I think the user would need at least the Storage Blob Data Reader role.

Also, in your example it isn't necessary to call InteractiveBrowserCredential.authenticate. BlobServiceClient will authenticate as needed with the credential it's given.
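
The user/service-principal distinction described in the reply above is visible in the access token itself. As an added example (not part of the original thread or the Azure SDK), this helper decodes a token's claims to show which principal, and therefore which object ID, needs the Storage Blob Data Reader role assignment. The sample tokens and IDs are constructed, and the claim names assume Microsoft identity platform access tokens.

```python
import base64
import json


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def describe_principal(token: str) -> dict:
    """Summarise which identity an access token represents."""
    c = jwt_claims(token)
    # Delegated (user) tokens carry "scp"; app-only tokens do not.
    is_user = "scp" in c and c.get("idtyp") != "app"
    return {
        "kind": "user" if is_user else "service principal",
        "object_id": c.get("oid"),  # principal that needs the role assignment
        "client_id": c.get("appid") or c.get("azp"),
        "name": c.get("upn") or c.get("unique_name"),
    }


def _constructed_token(claims: dict) -> str:
    """Build an unsigned sample token; all values below are constructed."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


APP = "00000000-0000-0000-0000-00000000aaaa"  # constructed client_id
SP_TOKEN = _constructed_token(
    {"aud": "https://storage.azure.com", "appid": APP, "idtyp": "app",
     "oid": "00000000-0000-0000-0000-00000000bbbb"})
USER_TOKEN = _constructed_token(
    {"aud": "https://storage.azure.com", "appid": APP, "scp": "user_impersonation",
     "oid": "00000000-0000-0000-0000-00000000cccc", "upn": "user@example.com"})

if __name__ == "__main__":
    # With a real credential the token would come from
    # credential.get_token("https://storage.azure.com/.default").token
    for label, tok in (("ClientSecretCredential", SP_TOKEN),
                       ("InteractiveBrowserCredential", USER_TOKEN)):
        print(label, describe_principal(tok))
```

Both tokens share the same client_id but carry different object IDs, which is why a role granted to the app registration's service principal does not cover the signed-in user.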


Krande commented Oct 14, 2020

Aha, thank you very much for clarifying the principle differences! You are absolutely correct! By giving a group of users Reader and Storage Blob Data Reader roles to a specific private container I was able to access the blobs by simply using

blob_service_client = BlobServiceClient(
    account_url=f'https://{account_name}.blob.core.windows.net',
    credential=InteractiveBrowserCredential()
)

I'll close this issue now.

Best Regards
Kristoffer

@Krande Krande closed this as completed Oct 14, 2020
openapi-sdkautomation bot pushed a commit to AzureSDKAutomation/azure-sdk-for-python that referenced this issue May 25, 2021
Web ant93 release: Updating API version to 2021-01-01 (Azure#14489)

* Adds base for updating Microsoft.Web from version stable/2020-12-01 to version 2021-01-01

* Updates readme

* Updates API version in new specs and examples

* Bring in swagger for Microsoft.CertificateRegistration and Microsoft.… (Azure#14212)

* Bring in swagger for Microsoft.CertificateRegistration and Microsoft.DomainRegistration RPs

* Add custom word

* Actually bring in swagger for Microsoft.CertificateRegistration and Microsoft.DomainRegistration RPs

* Update AppServicePlan.json with preoperty (Azure#14388)

Adding ElasticScaleEnabled to ASP object!

* Swagger changes for kubeenv (Azure#14417)

* Swagger changes for kubeenv

* Add examples for create and update

* Fixing model validations in examples

* Supress systemData for kubeenvironments.json

* Making small change to trigger a re-run of ApiReview runner

* Fixing extendedLocation bug in swagger

* fix model validation

* Carry over missing Acr properties from previous version (Azure#14490)

* [python]Update readme.python.md (Azure#14493)

* Update readme.python.md

* Update readme.md

Co-authored-by: jocawtho <[email protected]>
Co-authored-by: JennyLawrance <[email protected]>
Co-authored-by: msyyc <[email protected]>
msyyc added a commit that referenced this issue May 25, 2021
* CodeGen from PR 14489 in Azure/azure-rest-api-specs
Web ant93 release: Updating API version to 2021-01-01 (#14489)

* Adds base for updating Microsoft.Web from version stable/2020-12-01 to version 2021-01-01

* Updates readme

* Updates API version in new specs and examples

* Bring in swagger for Microsoft.CertificateRegistration and Microsoft.… (#14212)

* Bring in swagger for Microsoft.CertificateRegistration and Microsoft.DomainRegistration RPs

* Add custom word

* Actually bring in swagger for Microsoft.CertificateRegistration and Microsoft.DomainRegistration RPs

* Update AppServicePlan.json with preoperty (#14388)

Adding ElasticScaleEnabled to ASP object!

* Swagger changes for kubeenv (#14417)

* Swagger changes for kubeenv

* Add examples for create and update

* Fixing model validations in examples

* Supress systemData for kubeenvironments.json

* Making small change to trigger a re-run of ApiReview runner

* Fixing extendedLocation bug in swagger

* fix model validation

* Carry over missing Acr properties from previous version (#14490)

* [python]Update readme.python.md (#14493)

* Update readme.python.md

* Update readme.md

Co-authored-by: jocawtho <[email protected]>
Co-authored-by: JennyLawrance <[email protected]>
Co-authored-by: msyyc <[email protected]>

* version,CHANGELOG

* test

* test fix

Co-authored-by: SDKAuto <[email protected]>
Co-authored-by: jocawtho <[email protected]>
Co-authored-by: JennyLawrance <[email protected]>
Co-authored-by: msyyc <[email protected]>
Co-authored-by: PythonSdkPipelines <PythonSdkPipelines>
@github-actions github-actions bot locked and limited conversation to collaborators Apr 12, 2023