Reputation: 156
I log in to ADLS Gen2 with this POST request:
https://login.microsoftonline.com//oauth2/v2.0/token
Request body:
grant_type:client_credentials
client_id: my_client_id from App registrations -> Owned applications -> My application
client_secret: my_client_secret from App registrations -> Owned applications -> My application
scope: https://storage.azure.com/.default
provider_type: org.apache.hadoop.fs.azurebfs.oauth2.ClientCredsTokenProvider
And get a successful response code 200:
{
"token_type": "Bearer",
"expires_in": 3599,
"ext_expires_in": 3599,
"access_token": <token>
}
After that I tried to create a filesystem using the following PUT request: https://dbmiadlsgen2.dfs.core.windows.net/mydata?resource=filesystem
Headers:
Authorization - Bearer
Content-Type - text/plain
x-ms-version - 2018-11-09
And get the following error:
{
"error": {
"code": "AuthorizationPermissionMismatch",
"message": "This request is not authorized to perform this operation using this permission.\nRequestId:bcb4c0d3-901f-00cc-0722-2b7f0c000000\nTime:2019-06-25T06:54:57.3437434Z"
}
}
I granted my user the Storage Blob Data Contributor role from the Azure portal, but it does not help...
What kind of role do you think I should use? Are some request body or header parameters incorrect? Thank you.
Upvotes: 2
Views: 5436
Reputation: 5294
It's not enough for the app and account to be added as owners. I would suggest you go to your storage account > IAM > Add role and add the special permission for this type of request, Storage Blob Data Contributor.
For further reference please visit:
https://learn.microsoft.com/en-us/azure/storage/common/storage-auth-aad-app
Hope it helps.
Upvotes: 4
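The two requests from the question, plus the check I would run before touching the portal, as an added example (my own code, not the asker's or the answerer's). `AuthorizationPermissionMismatch` means authentication succeeded (the token was accepted) but the storage service found no data-plane role for the identity inside the token. With a client-credentials token that identity is the app's service principal, carried in the token's `oid` claim, so a role granted to a user account in the portal does not apply to it, and the `aud` claim must be `https://storage.azure.com` or the token is for the wrong resource. The script only sends the four parameters the v2.0 token endpoint reads; `make_sample_token` builds an unsigned, constructed JWT so the diagnostic can be exercised offline, and the tenant name, client id, secret and object ids are placeholders.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Tenant id or verified domain goes where the question's URL has an empty segment.
TOKEN_URL_TEMPLATE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
STORAGE_SCOPE = "https://storage.azure.com/.default"   # v2.0 scope for the data plane
STORAGE_AUDIENCE = "https://storage.azure.com"          # 'aud' claim a usable token carries
XMS_VERSION = "2018-11-09"                              # REST API version used in the question


def build_token_request(tenant: str, client_id: str, client_secret: str):
    """Return (url, form-encoded body) for the client_credentials grant.
    Only the parameters Azure AD reads are sent; Hadoop's provider_type is a
    client-side setting and is not part of the OAuth request."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": STORAGE_SCOPE,
    }).encode()
    return TOKEN_URL_TEMPLATE.format(tenant=tenant), body


def build_create_filesystem_request(account: str, filesystem: str, access_token: str):
    """Return (method, url, headers) for the ADLS Gen2 'Filesystem - Create' call."""
    url = f"https://{account}.dfs.core.windows.net/{filesystem}?resource=filesystem"
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "text/plain",
        "x-ms-version": XMS_VERSION,
        "Content-Length": "0",
    }
    return "PUT", url, headers


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature.
    Fine for local diagnostics; never use this to decide whether to trust a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose(token: str, expected_client_id: str, role_assignee_oid: str) -> list:
    """Explain why an accepted token can still get AuthorizationPermissionMismatch.
    role_assignee_oid is the object id the role was assigned to in IAM.
    Returns a list of findings; empty means the token targets the storage
    data plane and the role assignment matches the principal in the token."""
    claims = jwt_claims(token)
    findings = []
    if claims.get("aud") != STORAGE_AUDIENCE:
        findings.append(f"audience is {claims.get('aud')!r}; request scope {STORAGE_SCOPE}")
    if claims.get("appid") != expected_client_id:
        findings.append("appid does not match the app registration the secret belongs to")
    if claims.get("oid") != role_assignee_oid:
        findings.append("role is assigned to a different object than the token's service "
                        "principal (oid); assign Storage Blob Data Contributor to the app's "
                        "service principal, not to your own user account")
    return findings


def make_sample_token(claims: dict) -> str:
    """Constructed, UNSIGNED JWT (alg none) for offline testing only; not from Azure AD."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def create_filesystem(tenant, client_id, client_secret, account, filesystem) -> int:
    """End to end: fetch a token, then create the filesystem. Needs network access."""
    url, body = build_token_request(tenant, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        token = json.load(resp)["access_token"]
    method, url, headers = build_create_filesystem_request(account, filesystem, token)
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status            # 201 Created on success
    except urllib.error.HTTPError as e:
        err = json.load(e)                # {"error": {"code": ..., "message": ...}}
        raise RuntimeError(f"{e.code} {err['error']['code']}: {err['error']['message']}") from None


if __name__ == "__main__":
    # Offline demonstration with a constructed token; replace with a real one to debug.
    sample = make_sample_token({"aud": STORAGE_AUDIENCE, "appid": "my_client_id", "oid": "sp-object-id"})
    print(diagnose(sample, "my_client_id", "user-object-id"))
```

To find the object id to compare against, open Enterprise applications (not App registrations) for the same app; that entry is the service principal and is the assignee IAM needs. From the CLI the equivalent is `az role assignment create --role "Storage Blob Data Contributor" --assignee <application-id> --scope <storage-account-resource-id>` (placeholders are yours to fill in). Role assignments can take a few minutes to propagate, and the existing token keeps working once they have, since RBAC is evaluated by the storage service on each request rather than baked into the token.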