CODEWITHSUNDEEP
azureazure-active-directoryqueuestorageidentity
Stef Heyenrath
Stef Heyenrath

Reputation: 9850

How to use Azure.Identity.ClientSecretCredential to access a Azure Queue?

I've created an App Registration in Azure and added access to Azure Storage (user_impersonation): enter image description here

The console app uses these packages:

<PackageReference Include="Azure.Identity" Version="1.2.0-preview.6" />
<PackageReference Include="Azure.Storage.Queues" Version="12.4.0-preview.5" />

And the code looks like:

var tc = new ClientSecretCredential("{tenant-id}", "{client-id}", "{client-secret}");
var client = new QueueClient(new Uri("https://{storage-name}.queue.core.windows.net/example-q"), tc);

// this fails with error
client.SendMessage("msg");

The error message is like:

Unhandled exception. Azure.RequestFailedException: This request is not authorized to perform this operation using this permission.
RequestId:13f45216-9003-0061-49cf-616632000000
Time:2020-07-24T15:32:44.9586872Z
Status: 403 (This request is not authorized to perform this operation using this permission.)
ErrorCode: AuthorizationPermissionMismatch

Headers:
Server: Windows-Azure-Queue/1.0,Microsoft-HTTPAPI/2.0
x-ms-request-id: 13f45216-9003-0061-49cf-616632000000
x-ms-version: 2018-11-09
x-ms-error-code: AuthorizationPermissionMismatch
Date: Fri, 24 Jul 2020 15:32:44 GMT
Content-Length: 279
Content-Type: application/xml

   at Azure.Storage.Queues.QueueRestClient.Messages.EnqueueAsync_CreateResponse(ClientDiagnostics clientDiagnostics, Response response)
   at Azure.Storage.Queues.QueueRestClient.Messages.EnqueueAsync(ClientDiagnostics clientDiagnostics, HttpPipeline pipeline, Uri resourceUri, QueueSendMessage message, String version, Nullable`1 visibilitytimeout, Nullable`1 messageTimeToLive, Nullable`1 timeout, String requestId, Boolean async, String operationName, CancellationToken cancellationToken)
   at Azure.Storage.Queues.QueueClient.SendMessageInternal(String messageText, Nullable`1 visibilityTimeout, Nullable`1 timeToLive, Boolean async, CancellationToken cancellationToken)
   at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted[T](Task`1 task)
   at Azure.Storage.Queues.QueueClient.SendMessage(String messageText, Nullable`1 visibilityTimeout, Nullable`1 timeToLive, CancellationToken cancellationToken)
   at Azure.Storage.Queues.QueueClient.SendMessage(String messageText)

Upvotes: 5

Views: 21597

Answers (1)

Jim Xu
Jim Xu

Reputation: 23141

If you want to use service principal to access Azure queue storage, you must assign Azure RABC role (Storage Queue Data Contributor) to the sp. For more details, please refer to the document

For example

  1. Create service principal and assign role
az login

az ad sp create-for-rbac -n "MyApp" --role 'Storage Queue Data Contributor' \
  --scope '/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>'
  1. Code (I use the same version sdk)
ClientSecretCredential cred = new ClientSecretCredential(tenantId, clientId, clientSecret);
var client = new QueueClient(new Uri("https://blobstorage0516.queue.core.windows.net/test"), cred);
string message = "First Message to azure Queue";
client.SendMessage(message);

enter image description here

Upvotes: 3

Related Questions