Reputation: 1560
I am trying to authenticate to Azure Blob Storage in a native .NET app. The following code yields a 403. I don't see any auth flow triggered (e.g. no consent or TFA prompt), but maybe that shouldn't be expected. The client registration is configured as a native app with user_impersonation scope. I'm wondering what steps I should take to troubleshoot.
```csharp
var credential = new ClientSecretCredential(tenantid, appid, clientSecret);
client = new BlobServiceClient(accountUri, credential);
// Make a service request to verify we've successfully authenticated
var foo = await client.GetPropertiesAsync();
```
Response:
Azure.RequestFailedException: This request is not authorized to perform this operation using this permission.
RequestId:73e54cff-401e-004d-7211-685a00000000
Time:2020-08-01T14:37:01.2280787Z
Status: 403 (This request is not authorized to perform this operation using this permission.)
ErrorCode: AuthorizationPermissionMismatch
Headers:
x-ms-request-id: 73e54cff-401e-004d-7211-685a00000000
x-ms-client-request-id: a9a34270-db76-424b-ac33-750b2cdb2ffb
x-ms-version: 2019-12-12
x-ms-error-code: AuthorizationPermissionMismatch
Date: Sat, 01 Aug 2020 14:37:00 GMT
Server: Windows-Azure-Blob/1.0,Microsoft-HTTPAPI/2.0
Content-Length: 279
Content-Type: application/xml
Upvotes: 4
Views: 5982
Reputation: 23111
If you want to use the client credential flow to access Azure Storage, we need to assign an Azure RBAC role (Storage Blob Data Contributor) to the Azure AD application. For more details, please refer to the document
For example:
```csharp
var clientId = "42e0d***2d988c4";
var secret = "Gbx2***fQpIjoae:";
var tenant = "e4c9ab4***2a757fb";
ClientSecretCredential credential = new ClientSecretCredential(tenant, clientId, secret);
string accountName = "jimtestdiag924";
string url = string.Format("https://{0}.blob.core.windows.net/", accountName);
var client = new BlobServiceClient(new Uri(url), credential);
var foo = await client.GetPropertiesAsync();
```
Upvotes: 2
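A troubleshooting sketch for the 403 above, added here as an example and not taken from either post: it checks authentication (can the app get a token for Storage?) separately from authorization (does the service principal hold a data role?). The environment variable names are placeholders, and `STORAGE_ACCOUNT_URI` in particular is a hypothetical name chosen for this example.

```csharp
using System;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.Storage.Blobs;

// Placeholder inputs (assumptions): read from the environment, never hard-coded.
string tenantId = Environment.GetEnvironmentVariable("AZURE_TENANT_ID");
string clientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID");
string secret = Environment.GetEnvironmentVariable("AZURE_CLIENT_SECRET");
var accountUri = new Uri(Environment.GetEnvironmentVariable("STORAGE_ACCOUNT_URI"));

var credential = new ClientSecretCredential(tenantId, clientId, secret);

// Step 1: authentication. The client credential flow is non-interactive, so no
// consent or MFA prompt appears; a bad tenant, client id or secret fails here.
try
{
    AccessToken token = await credential.GetTokenAsync(
        new TokenRequestContext(new[] { "https://storage.azure.com/.default" }));
    // Log only the expiry, never the token itself.
    Console.WriteLine($"Authenticated; token expires {token.ExpiresOn:u}");
}
catch (AuthenticationFailedException ex)
{
    Console.WriteLine($"Authentication failed: {ex.Message}");
    return;
}

// Step 2: authorization. A valid token is still rejected when the application
// has no suitable RBAC role assignment on the storage account.
try
{
    var client = new BlobServiceClient(accountUri, credential);
    await client.GetPropertiesAsync();
    Console.WriteLine("Authorized: the request succeeded.");
}
catch (RequestFailedException ex)
    when (ex.Status == 403 && ex.ErrorCode == "AuthorizationPermissionMismatch")
{
    Console.WriteLine("Token accepted, but the app lacks a role for this operation. " +
        "Check the role assignments for the application on the storage account.");
}
catch (RequestFailedException ex)
{
    Console.WriteLine($"Request failed: {ex.Status} {ex.ErrorCode}");
}
```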