Reputation: 131
I have a Node.js application using the Express framework. The user must sign in via the OAuth2 protocol against their MS Azure Active Directory credentials. This is done using the passport-azure-ad-oauth2 npm package.
I have successfully got the application working so that I can upload files in blob form to an Azure storage container. The container access level is set to private. I have assigned user roles for the container so that certain users within the AD have 'reader and data access'. So my understanding is that when these users are authenticated via OAuth2, they should be able to access the files when retrieving the file's URL. However, after authentication, I am not able to access the files. I get the following error:
ResourceNotFound
The specified resource does not exist. RequestId:6341ef80-f01e-0011-6442-08f7c2000000 Time:2021-02-21T11:14:26.3475641Z
I have also followed the steps to grant the application permissions to Azure Storage here.
What do I need to do so that authenticated users can go to the specific url for each blob and get access? Do I need to pass a token in the request? If so, how do you do this?
Any help would be much appreciated.
Upvotes: 0
Views: 1173
Reputation: 7483
The 404 error (The specified resource does not exist) is always related to your request URL, not to the access token.
For example, to get a blob you need to use the GET method, and some of the request headers are required.
GET https://myaccount.blob.core.windows.net/mycontainer/myblob
headers:
Authorization: Bearer <access-token>
x-ms-version: 2020-04-08
x-ms-date: Fri, 26 Jun 2015 23:39:12 GMT
Get access token by application permission without user:
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
client_id={client_id}
&client_secret={client_secret}
&scope=https://storage.azure.com/.default // for the v1 endpoint use resource=https://storage.azure.com/ instead
&grant_type=client_credentials
Get access token by delegated permission with a signed-in user:
GET https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id={client_id}
&response_type=token
&redirect_uri=https://localhost:44300/
&scope=https://storage.azure.com/user_impersonation
&response_mode=fragment
&state=12345
&nonce=678910
Note: Navigate to your storage account -> Access Control (IAM) -> Add role assignment -> select a Storage Blob Data XXX
role and your login account. I added Storage Blob Data Contributor on my side; it might take up to 5 minutes to propagate the RBAC rule.
Upvotes: 1
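The two requests in the answer put into Node.js, as an added example that is not part of the question or the answer: it builds the client-credentials token body, the blob URL and the required headers, and maps the HTTP status to its likely cause so a 404 (wrong URL) is not mistaken for a token or role problem. It assumes Node.js 18+ (global fetch); the account, container and blob names are placeholders.

```javascript
// Added example (not from the question or the answer): builds the Get Blob request
// the answer describes and maps the HTTP status to its likely cause.
// Assumes Node.js 18+ (global fetch); account, container and blob names are placeholders.

const STORAGE_API_VERSION = "2020-04-08";

// Body of the client-credentials token request (application permission, no user).
function buildTokenRequestBody(clientId, clientSecret) {
  return new URLSearchParams({
    client_id: clientId,
    client_secret: clientSecret,
    scope: "https://storage.azure.com/.default",
    grant_type: "client_credentials",
  }).toString();
}

// Blob URL: each path segment is encoded separately so "folder/my file.txt"
// keeps its slash but escapes the space.
function buildBlobUrl(account, container, blobName) {
  const path = blobName.split("/").map(encodeURIComponent).join("/");
  return `https://${account}.blob.core.windows.net/${encodeURIComponent(container)}/${path}`;
}

// Headers required for an OAuth-authorized Get Blob call.
function buildBlobHeaders(accessToken, now = new Date()) {
  return {
    Authorization: `Bearer ${accessToken}`,
    "x-ms-version": STORAGE_API_VERSION,
    "x-ms-date": now.toUTCString(), // RFC 1123, e.g. "Sun, 21 Feb 2021 11:14:26 GMT"
  };
}

// Tells a wrong URL apart from a wrong token or a missing role, the answer's main point.
function explainStatus(status) {
  switch (status) {
    case 200: return "ok";
    case 401: return "expired or malformed bearer token";
    case 403: return "token accepted but no Storage Blob Data role on the account/container";
    case 404: return "account, container or blob name in the URL is wrong (also returned when a private blob is requested with no Authorization header at all)";
    default: return `unexpected status ${status}`;
  }
}

async function getBlob(account, container, blobName, accessToken) {
  const res = await fetch(buildBlobUrl(account, container, blobName), {
    headers: buildBlobHeaders(accessToken),
  });
  if (!res.ok) throw new Error(`${res.status}: ${explainStatus(res.status)}`);
  return Buffer.from(await res.arrayBuffer());
}
```

Call `getBlob(account, container, name, token)` from the Express route after the user has signed in; the token itself comes from the token endpoint using the body that `buildTokenRequestBody` produces.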