Facing issue while accessing file from private blob storage using AKS pods

Question

we are using a service from AKS pods, one of the functionalities is to hit the azure translator service which is trying to access the file from the blob storage which Access level is set to private.

we have enabled all required private end points from Translator to blob, also added role assignments but still unable to access the file from blob. we are encountering below error:

{'id': 'xxxx-5d1b-4e20-8002-xxx', 'createdDateTimeUtc': '2024-10-10T09:02:52.0829033Z', 'lastActionDateTimeUtc': '2024-10-10T09:02:54.0855904Z', 'status': 'ValidationFailed', 'error': {'code': 'InvalidRequest', 'message': 'Cannot access target document location with the current permissions.', 'target': 'Operation', 'innerError': {'code': 'InvalidTargetDocumentAccessLevel', 'message': 'Cannot access target document location with the current permissions.'}}, 'summary': {'total': 0, 'failed': 0, 'success': 0, 'inProgress': 0 , 'notYetStarted': 0, 'cancelled': 0, 'totalCharacterCharged': 0}}

we are using translator path as below using sas urls for source and destination URLs. TRANSLATOR_PATH = "translator/text/batch/v1.0/batches" API_ENDPOINT = ENDPOINT + TRANSLATOR_PATH

Not able to understand what we are missing still to access the files for translation from AKS pod. file upload is successful but accessing the files are being causing access issues. Help me out to resolve this issue.

Answer 1

'InvalidTargetDocumentAccessLevel', 'message': 'Cannot access target document location with the current permissions.'

The above error occurs when you don't have proper permission to access the target container in the azure storage account.

You can use the below sample code which generate SAS token and translate specific file from one container(English) to another container(Spanish) using python code.

Code:

import os
from azure.storage.blob import BlobServiceClient,generate_container_sas, ContainerSasPermissions
from datetime import datetime, timedelta
import requests
import json

# Azure Blob Storage and Translator API credentials
STORAGE_ACCOUNT_NAME = "venkat326123"
STORAGE_ACCOUNT_KEY = "Txxxxx"
TRANSLATOR_ENDPOINT = "https://xxxx.cognitiveservices.azure.com/"
SUBSCRIPTION_KEY = "8xxxxxxx6"


# Containers and blob details
SOURCE_CONTAINER_NAME = "test"
TARGET_CONTAINER_NAME = "venkat"
SOURCE_BLOB_NAME = "testblob.txt"
TARGET_BLOB_NAME="sample.txt"

# Function to generate SAS token for a blob
def generate_container_sas_token(container_name,permissions,expiry_hours=1):
    sas_token = generate_container_sas(
        account_name=STORAGE_ACCOUNT_NAME,
        container_name=container_name,
        account_key=STORAGE_ACCOUNT_KEY,
        permission=permissions,  # Permissions for the container
        expiry=datetime.utcnow() + timedelta(hours=expiry_hours)
    )
    return sas_token

def create_container_sas_urls():
    blob_service_client = BlobServiceClient(account_url=f"https://{STORAGE_ACCOUNT_NAME}.blob.core.windows.net", credential=STORAGE_ACCOUNT_KEY)

    source_sas_token = generate_container_sas_token(SOURCE_CONTAINER_NAME, ContainerSasPermissions(read=True,list=True))
    source_blob_url = f"https://{STORAGE_ACCOUNT_NAME}.blob.core.windows.net/{SOURCE_CONTAINER_NAME}/{SOURCE_BLOB_NAME}?{source_sas_token}"
    
    target_sas_token = generate_container_sas_token(TARGET_CONTAINER_NAME,ContainerSasPermissions(write=True,list=True))
    target_blob_url = f"https://{STORAGE_ACCOUNT_NAME}.blob.core.windows.net/{TARGET_CONTAINER_NAME}/{TARGET_BLOB_NAME}?{target_sas_token}"
    
    return source_blob_url, target_blob_url

def create_translation_batch(source_blob_url, target_blob_url):
    translator_path = "translator/text/batch/v1.0/batches"
    api_endpoint = TRANSLATOR_ENDPOINT + translator_path

    headers = {
        'Ocp-Apim-Subscription-Key': SUBSCRIPTION_KEY,
        'Content-Type': 'application/json'
    }

    body = {
        "inputs": [
            {
                "storageType": "File",
                "source": {
                    "sourceUrl": source_blob_url,
                },
                "targets": [
                    {
                        "targetUrl": target_blob_url,
                        "language": "es"  
                    }
                ]
            }
        ]
    }

    # Print the request body for debugging
    print(json.dumps(body, indent=4))

    # Send the request
    response = requests.post(api_endpoint, headers=headers, data=json.dumps(body))
    
    # Print response details for debugging
    print(f"Response Status Code: {response.status_code}")


# Main function to execute the steps
def main():

    blob_service_client = BlobServiceClient(account_url=f"https://{STORAGE_ACCOUNT_NAME}.blob.core.windows.net", credential=STORAGE_ACCOUNT_KEY)   

    source_blob_url ,target_blob_ur = create_container_sas_urls()
    print(f"Source Blob SAS URL: {source_blob_url}")
    print(f"Target blob SAS URL: {target_blob_ur}")

    create_translation_batch(source_blob_url, target_blob_ur)

if __name__ == "__main__":
    main()

Output:

Source Blob SAS URL: https://venkat326123.blob.core.windows.net/test/testblob.txt?se=2024-10-14T12%3A51%3A41Z&sp=rl&sv=2023-11-03&sr=c&sig=xxxxx
Target blob SAS URL: https://venkat326123.blob.core.windows.net/venkat/sample.txt?se=2024-10-14T12%3A51%3A41Z&sp=wl&sv=2023-11-03&sr=c&sig=xxxxx
{
    "inputs": [
        {
            "storageType": "File",
            "source": {
                "sourceUrl": "https://venkat326123.blob.core.windows.net/test/testblob.txt?se=2024-10-14T12%3A51%3A41Z&sp=rl&sv=2023-11-03&sr=c&sig=xxxxxxx
            },
            "targets": [
                {
                    "targetUrl": "https://venkat326123.blob.core.windows.net/venkat/sample.txt?se=2024-10-14T12%3A51%3A41Z&sp=wl&sv=2023-11-03&sr=c&sig=xxxxxx",
                    "language": "es"
                }
            ]
        }
    ]
}
Response Status Code: 202

Reference:

• Use Document Translation APIs programmatically - Azure AI services | Microsoft Learn
• How to fix "code":"InvalidDocumentAccessLevel","message":"Cannot access source document location with the current permissions." - Microsoft Q&A by Anand Prakash Yadav.