1

I have a python 3.8 application deployed on a kubernetes cluster on azure that has to access a blob storage container in an account in a different resource group. I'm using a managed identity to authenticate and query the container:

from azure.identity import ManagedIdentityCredential
from azure.storage.blob import BlobServiceClient, ContainerClient


class BlobStorageContainerDoesNotExistError(Exception):
    """Raised when the configured container is not present in the account."""


# Authenticate as the pod's managed identity; task_config and container
# are supplied by the surrounding application code.
creds = ManagedIdentityCredential()
url_template = task_config["ACCOUNT_ADDRESS_TEMPLATE"]
account_name = task_config["BLOB_STORAGE_ACCOUNT"]
account_url = url_template.replace("*", account_name)

blob_service_client = BlobServiceClient(account_url=account_url, credential=creds)

# list_containers() is the call that raises the 403 shown below
if container not in [c.name for c in blob_service_client.list_containers()]:
    raise BlobStorageContainerDoesNotExistError(
        f"Container {container} does not exist"
    )
self.client: ContainerClient = blob_service_client.get_container_client(
    container=container
)

I have verified that the managed identity has been assigned the Storage Blob Data Contributor role in the storage account, and also at the level of the resource group. I have verified that the token generated when instantiating the ManagedIdentityCredential() object references the right managed identity, and I have whitelisted the outbound IP (and every other possible IP just in case) of my python application. Nevertheless, I keep getting this error when attempting to list the containers in the account:

HttpResponseError(response=response, model=error)
azure.core.exceptions.HttpResponseError: Operation returned an invalid status 'This request is not authorized to perform this operation.'

Could anyone point me in the right direction?

Specs:
azure-identity = "1.5"
azure-storage-blob = "12.8.1"
python = "3.8"
platform: linux docker containers running on kubernetes cluster deployed on azure.
Boris
  • Have you added the Service Principal in the Access Control Lists settings too? At least at the container level. – Axel R. Oct 20 '21 at 13:08
  • Have you installed pod-identity (https://learn.microsoft.com/en-us/azure/aks/use-azure-ad-pod-identity)? – Thomas Oct 21 '21 at 07:16

1 Answer

1

I have tested in my environment.

It seems your Storage Account is configured to allow access from Selected Networks.

Please make sure to allow access from your AKS VMSS virtual network:


Then you can use the below python script to list the blob containers in the Storage Account:

from azure.storage.blob import BlobServiceClient
from azure.identity import ManagedIdentityCredential

# Token is requested from the pod's managed identity
creds = ManagedIdentityCredential()

blob_service_client = BlobServiceClient(
    account_url="https://StorageAccountName.blob.core.windows.net/", credential=creds
)
# Succeeds once the AKS subnet is allowed in the account's network rules
for container in blob_service_client.list_containers():
    print(container.name)


RamaraoAdapa
  • that did the trick. Do you know why whitelisting the application's IP is not enough in this case? – Boris Oct 22 '21 at 13:42
  • 1
    As per https://github.com/Azure/AKS/issues/1899, the network restriction option where you whitelist the public IP isn't working when both resources are in the same region, as the traffic is handled internally in the region itself and never leaves the network via the outbound public IP. – RamaraoAdapa Oct 25 '21 at 04:17
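A pre-flight check for the situation the answer and the follow-up comment describe, added here as an example (not code from the question or the answer): it takes the account's network rule set in the shape printed by `az storage account show --query networkRuleSet` and tells you whether an AKS pod would pass the storage firewall, flagging the case where only the cluster's public egress IP is allowed. The sample rule set and the AKS subnet id are constructed placeholders, and the camelCase key names are assumed to match the Azure CLI output.

```python
import ipaddress
import json

# Constructed sample of `az storage account show --query networkRuleSet` output:
# public IP allowlisted, no virtual network rule (the misconfiguration in the question).
SAMPLE_RULE_SET = json.loads("""
{
  "bypass": "AzureServices",
  "defaultAction": "Deny",
  "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.0/24"}],
  "virtualNetworkRules": []
}
""")

# Placeholder subnet id of the AKS node pool (hypothetical values).
AKS_SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
                 "MC_rg_aks_region/providers/Microsoft.Network/virtualNetworks/"
                 "aks-vnet/subnets/aks-subnet")


def ip_allowed(rule_set, client_ip):
    """True if client_ip matches an Allow ipRule (single address or CIDR)."""
    addr = ipaddress.ip_address(client_ip)
    for rule in rule_set.get("ipRules", []):
        if rule.get("action", "Allow") != "Allow":
            continue
        if addr in ipaddress.ip_network(rule["ipAddressOrRange"], strict=False):
            return True
    return False


def subnet_allowed(rule_set, subnet_id):
    """True if the subnet has an Allow virtualNetworkRule (resource ids are case-insensitive)."""
    wanted = subnet_id.lower()
    return any(
        r.get("action", "Allow") == "Allow"
        and r.get("virtualNetworkResourceId", "").lower() == wanted
        for r in rule_set.get("virtualNetworkRules", [])
    )


def diagnose(rule_set, subnet_id, client_ip):
    """Explain whether a pod in subnet_id with public egress client_ip passes the firewall."""
    if rule_set.get("defaultAction", "Allow") == "Allow":
        return "ok: firewall allows all networks"
    if subnet_allowed(rule_set, subnet_id):
        return "ok: AKS subnet is allowed by a virtual network rule"
    if ip_allowed(rule_set, client_ip):
        # Same-region traffic stays on the Azure backbone and never carries the public IP,
        # so an ipRule alone is not enough; the subnet needs the Microsoft.Storage
        # service endpoint and a virtual network rule.
        return "deny: public IP is allowed, but same-region AKS traffic never uses it; add a virtual network rule for the AKS subnet"
    return "deny: neither the public IP nor the AKS subnet is allowed"
```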