
I am updating some legacy code to work with a managed identity instead of an access key.
The code:

  1. Creates a DataLakeServiceClient
  2. Uses that to get a file DataLakeFileSystemClient (var dlfsc = dlsc.GetFileSystemClient(containerName);)
  3. Calls GetAccessPolicyAsync and SetAccessPolicyAsync (var acl = await client.GetAccessPolicyAsync().ConfigureAwait(false);)

When I construct the DataLakeServiceClient using a StorageSharedKeyCredential everything works fine. However, when I construct the DataLakeServiceClient using a ManagedIdentityCredential (via DefaultAzureCredential), the following exception is thrown:

The specified resource does not exist.
RequestId:f2543e09-a01e-000d-321b-e47741000000
Time:2021-11-28T05:51:15.6906885Z
Status: 404 (The specified resource does not exist.)
ErrorCode: ResourceNotFound

Content:
<?xml version="1.0" encoding="utf-8"?><Error><Code>ResourceNotFound</Code><Message>The specified resource does not exist.
RequestId:f2543e09-a01e-000d-321b-e57741000000
Time:2021-11-28T05:51:15.6906885Z</Message></Error>

I assume this is coming from when Azure.Identity is trying to obtain a token using the ManagedIdentityCredential?

An important point to note is the DataLakeFileSystemClient ExistsAsync() method is also being called, and works fine in either case.

So my question is, why do the AccessPolicy methods work fine when the DataLakeFileSystemClient has been created using StorageSharedKeyCredential, but not when it is created using ManagedIdentityCredential?

Hoppy

1 Answer


So my question is, why do the AccessPolicy methods work fine when the DataLakeFileSystemClient has been created using StorageSharedKeyCredential, but not when it is created using ManagedIdentityCredential?

This is because the access policy operations are only supported with shared access key credentials and not Azure AD credentials, which are used when you use Managed Identity.

From this link:


Gaurav Mantri
  • That's great - thanks! The link you posted seems broken, though. – Hoppy Nov 28 '21 at 09:22
  • Sorry, my bad. Edited the answer and provided the correct link: https://learn.microsoft.com/en-us/rest/api/storageservices/authorize-with-azure-active-directory#permissions-for-blob-service-operations. – Gaurav Mantri Nov 28 '21 at 09:43
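
The behaviour discussed in this thread, as an added example that is not code from the question or the answer: a helper that reads the access policy and, when the file system exists but the call returns the 404 shown above, raises an explicit error pointing at the credential type. The class name `AccessPolicyProbe`, the method `GetPolicyAsync` and the environment variable names are hypothetical.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Storage;
using Azure.Storage.Files.DataLake;
using Azure.Storage.Files.DataLake.Models;

public static class AccessPolicyProbe
{
    // Hypothetical helper: reads the stored access policy and turns the misleading
    // 404 into an explicit error when the file system itself is reachable.
    public static async Task<FileSystemAccessPolicy> GetPolicyAsync(DataLakeFileSystemClient fs)
    {
        try
        {
            Response<FileSystemAccessPolicy> policy =
                await fs.GetAccessPolicyAsync().ConfigureAwait(false);
            return policy.Value;
        }
        catch (RequestFailedException ex)
            when (ex.Status == 404 && ex.ErrorCode == "ResourceNotFound")
        {
            Response<bool> exists = await fs.ExistsAsync().ConfigureAwait(false);
            if (!exists.Value) throw; // the file system really is missing
            throw new InvalidOperationException(
                "File system exists but the access policy call returned 404. " +
                "Access policy operations require Shared Key authorization; " +
                "check whether this client was built with an Azure AD credential.", ex);
        }
    }

    public static async Task Main()
    {
        // Assumed configuration, supplied through environment variables.
        string account = Environment.GetEnvironmentVariable("STORAGE_ACCOUNT");
        string key = Environment.GetEnvironmentVariable("STORAGE_KEY");
        string container = Environment.GetEnvironmentVariable("STORAGE_CONTAINER");
        var endpoint = new Uri($"https://{account}.dfs.core.windows.net");

        // Shared Key client: the access policy call is expected to succeed.
        var keyClient = new DataLakeServiceClient(endpoint, new StorageSharedKeyCredential(account, key));
        var policy = await GetPolicyAsync(keyClient.GetFileSystemClient(container));
        Console.WriteLine($"Shared Key: {policy.SignedIdentifiers.Count()} signed identifier(s)");

        // Azure AD client (managed identity via DefaultAzureCredential): reproduces the 404.
        var aadClient = new DataLakeServiceClient(endpoint, new DefaultAzureCredential());
        try { await GetPolicyAsync(aadClient.GetFileSystemClient(container)); }
        catch (InvalidOperationException ex) { Console.WriteLine(ex.Message); }
    }
}
```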