
I am trying to set up the HashiCorp Vault server in an Azure VM to connect to a storage blob. I tried uploading files from the VM and listing the blob using the CLI from the VM and was successful. However, when I try to run my Vault server I am getting the following error:

```text
Error initializing storage of type azure: failed to get properties for container "CONTAINER NAME": -> github.com/hashicorp/vault/vendor/github.com/Azure/azure-storage-blob-go/azblob.newStorageError, /gopath/src/github.com/hashicorp/vault/vendor/github.com/Azure/azure-storage-blob-go/azblob/zc_storage_error.go:42
===== RESPONSE ERROR (ServiceCode=AuthorizationPermissionMismatch) =====
Description=This request is not authorized to perform this operation using this permission.
RequestId: sdfsdfsdf-601e-00df-87897-f34329000000
Time:2022-11-08T19:57:49.5256170Z, Details:
   Code: AuthorizationPermissionMismatch
   GET https://MANAGEDIDENTITY.blob.core.windows.net/CONTAINERNAME?restype=container&timeout=5
   Authorization: REDACTED
   User-Agent: [Azure-Storage/0.11 (go1.15.11; linux)]
   X-Ms-Client-Request-Id: [345345345-ee29-428c-7d92-bhjgjhuyssd]
   X-Ms-Version: [2019-12-12]
   --------------------------------------------------------------------------------
   RESPONSE Status: 403 This request is not authorized to perform this operation using this permission.
   Content-Length: [279]
   Content-Type: [application/xml]
   Date: [Tue, 08 Nov 2022 19:57:48 GMT]
   Server: [Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0]
   X-Ms-Client-Request-Id: [345345345-ee29-428c-7d92-bhjgjhuyssd]
   X-Ms-Error-Code: [AuthorizationPermissionMismatch]
   X-Ms-Request-Id: [345345345-ee29-428c-7d92-bhjgjhuyssd]
   X-Ms-Version: [2019-12-12]
```

Here is my Vault config file:

```json
{
  "listener": [{
    "tcp": {
      "address": "127.0.0.1:8200",
      "tls_disable": 1
    }
  }],
  "disable_mlock": "true",
  "api_addr": "http://127.0.0.1:8200",
  "storage": {
    "azure": {
      "accountName": "AccountName",
      "accountKey": "",
      "container": "ContainerName",
      "max_parallel": 512
    }
  },
  "ui": true
}
```

I tried listing the blob from the VM and I was able to:

```text
> --account-name "accountName" \
> --container-name containerName \
> --output table \
> --auth-mode login
Name        Blob Type    Blob Tier    Length    Content Type    Last Modified              Snapshot
----------  -----------  -----------  --------  --------------  -------------------------  ----------
helloworld  BlockBlob    Hot          13        text/plain      2022-11-08T21:14:44+00:00
```
1 Answer


403 This request is not authorized to perform this operation using this permission.

The above 403 error occurs when you have not given the proper permissions on your storage account, that is, you have not assigned roles on the storage account.

For service principal authentication purposes you need to assign roles on your storage account:

  • Storage Blob Data Contributor
  • Storage Blob Data Reader


Also check the firewall settings under Networking: if you are accessing from the public internet, select "Enabled from all networks"; if you have enabled "Selected networks", add the virtual network.


If you add a firewall, add your client IP address and also enable "Allow trusted Microsoft services to access this storage account", which allows you to access the storage account.

Reference: Azure permission: not authorized to perform this operation - Stack Overflow

Venkatesan
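The steps in the answer above (assign a data-plane role, then check the account firewall) as a script, added here as an example; it is not part of the original question or answer and not Vault's or Azure's own code. The point it makes concrete: `AuthorizationPermissionMismatch` means the request was authenticated with an Azure AD token but the principal lacks the data action, and the principal Vault uses with an empty `accountKey` is the VM's managed identity, not the user from `az login` who ran the successful `az storage blob list`. Vault reads, writes, lists and deletes blobs, so the role has to be Storage Blob Data Contributor, scoped as narrowly as the container. Resource group, VM, account, container and subscription names are placeholders (assumed), overridable through the environment; `DRY_RUN=1` prints the `az` commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or from Vault/Azure docs.
# Grants the VM's system-assigned managed identity data-plane access to the
# container Vault uses, scoped to that container only, then verifies it and
# shows the account firewall state. All names are placeholders (assumed);
# override them through the environment. DRY_RUN=1 prints the az commands
# instead of executing them, so the change can be reviewed first.
set -eu

RG="${RG:-vault-rg}"
VM_NAME="${VM_NAME:-vault-vm}"
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-vaultstorage}"
CONTAINER="${CONTAINER:-vault}"
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
DRY_RUN="${DRY_RUN:-0}"

# run: execute an az command, or print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# container_scope: narrowest ARM scope an RBAC assignment can target for a
# blob container. Assigning here, not at the account or resource group, keeps
# the VM identity from reaching any other container.
container_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s/blobServices/default/containers/%s\n' \
    "$SUBSCRIPTION_ID" "$RG" "$STORAGE_ACCOUNT" "$CONTAINER"
}

# vm_principal_id: object ID of the VM's system-assigned managed identity.
# This is the principal the failing Vault request was authenticated as; it is
# not the user from `az login`, which is why `az storage blob list` succeeded.
vm_principal_id() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "11111111-1111-1111-1111-111111111111"   # placeholder
    return
  fi
  az vm identity show --resource-group "$RG" --name "$VM_NAME" \
    --query principalId -o tsv
}

# grant_vault_access: Vault reads, writes, lists and deletes blobs, so it needs
# Storage Blob Data Contributor; Storage Blob Data Reader is not enough.
# --assignee-principal-type avoids the directory lookup that fails for an
# identity created moments ago that has not replicated yet.
grant_vault_access() {
  principal="$(vm_principal_id)"
  scope="$(container_scope)"
  run az role assignment create \
    --assignee-object-id "$principal" \
    --assignee-principal-type ServicePrincipal \
    --role "Storage Blob Data Contributor" \
    --scope "$scope"
}

# show_network_rules: the same 403 comes back when the account firewall drops
# the request. With defaultAction=Deny the VM's subnet (or its public IP) must
# be listed; "Allow trusted Microsoft services" does not cover a customer VM.
show_network_rules() {
  run az storage account show --name "$STORAGE_ACCOUNT" --resource-group "$RG" \
    --query networkRuleSet -o json
}

# verify: confirm the assignment exists, then list the container the way Vault
# does, with an Azure AD token rather than the account key. Allow a few
# minutes of propagation delay after a new role assignment.
verify() {
  run az role assignment list --assignee "$(vm_principal_id)" \
    --scope "$(container_scope)" -o table
  run az storage blob list --account-name "$STORAGE_ACCOUNT" \
    --container-name "$CONTAINER" --auth-mode login -o table
}

if [ "${1:-}" = "apply" ]; then
  grant_vault_access
  show_network_rules
  verify
fi
```

Run `DRY_RUN=1 ./grant-vault-blob-access.sh apply` first to review the commands, then without `DRY_RUN`. For the final check to exercise the same principal Vault uses, run `az login --identity` on the VM before `verify`; a plain `az login` tests the user's own permissions, which is what the listing in the question showed.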