
I was trying to use a user-assigned managed identity with the DefaultAzureCredential, but am getting the 403 permissions mismatch error. I'm following the code example found in MS docs and it still fails. However, replacing the DefaultAzureCredential with the explicit ManagedIdentityCredential works just fine.

This is my code:

const { BlobServiceClient } = require('@azure/storage-blob');
const { DefaultAzureCredential } = require('@azure/identity');
const {url, clientId} = require('./config'); // storage account URL and the user-assigned identity's client ID

// Intended: let the default chain use the user-assigned managed identity with this client ID
const cred = new DefaultAzureCredential({managedIdentityClientId: clientId});
const containerClient = new BlobServiceClient(url, cred).getContainerClient('container-name');

(async () => {
  // Get Container Properties: needs read permission on the container
  const exists = await containerClient.exists();
  console.log({exists});
})();

This looks like it should work, but it does not. Any thoughts?

versions:

  • "@azure/identity": "^1.1.0",
  • "@azure/storage-blob": "^12.12.0",
  • node v16.18.1
Switch386

1 Answer


I tried in my environment and got the results below:

I tried to reproduce the same code in my environment, and it executed successfully, reporting whether the container exists or not.

Code:

const { BlobServiceClient } = require('@azure/storage-blob');
const { DefaultAzureCredential } = require('@azure/identity');

const url="https://venkat123.blob.core.windows.net";
const clientId="<client-id>"; // client ID of the user-assigned managed identity
const cred = new DefaultAzureCredential({managedIdentityClientId: clientId});
const Client = new BlobServiceClient(url, cred);
const containerClient=Client.getContainerClient("test");

(async () => {
  const exists = await containerClient.exists();
  console.log({exists});
})();

Console:

403, This request is not authorized to perform this operation using this permission.

If you are accessing the storage account with an identity, you need a role like Storage Blob Data Contributor or Storage Blob Data Owner.

Go to portal -> your storage account -> Access Control (IAM) -> Add -> Add role assignment -> Storage Blob Data Contributor or Storage Blob Data Owner -> add your user-assigned managed identity.


Also, I tried a user-assigned managed identity with the DefaultAzureCredential, and it worked perfectly.

Code:

const { BlobServiceClient } = require('@azure/storage-blob');
const { DefaultAzureCredential } = require('@azure/identity');

const url="https://venkat123.blob.core.windows.net";
const cred = new DefaultAzureCredential(); // no managedIdentityClientId passed here
const Client = new BlobServiceClient(url, cred);
const containerClient=Client.getContainerClient("test");

(async () => {
  const exists = await containerClient.exists();
  console.log({exists});
})();

Venkatesan
  • Appreciate you trying this. My permissions are configured correctly, as I've been able to use the `ManagedIdentityCredential`. The problem only exists with the `DefaultAzureCredential`, meaning it's client-side only. Can you share which version of the packages you're using? – Switch386 Jan 12 '23 at 15:05
    The version of my packages is **`"@azure/identity": "^3.1.2"`** and **`"@azure/storage-blob": "^12.12.0"`**. – Venkatesan Jan 13 '23 at 03:27