
I am receiving an Access Forbidden message when I attempt to access an Azure storage table that I created in Pulumi.

I have tried accessing the storage table in the Azure portal and in Azure Storage Explorer.

{"odata.error":{"code":"AuthenticationFailed","message":{"lang":"en-US","value":"Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.\nRequestId:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\nTime:2023-01-20T23:21:57.8113163Z"}}}


The following code does not resolve the access forbidden issue:

var sas = Pulumi.Azure.Storage.GetAccountSAS.Invoke(new()
{
    ConnectionString = storageAccount.PrimaryConnectionString,
    HttpsOnly = true,
    SignedVersion = "2017-07-29",
    ResourceTypes = new Pulumi.Azure.Storage.Inputs.GetAccountSASResourceTypesInputArgs
    {
        Service   = true,
        Container = true,
        Object    = false,
    },
    Services = new Pulumi.Azure.Storage.Inputs.GetAccountSASServicesInputArgs
    {
        Blob  = true,
        Queue = true,
        Table = true,
        File  = true,
    },
    Start  = DateTime.Now.ToString("yyyy-MM-ddTHH:mm:ssK"),
    Expiry = DateTime.Now.AddYears(1).ToString("yyyy-MM-ddTHH:mm:ssK"),
    Permissions = new Pulumi.Azure.Storage.Inputs.GetAccountSASPermissionsInputArgs
    {
        Read    = true,
        Write   = true,
        Delete  = false,
        List    = true,
        Add     = true,
        Create  = true,
        Update  = true,
        Process = true,
        Tag     = true,
        Filter  = true
    },
});

Update: I'm researching how to use an Account Access Key.

Access Control:

The following is my access control for the storage account that harbors the storage table:


Scott Nimrod
  • What RBAC role do you currently have on the storage account? – Sridevi Jan 21 '23 at 02:00
  • Contributor and Reader. – Scott Nimrod Jan 21 '23 at 04:53
  • Are you getting the error for only tables, or for blob containers too, from the Portal? – Sridevi Jan 21 '23 at 04:55
  • I'm getting an error for just the table. Attaching a screenshot. – Scott Nimrod Jan 21 '23 at 04:56
  • Please try assigning the [`Storage Table Data Contributor`](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#storage-table-data-contributor) role to your Service Principal. – Gaurav Mantri Jan 21 '23 at 06:38
  • @GauravMantri That resolved my access issue. Feel free to post this as the answer if you'd like. I think I will need to post a second question on how to assign this role programmatically (without using the Azure portal). – Scott Nimrod Jan 21 '23 at 10:15
  • @Sridevi - Here's a separate question if you're available to help: https://stackoverflow.com/questions/75204048/unable-to-programmatically-add-update-azure-function-key – Scott Nimrod Jan 22 '23 at 21:30

1 Answer


I agree with @Gaurav Mantri: you need to assign the Storage Table Data Contributor role to your Service Principal.

I tried to reproduce the same in my environment and got the same error.

To resolve the error, you need to assign the Storage Table Data Contributor role to your service principal.

After assigning the Storage Table Data Contributor role to my account, I'm able to access the tables successfully.

To assign this role programmatically (without using the Azure portal), you can make use of the commands below:

PowerShell:

Connect-AzAccount
New-AzRoleAssignment -ObjectId <sp_objectID> -RoleDefinitionName "Storage Table Data Contributor" -Scope "/subscriptions/<subscriptionID>/resourceGroups/<rgname>/providers/Microsoft.Storage/storageAccounts/<account_name>"


CLI:

az login
az role assignment create --assignee <sp_objectID> --role "Storage Table Data Contributor" --scope "/subscriptions/<subscriptionID>/resourceGroups/<rgname>/providers/Microsoft.Storage/storageAccounts/<account_name>"


When I checked the Portal, the role was assigned to the service principal successfully under the storage account.

Sridevi
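As an added example (not the asker's or the answerer's code), the role assignment from the PowerShell and CLI commands above expressed in the same Pulumi classic Azure provider the question uses, so the table and its data-plane role are created in one stack. The assignment is scoped to the storage account resource ID, as in the commands above, rather than to the subscription; the config key `spObjectId` and all resource names are assumptions.

```csharp
using System.Collections.Generic;
using Pulumi;
using Azure = Pulumi.Azure;

return await Deployment.RunAsync(() =>
{
    var config = new Config();
    // Object ID of the service principal that needs table data access (assumed config key).
    var spObjectId = config.Require("spObjectId");

    var resourceGroup = new Azure.Core.ResourceGroup("rg", new()
    {
        Location = "WestUS2",
    });

    var storageAccount = new Azure.Storage.Account("sa", new()
    {
        ResourceGroupName = resourceGroup.Name,
        Location = resourceGroup.Location,
        AccountTier = "Standard",
        AccountReplicationType = "LRS",
    });

    var table = new Azure.Storage.Table("events", new()
    {
        StorageAccountName = storageAccount.Name,
    });

    // Data-plane role: control-plane roles such as Contributor/Reader (which the
    // asker already held) do not grant read/write on table entities. The scope is
    // the storage account ID, the same scope the az/PowerShell commands use, so the
    // principal gets no table access on other accounts in the subscription.
    var tableDataContributor = new Azure.Authorization.Assignment("sp-table-data-contributor", new()
    {
        Scope = storageAccount.Id,
        RoleDefinitionName = "Storage Table Data Contributor",
        PrincipalId = spObjectId,
    });

    return new Dictionary<string, object?>
    {
        ["storageAccountId"] = storageAccount.Id,
        ["tableName"] = table.Name,
        ["roleAssignmentId"] = tableDataContributor.Id,
    };
});
```

Set the principal with `pulumi config set spObjectId <sp_objectID>` before `pulumi up`; after deployment the assignment appears under the storage account's Access control (IAM) blade, as in the answer's final check.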