403 while being Owner
Antoine
Posted on June 19, 2021
Our project uses tokens provided by Microsoft.Azure.Services.AppAuthentication, like in this example.
For example, if you want to access Key Vault and a database:
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Azure.KeyVault;
using System.Data.SqlClient;
// Use AzureServiceTokenProvider's built-in callback for KeyVaultClient
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
// Request an access token for SqlConnection
using (var sqlConnection = new SqlConnection(YourConnectionString))
{
    // GetAccessTokenAsync returns a Task<string>, so await it before assigning the token
    sqlConnection.AccessToken = await azureServiceTokenProvider.GetAccessTokenAsync("https://database.windows.net");
    sqlConnection.Open();
}
Note: the token is cached across AzureServiceTokenProvider instances, as you can see.
In the example, we use the scope "https://database.windows.net". For Storage, we can use "https://storage.windows.net".
Everything went fine as long as we only used containers, but we got a 403 response when we downloaded blob content.
A 403? Even though I have the Owner role! How is that possible?
The answer is in this blog post. There are roles for the control plane (Owner, Contributor, etc.) and roles for the data plane (Storage Blob Data Contributor, Storage Queue Data Reader). Once a data plane role was set, manipulating blobs or queues was possible.
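Why Owner alone is not enough, as an added Python sketch (not code from the original post): Azure role definitions list control-plane `actions` and data-plane `dataActions` separately, and a wildcard in one list does not cover the other. The permission lists below are abridged from the built-in role definitions, and the function names are this example's own.

```python
import re

P = "Microsoft.Storage/storageAccounts/"
# Abridged permission lists of built-in roles (assumption: shortened for the
# example; see `az role definition list --name "<role>"` for the full ones).
ROLES = {
    "Owner": {"actions": ["*"], "notActions": [],
              "dataActions": [], "notDataActions": []},
    "Storage Blob Data Contributor": {
        "actions": [P + "blobServices/containers/read",
                    P + "blobServices/containers/write",
                    P + "blobServices/containers/delete"],
        "notActions": [],
        "dataActions": [P + "blobServices/containers/blobs/read",
                        P + "blobServices/containers/blobs/write",
                        P + "blobServices/containers/blobs/delete"],
        "notDataActions": []},
    "Storage Queue Data Reader": {
        "actions": [P + "queueServices/queues/read"], "notActions": [],
        "dataActions": [P + "queueServices/queues/messages/read"],
        "notDataActions": []},
}

LIST_CONTAINERS = P + "blobServices/containers/read"    # control-plane action
READ_BLOB = P + "blobServices/containers/blobs/read"    # data-plane action
READ_QUEUE_MSG = P + "queueServices/queues/messages/read"

def _matches(pattern, operation):
    """Case-insensitive match where '*' in the pattern is a wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None

def role_allows(role, operation, data_plane):
    """Allow list minus exclusions, taken from the plane being checked only."""
    allow = role["dataActions" if data_plane else "actions"]
    exclude = role["notDataActions" if data_plane else "notActions"]
    return (any(_matches(p, operation) for p in allow)
            and not any(_matches(p, operation) for p in exclude))

def is_allowed(assigned_roles, operation, data_plane):
    """Role assignments are additive: one role that allows is enough."""
    return any(role_allows(ROLES[r], operation, data_plane) for r in assigned_roles)

if __name__ == "__main__":
    for roles in (["Owner"], ["Owner", "Storage Blob Data Contributor"]):
        print(roles,
              "list containers:", is_allowed(roles, LIST_CONTAINERS, False),
              "read blob:", is_allowed(roles, READ_BLOB, True))
```

With only Owner assigned, the container operation is allowed and the blob read is denied; adding Storage Blob Data Contributor flips the blob read to allowed.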
Hope this helps!