TechQA.

Managed identity access to storage using Flask application

211 views Asked by At

I am using azure-identity and azure-storage-file-share package in Flask.

The app is trying to connect to Azure storage using User assigned managed identity, to read the File Share.

I have created the UAMI and assigned the roles Storage Blob Data Contributor and Storage File Data Privileged Contributor in Azure storage.

The application is deployed in AKS cluster.

Help/Feedback is appreciated.

I am getting the error below in my pod logs when trying to access the storage account.

enter image description here

My application code is simple

enter image description here

Update:

I confirmed that my Managed Identity has Storage Blob Data Contributor and Storage File Data Privileged Contributor in Azure storage.

Now I changed my application code slighly on @Venkatesan comment as follows enter image description here

After deploying in AKS cluster. I am getting following error in my pod logs: enter image description here

I went to my Managed Identity and checked Azure role assignments. It does have proper roles to the storage account. What am I missing??

flask azure-managed-identity azure-storage-files azure-identity
Original Q&A
1

There are 1 answers

8
Venkatesan On

This request is not authorized to perform this operation using this permission.

The above error occurs when your UAMI (User-assigned managed identity) doesn't have access to Azure file storage.

In my environment, I created UAMI(User-assigned managed identity) and added Storage File Data Privileged Contributor to my Azure storage account.

Portal:

enter image description here

You can refer to this MS-document to Specify a user-assigned managed identity for DefaultAzureCredential.

When I tried the below sample code to fetch a list file name with managed identity with client id using Azure Python SDK it executed successfully.

Code:

from azure.storage.fileshare import ShareServiceClient
from azure.identity import DefaultAzureCredential

client_id="<client id of user managed identity>"
Client=ShareServiceClient(account_url="<Your-account-url>",credential=DefaultAzureCredential(managed_identity_client_id=client_id),token_intent= 'backup')
shareclient=Client.get_share_client("test")
directory_client = shareclient.get_directory_client("directory1")
my_list = list(directory_client.list_directories_and_files())
for list in my_list:
    print(list.name)

Output:

20-11-2023 (1).html
21-11-2023.html
22-11-2023 (1).html
22-11-2023.html
Nov 9.html

enter image description here

Related Questions in FLASK

Related Questions in AZURE-MANAGED-IDENTITY

Related Questions in AZURE-STORAGE-FILES

Related Questions in AZURE-IDENTITY

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions