
I’m trying to create a blob container within an Azure storage account with Azure’s Python API.

from azure.identity import DefaultAzureCredential
from azure.storage.blob import BlobServiceClient

def create_storage_container(storageAccountName: str, containerName: str):
    print(
        f"Creating storage container '{containerName}'",
        f"in storage account '{storageAccountName}'"
    )
    credentials = DefaultAzureCredential()
    url = f"https://{storageAccountName}.blob.core.windows.net"
    blobClient = BlobServiceClient(account_url=url, credential=credentials)
    containerClient = blobClient.get_container_client(containerName)
    containerClient.create_container()

On create_container() I get the error:

Exception has occurred: HttpResponseError
This request is not authorized to perform this operation.
RequestId:8a3f8af1-101e-0075-3351-074949000000
Time:2022-12-03T20:00:25.5236364Z
ErrorCode:AuthorizationFailure
Content: <?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationFailure</Code><Message>This request is not authorized to perform this operation.
RequestId:8a3f8af1-101e-0075-3351-074949000000
Time:2022-12-03T20:00:25.5236364Z</Message></Error>

The storage account was created like so:

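from azure.identity import AzureCliCredential
from azure.mgmt.storage import StorageManagementClient

# Creates a storage account if it does not already exist.
# Returns the name of the storage account.
def create_storage_account(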
    resourceGroupName: str, location: str,
    subscriptionId: str, storageAccountName: str
):

    credentials = AzureCliCredential()

    # Why does this have creation powers for storage accounts
    # instead of the ResourceManagementClient?
    storageClient = StorageManagementClient(
        credentials, subscriptionId, "2018-02-01"
    )
    params = {
        "sku": {"name": "Standard_LRS", "tier": "Standard"},
        "kind": "StorageV2",
        "location": location,
        "supportsHttpsTrafficOnly": True,
    }

    result = storageClient.storage_accounts.begin_create(
        resourceGroupName, storageAccountName, params
    )  # type:ignore
    storageAccount = result.result(120)
    print(f"Done creating storage account with name: {storageAccount.name}")

The storage accounts that are generated like this seem to have completely open network access, so I wouldn’t think that would be an issue.

Storage account network settings:

How can I fix this error or create a storage container in another way programmatically?

Thanks

2 Answers


  1. Check the RBAC roles your user is assigned for the storage account. The default ones don’t always enable you to view data, and it sounds like that’s causing your problems.
  2. I tried this in my environment and got the same error:

    If you are accessing a storage account, you need a role like Storage-blob-contributor or storage-blob-owner.

    Go to portal -> storage accounts -> Access Control (IAM) -> Add -> Add role assignments -> storage-blob-contributor or storage-blob-owner.

    After assigning the role to my storage account, I executed the same code and it successfully created the container.

    Code:

    from azure.storage.blob import BlobServiceClient
    from azure.identity import DefaultAzureCredential
    
    storageAccountName="venkat123"
    containerName="test"
    
    def create_storage_container():
        print(
            f"Creating storage container '{containerName}'",
            f"in storage account '{storageAccountName}'"
        )
        credentials = DefaultAzureCredential()
        url = f"https://{storageAccountName}.blob.core.windows.net"
        blobClient = BlobServiceClient(account_url=url, credential=credentials)
        containerClient = blobClient.get_container_client(containerName)
        containerClient.create_container()
        print("Container created")


    create_storage_container()

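The role check both answers describe, as an added example that is not part of the original thread: it evaluates a role-assignment listing to tell whether a principal holds a data-plane role that allows container creation on the account, and reports the narrowest scope that grants it. The function names, principal ids, subscription id and resource group are constructed placeholders; the built-in role display names used are Storage Blob Data Contributor and Storage Blob Data Owner.

```python
# Added example; all function and variable names here are hypothetical.
# Built-in roles whose data actions allow creating blob containers with an
# Azure AD token. Owner and Contributor are management-plane roles: absent.
CONTAINER_WRITE_ROLES = {"storage blob data contributor", "storage blob data owner"}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder
RG = f"{SUB}/resourceGroups/rg-demo"
ACCOUNT = f"{RG}/providers/Microsoft.Storage/storageAccounts/venkat123"

# Constructed sample using the principalId / roleDefinitionName / scope fields
# that `az role assignment list -o json` emits.
SAMPLE = [
    {"principalId": "user-a", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalId": "user-b", "roleDefinitionName": "Contributor", "scope": RG},
    {"principalId": "user-b", "roleDefinitionName": "Storage Blob Data Contributor",
     "scope": ACCOUNT + "4"},  # a different account: venkat1234
    {"principalId": "user-c", "roleDefinitionName": "Storage Blob Data Owner", "scope": SUB},
    {"principalId": "user-c", "roleDefinitionName": "Storage Blob Data Contributor", "scope": RG},
    {"principalId": "user-d", "roleDefinitionName": "Storage Blob Data Reader", "scope": ACCOUNT},
]


def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """A role assignment applies to its scope and every resource beneath it."""
    a = assignment_scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    # Compare on a path-segment boundary so venkat123 never matches venkat1234.
    return r == a or r.startswith(a + "/")


def diagnose(assignments, principal_id: str, account_id: str) -> dict:
    """Report whether principal_id may create containers in account_id."""
    held = [a for a in assignments
            if a["principalId"].lower() == principal_id.lower()
            and scope_covers(a["scope"], account_id)]
    granting = [a for a in held
                if a["roleDefinitionName"].lower() in CONTAINER_WRITE_ROLES]
    if not granting:
        # No data-plane write role: the situation the answers describe.
        return {"authorized": False,
                "held": sorted({a["roleDefinitionName"] for a in held})}
    # Surface the narrowest grant so over-broad ones stand out in review.
    best = max(granting, key=lambda a: len(a["scope"].rstrip("/")))
    return {"authorized": True, "role": best["roleDefinitionName"], "scope": best["scope"]}


if __name__ == "__main__":
    for who in ("user-a", "user-b", "user-c", "user-d"):
        print(who, diagnose(SAMPLE, who, ACCOUNT))
```

When granting the role, prefer the storage-account scope over the resource group or subscription so the identity cannot write to unrelated accounts.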