
Comments (8)

PaulFurlet commented on September 17, 2024

It worked and I can continue further.
Thank you!

from bc2adls.

DuttaSoumya commented on September 17, 2024

Thanks for writing to us. The ContainerExists calls the ADLSEHttp.InvokeRestApi function. So please put a breakpoint on this line, and then gather the URL, Headers that are used in the Http REST API call. (You may be required to uncomment the [NonDebuggable] attribute in the AddAuthorization function in the same codeunit.) Then try to see if you can make the same Https request through Postman / .NET console app and check if you are getting the same error.

For your information, this is the call that is invoked from BC to ADLS: Get Container Metadata.

You may also re-try after creating a fresh secret for the Azure App Registration and enter it on Client secret field of BC.

Regards,
The bc2adls team


PaulFurlet commented on September 17, 2024

Hi.
in the InvokeRestAPI URL is the following: https://fpltest03.blob.core.windows.net/bc2adlscont?restype=container&comp=metadata
in the AddAuthorization the function AcquireTokenAOAuth2 is called, where:
URI is https://login.microsoftonline.com/fafe0a34-[redacted, correct]/oauth2/token
RequestBody is resource=https%3A%2F%2Fstorage.azure.com%2F&scope=https%3A%2F%2Fstorage.azure.com%2Fuser_impersonation&client_id=b84a77ba-[redacted, correct]&client_secret=[redacted, correct]&client_info=1&grant_type=client_credentials
as the result, AccessToken is obtained successfully
So, Headers look legit
Authorization: Bearer [redacted, generated AccessToken]
x-ms-version: 2020-10-02
x-ms-date: Thu, 18 Aug 2022 22:01:27 GMT
but the result of Client.Get is the following:

'AuthorizationPermissionMismatch
This request is not authorized to perform this operation using this permission.
RequestId:128a8d2d-f01e-005d-554b-b3ea7a000000
Time:2022-08-18T21:46:17.8032396Z'

Postman returns the same:
image
image


DuttaSoumya commented on September 17, 2024

Dear @PaulFurlet,

The .NET code which makes a similar call fails using the Blob REST API, so this should be escalated as a support request to the Azure Data Lake team, as the authentication mechanism that you specify seems to be correct, and an error in authentication is out of scope for this project.

HOWEVER, it may be that the real cause is that you do not have the role Storage Blob Data Contributor assigned to your application bc2adls. From the screenshots I can see the role having been assigned to p f <admin@fpltest01...> but not to the bc2adls app registration. If you follow the instructions closely, the role Storage Blob Data Contributor is assigned to the app registration (see the setting 3), and not to any "real" AAD user.
image

Best regards,
The bc2adls team.
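
An added example, not part of the thread or of the bc2adls code: a small diagnostic that compares the `oid` claim of the client-credentials token with the role assignments on the storage account, which is the mismatch described above. The assignment records follow the field names printed by `az role assignment list`; the token, object ids and scope are constructed placeholders, and the audience check assumes the token was requested for `https://storage.azure.com/` as in the thread.

```python
import base64
import json

REQUIRED_ROLE = "Storage Blob Data Contributor"  # role named in the thread

def jwt_claims(token):
    """Decode a JWT payload without verifying the signature (diagnostics only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def covers(assigned_scope, resource_scope):
    """True if an assignment at assigned_scope is inherited by resource_scope."""
    prefix = assigned_scope.rstrip("/").lower() + "/"
    return (resource_scope.rstrip("/").lower() + "/").startswith(prefix)

def diagnose(token, assignments, resource_scope):
    """Return reasons why RBAC would refuse this token on resource_scope."""
    claims = jwt_claims(token)
    findings = []
    if claims.get("aud", "").rstrip("/") != "https://storage.azure.com":
        findings.append("token audience is not Azure Storage")
    oid = claims.get("oid")  # object id of the calling service principal
    holders = [a for a in assignments
               if a["roleDefinitionName"] == REQUIRED_ROLE
               and covers(a["scope"], resource_scope)]
    if not any(a["principalId"] == oid for a in holders):
        types = sorted({a["principalType"] for a in holders}) or ["nobody"]
        findings.append(f"{REQUIRED_ROLE} not assigned to token principal {oid}; "
                        f"held by: {', '.join(types)}")
    return findings

# --- constructed sample data (placeholders, not values from the thread) ---
def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

SP_OID = "11111111-1111-1111-1111-111111111111"    # service principal object id
USER_OID = "22222222-2222-2222-2222-222222222222"  # interactive admin user
ACCOUNT = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
           "/providers/Microsoft.Storage/storageAccounts/demoaccount")
TOKEN = ".".join([_b64({"alg": "none"}),
                  _b64({"aud": "https://storage.azure.com/", "oid": SP_OID}), "sig"])
USER_ONLY = [{"principalId": USER_OID, "principalType": "User",
              "roleDefinitionName": REQUIRED_ROLE, "scope": ACCOUNT}]
FIXED = USER_ONLY + [{"principalId": SP_OID, "principalType": "ServicePrincipal",
                      "roleDefinitionName": REQUIRED_ROLE, "scope": ACCOUNT}]

if __name__ == "__main__":
    print(diagnose(TOKEN, USER_ONLY, ACCOUNT))
    print(diagnose(TOKEN, FIXED, ACCOUNT))
```

The token is decoded only to read its claims; the signature is not validated, so the output is a troubleshooting aid and not an authorization decision.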


PaulFurlet commented on September 17, 2024

Hello @DuttaSoumya
Thank you for your explanation, but I cannot select any application when assigning the role.
I have only user or managed identity as options to choose from (I do not have any managed identity and only one user). So I selected and added the only available variant.
That's why I am wondering what I could be missing that I cannot specify the registered app as role executor for the storage account?
image
image


DuttaSoumya commented on September 17, 2024

Hi @PaulFurlet,

You should be able to see the App Registration name in the list for Select members when you have selected Assign access to as User, group, or service principal.
image

Once selected, the Access Control (IAM) pane for the storage account should show something like this; note the Type is App, not User.
image

But it seems you are unable to see the App Registration as a user. Please check that the list of Enterprise Applications in Azure has your App Registration, like so,
image
Note that the Application Id should match the field with the same name on the App registration.

I would urge you to please re-try Step 1. Create an Azure Service Principal or just do the tutorial Register an application with Microsoft identity platform and then check if the newly registered application shows up as a user in the Access Control (IAM) pane.

Best regards,
The bc2adls team.


PaulFurlet commented on September 17, 2024

Hi @DuttaSoumya,
Thank you for your hints. But I still do not see any clue of application in the list. There is Enterprise Application with my Application Id created automatically.
Assuming, even demo account should be able to perform setup, here are the steps I do for the new registration [I removed everything beforehand, this is demo account anyways, added new user storageacc with simple User permissions]
just like specified in the instructions:

  1. Registering new application
    image
    image
  2. creating Application Secret
    image
  3. {not described in instructions} adding Azure Storage user_impersonation to API permissions
    image
  4. new Enterprise Application created automatically, no manual provisioning applied
    image
  5. new Resource Group (I removed all other)
    image
  6. new Storage Account
    image
  7. enabled hierarchical namespace
    image
  8. trying to add role assignment for the Storage Account - no luck to see any app in the list
    image


PaulFurlet commented on September 17, 2024

@DuttaSoumya omg... if I start to type in the app name, it appears... so unobvious...
image
checking stuff further...
