
Blob Update with 'Storage Blob Data Contributor' permissions on storage account fails #11415

@mhennecke


Describe the bug

Updating properties of a blob via a service principal that has 'Storage Blob Data Contributor' at storage account level fails with:
az storage blob update: error: Storage account '{}' not found.

After adding 'Reader' permissions on storage account level for the service principal, the command fails with:

az storage blob update: error: Azure Error: AuthorizationFailed
Message: The client '{}' with object id '{}' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/listKeys/action' over scope '/subscriptions/{}/resourceGroups/{}/providers/Microsoft.Storage/storageAccounts/{}' or the scope is invalid. If access was recently granted, please refresh your credentials.

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

  • Grant 'Storage Blob Data Contributor' to a service principal on the respective storage account
  • Additionally, grant 'Reader' permission to the service principal on the respective storage account to get the second authorization error
  • az login --service-principal -u {} -p {} --tenant {}
  • az storage blob update --account-name {} --container-name {} --auth-mode login --name {} --content-cache-control {}

Expected Behavior

Blob update is performed as requested

Additional Information

With --debug output enabled, it can be seen that the operation fails at the step where the listKeys API is called, with a 403 response:

urllib3.connectionpool : https://management.azure.com:443 "POST /subscriptions/{}/resourceGroups/{}/providers/Microsoft.Storage/storageAccounts/{}/listKeys?api-version=2019-04-01 HTTP/1.1" 403 518

My guess: az CLI tries to use an account key instead of the requested login method.

I assume that the --auth-mode login is not used properly.

Listing blobs with the same --auth-mode, service principal, storage account and container works as expected.

Environment Summary

Linux-4.4.0-18362-Microsoft-x86_64-with-debian-buster-sid
Python 3.6.5
Shell: bash

azure-cli 2.0.69 *
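The reproduction described in the report, as an added example that is not part of the issue or of the azure-cli project: it wraps the role assignment, login and `az storage blob update --auth-mode login` steps in a script and then inspects the `--debug` output for the telltale `listKeys` call on management.azure.com, which is the signal that the data-plane command fell back to account-key authentication instead of the OAuth token `--auth-mode login` asks for. All subscription, resource group, account, container, blob and service principal values are placeholders; the sample debug lines are constructed from the single line quoted in the report.

```shell
#!/usr/bin/env bash
# Added example (not from the issue or azure-cli): reproduce the report and
# detect a fall-back to account keys in `az --debug` output.
set -eu

# ARM resource id of a storage account; this is the scope named in the
# AuthorizationFailed error, and the scope the role assignment is made on.
storage_account_scope() {
  # $1 subscription id, $2 resource group, $3 storage account name
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' \
    "$1" "$2" "$3"
}

# Count listKeys requests against the ARM endpoint in az --debug output (stdin).
# With --auth-mode login a blob command should never need listKeys, so any hit
# means the CLI is obtaining (or trying to obtain) an account key.
count_listkeys_calls() {
  grep -c 'management.azure.com.*/listKeys?api-version=' || true
}

# Print the HTTP status code of each listKeys response (stdin), one per line.
# 403 is what the report shows for a principal without listKeys/action.
listkeys_status() {
  sed -n 's/.*\/listKeys?api-version=[^ ]* HTTP\/1\.1" \([0-9]\{3\}\).*/\1/p'
}

# Constructed sample (placeholder ids), modelled on the debug line in the report:
# a token request, then the listKeys call that is denied with 403.
SAMPLE_DEBUG_LOG='urllib3.connectionpool : https://login.microsoftonline.com:443 "POST /tenant-id/oauth2/token HTTP/1.1" 200 1400
urllib3.connectionpool : https://management.azure.com:443 "POST /subscriptions/sub-id/resourceGroups/rg/providers/Microsoft.Storage/storageAccounts/acct/listKeys?api-version=2019-04-01 HTTP/1.1" 403 518'

# Live reproduction. Requires `az` and a working tenant; not run by default.
# $1 subscription, $2 resource group, $3 storage account, $4 container,
# $5 blob name, $6 service principal app id, $7 its secret, $8 tenant id
reproduce_issue() {
  scope=$(storage_account_scope "$1" "$2" "$3")

  # Data-plane role only, as in the first part of the report (no Reader).
  az role assignment create --assignee "$6" --role "Storage Blob Data Contributor" --scope "$scope"

  az login --service-principal -u "$6" -p "$7" --tenant "$8"

  # --debug goes to stderr; capture everything for inspection.
  az storage blob update --account-name "$3" --container-name "$4" --auth-mode login \
    --name "$5" --content-cache-control 'no-cache' --debug 2>&1 | tee update-debug.log

  n=$(count_listkeys_calls < update-debug.log)
  if [ "$n" -gt 0 ]; then
    echo "FAIL: $n listKeys call(s) despite --auth-mode login; HTTP status:" >&2
    listkeys_status < update-debug.log >&2
    return 1
  fi
  echo "OK: no listKeys call, OAuth token was used"
}

# Offline demonstration on the constructed sample.
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_DEBUG_LOG" | count_listkeys_calls
  printf '%s\n' "$SAMPLE_DEBUG_LOG" | listkeys_status
fi
```

Run with `--demo` to see the detector applied to the constructed sample, or call `reproduce_issue` with real values against a test account; the comparison the report makes (`az storage blob list` succeeding with the same principal and `--auth-mode login`) can be checked the same way by piping that command's `--debug` output through `count_listkeys_calls`, which should print 0.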
