DEV Community πŸ‘©β€πŸ’»πŸ‘¨β€πŸ’»

DEV Community πŸ‘©β€πŸ’»πŸ‘¨β€πŸ’» is a community of 968,547 amazing developers

We're a place where coders share, stay up-to-date and grow their careers.

Create account Log in
Cover image for 403 while being Owner
Antoine
Antoine

Posted on

403 while being Owner

Photo by Kyle Glenn on Unsplash

Our project is using Token provided by Microsoft.Azure.Services.AppAuthentication, like in this example.

For example, if you want to access KeyVault and database

using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Azure.KeyVault;
using System.Data.SqlClient

// Use AzureServiceTokenProvider’s built-in callback for KeyVaultClient
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));

// Request an access token for SqlConnection
sqlConnection = new SqlConnection(YourConnectionString)) 
{ 
    sqlConnection.AccessToken = azureServiceTokenProvider.GetAccessTokenAsync("https://database.windows.net"); 
    sqlConnection.Open(); 
}
Enter fullscreen mode Exit fullscreen mode

Note: the token is cached across AzureServiceTokenProvider instance as you can see.

In the example, we use the scope "https://database.windows.net". For Storage, we can use "https://storage.windows.net".
Everything went fine as long as we use Container, but we get 403 response when we download blob content.

403 ? even if i have the Owner role ! how is it possible ?

The answer is in this blog post. There are role for Content Plane (Owner / Contributor etc ..), and for Data Plane (Storage Blob Data Contributor / Storage Queue Data Reader). Once set, manipulation blob or queue was possible.

Hope this help !

Latest comments (0)

🌚 Friends don't let friends browse without dark mode.

Good news! You can update to dark mode in your DEV settings.