Unable to programmatically get the keys for Azure Storage Account
I am trying to get the keys for all the Storage Accounts in my subscription. But I am getting this exception on one of the Storage Accounts when using the Azure Java SDK.

com.microsoft.azure.CloudException: Status code 403, {"error":{"code":"AuthorizationFailed","message":"The client '5c79ee27-#########-######91f8e3' with object id '5c79ee27-###########-#####91f8e3' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/listKeys/action' over scope '/subscriptions/758ad253-#######f07/resourceGroups/spcwestus/providers/Microsoft.Storage/storageAccounts/grsstorag'."}}: The client '5c79ee27-###########-#####91f8e3' with object id '5c79ee27-###########-#####91f8e3' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/listKeys/action' over scope '/subscriptions/758ad253-#######f07/resourceGroups/spcwestus/providers/Microsoft.Storage/storageAccounts/grsstorag'.

For most of the Storage Accounts I manage to get the keys. But for some of them the same error gets repeated. What does this mean?

Curagh answered 1/8, 2017 at 22:11 Comment(1)
Are you able to resolve the error now? - Pirali

From the error you encountered, the server responded to your request with an HTTP 403 status code, which indicates that your request is forbidden by the server.

HTTP 403 Status Code

A server that receives valid credentials that are not adequate to gain access ought to respond with the 403 (Forbidden) status code
(Section 6.5.3 of [RFC7231]).

This is most probably caused by some Role-Based Access Controls that are in place to prevent your account from performing the list storage account keys action on certain storage accounts, based on your assigned role.

You can use the Azure PowerShell cmdlet below to verify whether the role assigned to your specific object under the specific scope has permission to list the storage account keys.

Get-AzureRmRoleAssignment -Scope "/subscriptions/758ad253-#######f07/resourceGroups/spcwestus/providers/Microsoft.Storage/storageAccounts/grsstorag" -ObjectId 5c79ee27-###########-#####91f8e3

For more information, please refer to the link below:

Use Role-Based Access Control to manage access to your Azure subscription resources

Pirali answered 1/8, 2017 at 22:49 Comment(4)
To whoever downvoted my answer, do you have any strong justification for your downvote? Please be responsible for your action. I can accept criticism and feedback, but not an irresponsible downvote! Probably you should provide a better answer before you do so. - Pirali
I did not downvote it, but if I were to answer this question, I would have provided a more detailed answer. For example, I would have included the roles that by default have permission to list keys for a storage account and given more context behind the listKeys action. - Tobacco
@GauravMantri Thanks very much for your constructive feedback. I agree with you and am actually looking to provide a more detailed answer like what you have suggested. - Pirali
Just managed to solve it. The resource group had a "Reader" access role for the application accessing Azure. The reader role has no authority to read the secret keys. I changed the access role to contributor for the resource group and it started working. - Curagh
Maybe as an addition to the above. Azure has the Storage Account Key Operator Service Role, which is described as follows:

  • Storage Account Key Operators are allowed to list and regenerate keys on Storage Accounts

Granting you this role should allow you to list the keys.

Laryngology answered 18/5, 2022 at 17:55 Comment(0)
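Pulling the two answers together, here is an added PowerShell example that is not from either poster: a function that decides whether a role definition's Actions/NotActions cover the listKeys action (the reason a Reader assignment fails while Contributor or the Storage Account Key Operator Service Role succeeds), run over constructed role shapes, plus a live wrapper around the Az-module successors of the Get-AzureRmRoleAssignment call shown above. Test-RoleGrantsAction, Get-ListKeysGrant and the abridged role definitions are assumptions of this example, and the scope and object id are placeholders.

```powershell
# Action the failing SDK call needs. ARM compares action names case-insensitively,
# and PowerShell's -like is case-insensitive by default, so the two agree.
$ListKeysAction = 'Microsoft.Storage/storageAccounts/listKeys/action'

# True when a role's Actions cover $Action and no NotActions entry excludes it.
# Built-in RBAC patterns only use '*', which -like treats as a wildcard.
function Test-RoleGrantsAction {
    param([string[]]$Actions, [string[]]$NotActions, [string]$Action)
    $allowed = @($Actions    | Where-Object { $Action -like $_ })
    $denied  = @($NotActions | Where-Object { $Action -like $_ })
    return ($allowed.Count -gt 0) -and ($denied.Count -eq 0)
}

# Constructed, abridged role shapes (assumption; compare with Get-AzRoleDefinition
# in your own tenant). Reader's '*/read' can never match an operation that ends
# in '/action', which is why listing keys is denied even though reading is allowed.
$roles = @{
    'Reader'      = @{ Actions = @('*/read'); NotActions = @() }
    'Contributor' = @{ Actions = @('*')
                       NotActions = @('Microsoft.Authorization/*/Delete',
                                      'Microsoft.Authorization/*/Write') }
    'Storage Account Key Operator Service Role' = @{
        Actions = @('Microsoft.Storage/storageAccounts/listkeys/action',
                    'Microsoft.Storage/storageAccounts/regeneratekey/action')
        NotActions = @() }
}
foreach ($name in $roles.Keys) {
    $r  = $roles[$name]
    $ok = Test-RoleGrantsAction $r.Actions $r.NotActions $ListKeysAction
    '{0,-45} grants listKeys: {1}' -f $name, $ok
}

# Live check (hypothetical helper). Get-AzRoleAssignment with -Scope returns the
# assignments that apply at that scope, including ones inherited from the resource
# group or subscription, so an RG-level Reader shows up here as well.
function Get-ListKeysGrant {
    param([string]$Scope, [string]$ObjectId)
    Get-AzRoleAssignment -Scope $Scope -ObjectId $ObjectId | ForEach-Object {
        $def = Get-AzRoleDefinition -Id $_.RoleDefinitionId
        [pscustomobject]@{
            Role           = $def.Name
            AssignedAt     = $_.Scope
            GrantsListKeys = Test-RoleGrantsAction $def.Actions $def.NotActions $ListKeysAction
        }
    }
}
# Get-ListKeysGrant -Scope '/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<account>' -ObjectId '<app-object-id>'
```

Of the three roles, only the Storage Account Key Operator Service Role grants listKeys without also granting write access to everything else in the scope, so it is the least-privilege fix for an application that only needs the keys.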