Azure / azure-rest-api-specs

The source for REST API specifications for Microsoft Azure.
MIT License

Storage: Using AAD Auth to update ACL for an existing container ends up with 404 #21347

Open magodo opened 1 year ago

magodo commented 1 year ago

I have a storage account and container created:

The storage account:

```
GET https://management.azure.com/subscriptions/xxxx/resourceGroups/magodo-issue19055/providers/Microsoft.Storage/storageAccounts/samplest00002?api-version=2021-09-01
```

```json
{
    "identity": {
        "principalId": "9a4d1211-83ae-4745-a81d-ca26191a9b2f",
        "tenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47",
        "type": "SystemAssigned"
    },
    "sku": {
        "name": "Standard_LRS",
        "tier": "Standard"
    },
    "kind": "StorageV2",
    "id": "/subscriptions/****/resourceGroups/magodo-issue19055/providers/Microsoft.Storage/storageAccounts/samplest00002",
    "name": "samplest00002",
    "type": "Microsoft.Storage/storageAccounts",
    "location": "westeurope",
    "tags": {},
    "properties": {
        "defaultToOAuthAuthentication": false,
        "publicNetworkAccess": "Enabled",
        "keyCreationTime": {
            "key1": "2022-10-31T06:06:23.8000765Z",
            "key2": "2022-10-31T06:06:23.8000765Z"
        },
        "allowCrossTenantReplication": true,
        "privateEndpointConnections": [],
        "isNfsV3Enabled": false,
        "minimumTlsVersion": "TLS1_2",
        "allowBlobPublicAccess": true,
        "allowSharedKeyAccess": false,
        "isHnsEnabled": false,
        "networkAcls": {
            "resourceAccessRules": [],
            "bypass": "None",
            "virtualNetworkRules": [],
            "ipRules": [],
            "defaultAction": "Allow"
        },
        "supportsHttpsTrafficOnly": true,
        "encryption": {
            "services": {
                "file": {
                    "keyType": "Account",
                    "enabled": true,
                    "lastEnabledTime": "2022-10-31T06:06:23.8000765Z"
                },
                "blob": {
                    "keyType": "Account",
                    "enabled": true,
                    "lastEnabledTime": "2022-10-31T06:06:23.8000765Z"
                }
            },
            "keySource": "Microsoft.Storage"
        },
        "accessTier": "Hot",
        "provisioningState": "Succeeded",
        "creationTime": "2022-10-31T06:06:23.6594191Z",
        "primaryEndpoints": {
            "dfs": "https://samplest00002.dfs.core.windows.net/",
            "web": "https://samplest00002.z6.web.core.windows.net/",
            "blob": "https://samplest00002.blob.core.windows.net/",
            "queue": "https://samplest00002.queue.core.windows.net/",
            "table": "https://samplest00002.table.core.windows.net/",
            "file": "https://samplest00002.file.core.windows.net/"
        },
        "primaryLocation": "westeurope",
        "statusOfPrimary": "available"
    }
}
```

Note that `"allowSharedKeyAccess": false`.

The container:

```
GET https://samplest00002.blob.core.windows.net/container?restype=container

(IN HEADER)
...
x-ms-blob-public-access:        container
...
```

Then if I try to update the `x-ms-blob-public-access`, it fails:

```
PUT https://samplest00002.blob.core.windows.net/container?comp=acl&restype=container
```

Response:

```
404

b'\xef\xbb\xbf<?xml version="1.0" encoding="utf-8"?><Error><Code>ResourceNotFound</Code><Message>The specified resource does not exist.\nRequestId:cac0854a-901e-001d-1df3-ec7076000000\nTime:2022-10-31T06:40:30.0990237Z</Message></Error>'
```

If I modify the storage account to allow shared key access and use the shared key as the auth method for the above PUT request, it succeeds.

BTW, my account has both the "Owner" role and the `Storage Blob Data Contributor` role assigned.

magodo commented 1 year ago

Per https://learn.microsoft.com/en-us/rest/api/storageservices/authorize-with-azure-active-directory#permissions-for-calling-data-operations, the Get/Set Container ACL operations do not yet support AAD auth.
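An added example (not code from the issue or from the azure-rest-api-specs project) that turns the two findings above into a check a tooling author can run before issuing the call: it parses the Blob service XML error body exactly as returned in the 404 (including the UTF-8 BOM bytes in front of the `<?xml` declaration, which trips a naive XML parser), and it flags the two account states from this thread that make Set Container ACL fail. The sample account JSON and error body are constructed from the values in the issue; `SHARED_KEY_ONLY_OPS` is an assumed list built from the linked documentation, and `preflight` is a hypothetical helper name.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample: the account properties from the issue, trimmed to the relevant fields.
ACCOUNT_JSON = '{"properties": {"allowSharedKeyAccess": false, "allowBlobPublicAccess": true}}'

# Constructed sample: the 404 body from the issue. Note the BOM bytes (EF BB BF) before "<?xml".
ERROR_BODY = (
    b'\xef\xbb\xbf<?xml version="1.0" encoding="utf-8"?><Error><Code>ResourceNotFound</Code>'
    b'<Message>The specified resource does not exist.\nRequestId:cac0854a-901e-001d-1df3-ec7076000000'
    b'\nTime:2022-10-31T06:40:30.0990237Z</Message></Error>'
)

# Assumption: data-plane operations that, per the linked docs, cannot be authorized with Azure AD.
SHARED_KEY_ONLY_OPS = {"Get Container ACL", "Set Container ACL"}


def parse_storage_error(body: bytes) -> dict:
    """Split a Blob service XML error body into code, message, request id and time.
    'utf-8-sig' strips the BOM; without that, ET.fromstring raises a ParseError."""
    root = ET.fromstring(body.decode("utf-8-sig"))
    lines = (root.findtext("Message") or "").split("\n")
    info = {"code": root.findtext("Code"), "message": lines[0]}
    for line in lines[1:]:
        key, _, value = line.partition(":")  # "RequestId:..." and "Time:..." trailers
        info[key.lower()] = value
    return info


def preflight(op: str, auth: str, account_json: str) -> str:
    """Report why a data-plane call is going to fail before sending it.
    auth is 'aad' or 'shared_key'; account_json is the ARM GET response for the account."""
    props = json.loads(account_json)["properties"]
    if op in SHARED_KEY_ONLY_OPS and auth == "aad":
        # The service answers this case with 404 ResourceNotFound, not 401/403.
        return "blocked: operation does not support Azure AD; expect 404 ResourceNotFound"
    if auth == "shared_key" and not props.get("allowSharedKeyAccess", True):
        return "blocked: allowSharedKeyAccess is false on this account"
    return "ok"


if __name__ == "__main__":
    print(parse_storage_error(ERROR_BODY))
    print(preflight("Set Container ACL", "aad", ACCOUNT_JSON))
    print(preflight("Set Container ACL", "shared_key", ACCOUNT_JSON))
```

With the account exactly as shown in the issue, both auth paths are reported as blocked, which matches the thread: the call only succeeds after shared key access is re-enabled on the account.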

ghost commented 1 year ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @xgithubtriage.

Author: magodo
Assignees: -
Labels: `Storage`, `Service Attention`, `needs-triage`
Milestone: -