Which version of the SDK was used?
Azure Go SDK
github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/container
Which platform are you using? (ex: Windows, Linux, Debian)
Running a job in AKS on a Linux docker container
What problem was encountered?
I was submitting a request to the SDK and it returned a 403 error
RESPONSE 403: 403 This request is not authorized to perform this operation.
ERROR CODE: AuthorizationFailure
It took me some time to figure out the problem because the error did not articulate exactly what was wrong, which was that I had not given access to the managed identity that represents the job's service account on Azure.
How can we reproduce the problem in the simplest way?
create a storage account
create a managed identity - but do not give it access to the storage account
create an AKS cluster
make sure that the AKS cluster has access to the storage account through a common vnet
create a namespace on the cluster
create a service account on the cluster
federate the service account to the Azure managed identity
create a job to run on the AKS cluster that uses a Linux container running software written in Go that will create a new Azure storage container in the storage account you created in the first step
run the job
Have you found a mitigation/solution?
I cannot change error messages - only you can.
I suggest something a bit more meaningful like
the identity (ObjectID: ########-####-####-####-############) used for this request does not have authorization to perform this action
the phrase "This request is not authorized to perform this operation." does not seem right - because one does not authorize requests - one authorizes an identity to make requests
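Until the service says which identity was refused, a caller can recover it from the access token it sent. The following is an added example, not code from the issue or from the SDK: it reads the `oid` claim from a token's JWT payload and produces the message suggested above. `objectIDFromToken`, `explainAuthFailure` and `sampleToken` are hypothetical names, and the token and object ID are constructed placeholders.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// objectIDFromToken reads the oid claim without verifying the signature: diagnostics only.
func objectIDFromToken(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("not a JWT: expected three dot-separated parts")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", fmt.Errorf("decode payload: %w", err)
	}
	var claims struct {
		OID string `json:"oid"` // object ID of the calling principal
	}
	if err := json.Unmarshal(payload, &claims); err != nil || claims.OID == "" {
		return "", errors.New("payload has no usable oid claim")
	}
	return claims.OID, nil
}

// explainAuthFailure (hypothetical, not an SDK function) names the identity behind a 403.
func explainAuthFailure(status int, code, token string) string {
	if status != 403 || code != "AuthorizationFailure" {
		return fmt.Sprintf("HTTP %d %s", status, code)
	}
	oid, err := objectIDFromToken(token)
	if err != nil {
		return "HTTP 403 AuthorizationFailure (identity unknown: " + err.Error() + ")"
	}
	return "the identity (ObjectID: " + oid + ") used for this request does not have authorization to perform this action"
}

// sampleToken returns a constructed, unsigned token with a placeholder object ID.
func sampleToken() string {
	claims := `{"oid":"00000000-0000-0000-0000-000000000001"}`
	return "e30." + base64.RawURLEncoding.EncodeToString([]byte(claims)) + ".sig"
}

func main() {
	fmt.Println(explainAuthFailure(403, "AuthorizationFailure", sampleToken()))
}
```

In a real job the status and error code would come from the SDK's response error and the token from the credential the client was built with; log only the object ID, never the token itself.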