Azure Blob - Using InteractiveBrowserCredential as an alternative to ClientSecretCredential -> AuthorizationPermissionMismatch

[Krande]

Packages

• azure-storage-blob:
• 12.5.0:
• azure-identity:
• 1.5.0b1:

OS

• Windows 10:
• Python 3.8.3:

The issue
So this might not be an issue but perhaps a case of me misunderstanding some of the basic concepts. Nevertheless I am having a hard time understanding how to (if at all possible) use the InteractiveBrowserCredential class as an alternative to the ClientSecretCredential class when downloading from my azure storage blob (which has a private access level). The ClientSecretCredential (based on this) works as intended, but whenever I try to use the InteractiveBrowserCredential the following error occurs:

azure.core.exceptions.HttpResponseError: This request is not authorized to perform this operation using this permission.
RequestId:efa92bbe-c01e-0059-6ef1-a1e0db000000
Time:2020-10-14T06:17:37.7546405Z
ErrorCode:AuthorizationPermissionMismatch
Error:None

A Reproducible example

from azure.identity import InteractiveBrowserCredential, ClientSecretCredential
from azure.storage.blob import BlobServiceClient

tenant_id = #yourinput
client_id = #yourinput
client_secret = #yourinput
account_name = #yourinput
blob_name = #yourinput
container_name = #yourinput
destination_file = #yourinput

# This works
token_credential = ClientSecretCredential(tenant_id, client_id, client_secret)

# This does not work
token_credential_alt = InteractiveBrowserCredential(client_id=client_id, tenant_id=tenant_id)
record = token_credential_alt.authenticate(scopes=[f'https://{account_name}.blob.core.windows.net/.default'])

blob_service_client = BlobServiceClient(
    account_url=f'https://{account_name}.blob.core.windows.net',
    credential=token_credential_alt
)

blob = blob_service_client.get_blob_client(container=container_name, blob=blob_name)

with open(destination_file, "wb") as my_blob:
    blob_data = blob.download_blob()
    blob_data.readinto(my_blob)

I am a bit unsure of what exactly is the correct input for scopes in the authenticate()method. I do believe my app registration is OK (given that it works using the ClientSecretCredential class.

I have tried to find related issues that could help me with this, but the closest ones I could find #13826 and #13834 does not seem to offer any specific reproducible examples (which a novice like myself is in dire need of!).

Please let me know if you need any more information regarding this issue?

Best Regards
Kristoffer

[chlowell]

InteractiveBrowserCredential authenticates a user while ClientSecretCredential authenticates a service principal. These different identities may have different permissions and therefore aren't substitutes for each other in accessing a particular resource. So in this case I suppose the user you're authenticating isn't authorized to access that blob. I'm not so familiar with storage access control, but I think the user would need at least the Storage Blob Data Reader role.

Also, in your example it isn't necessary to call InteractiveBrowserCredential.authenticate. BlobServiceClient will authenticate as needed with the credential it's given.

[Krande]

Aha, thank you very much for clarifying the principle differences! You are absolutely correct! By giving a group of users Reader and Storage Blob Data Reader roles to a specific private container I was able to access the blobs by simply using

blob_service_client = BlobServiceClient(
    account_url=f'https://{account_name}.blob.core.windows.net',
    credential=InteractiveBrowserCredential()
)

I'll close this issue now.

Best Regards
Kristoffer