How can I access a storage container from within an AKS pod?

Tom 0 Reputation points
2025-01-17T13:09:58.7366667+00:00

I have an AKS cluster that runs a Python application on a pod. The code attempts to list files in a storage container via the Azure SDK. It fails due to lack of permissions and I cannot figure out how to make it work.

I am well-versed in AWS but new to Azure, so please forgive me if I have this wrong. My understanding is that the AKS cluster has a managed identity. So I have assigned roles to that identity with various scopes (tried subscription, resource group, storage account, etc.). My thought was if I do this, and use ManagedIdentityCredential in my code, it should "see" the files automatically. And it fails. I've tried everything, assigned dozens of roles and scopes. I just get:

azure.core.exceptions.HttpResponseError: This request is not authorized to perform this operation using this permission.

If I try this from a VM, all is fine. It is like the pod doesn't know how to read the identity. In AWS, I would assign an IAM role to my EKS worker nodes and any pod running AWS SDK code would just "See" it and work. I'm trying to emulate that here. I've spent many hours googling this, going in hallucinated circles via AI and trying everything. I just don't get it. Will be glad to post any logs/output/additional information!

Thanks.

Azure Kubernetes Service (AKS)
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.

2 answers

Sort by: Most helpful
  1. Manu Philip 18,961 Reputation points MVP
    2025-01-17T20:36:03.0933333+00:00

    Hi Tom

    When you want to use a Managed Identity to connect to Azure Storage, make sure that your cluster is configured to use Managed Identity and linked to your storage account.

    An example is given below:

    az aks create --resource-group <rg-name> --name <aks-name> --enable-managed-identity
    

    Azure Storage account should have the access from the Managed Identity associated with your AKS cluster.

    Following is the sample command to use:

    az role assignment create --assignee <principal-object-id> --role "Storage Blob Data Contributor" --scope /subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Storage/storageAccounts/<storage-account-name>
    

    Hope this helps.


    --please don't forget to upvote and Accept as answer if the reply is helpful--
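Added example, not code from the question or either answer: a small offline check for the situation Tom describes (authenticated caller, "This request is not authorized to perform this operation using this permission") against the role assignment Manu shows. That error comes back when the caller authenticates but holds no blob data-plane role at a scope that covers the storage account; the control-plane roles Owner, Contributor and Reader manage the account resource and do not authorize blob operations such as listing, and a data role assigned on a different account or a narrower scope does not help either. The script does not call Azure: `SAMPLE_BEFORE` and `SAMPLE_AFTER` are constructed stand-ins for the parsed output of `az role assignment list --assignee <principal-object-id> --all -o json`, reduced to the two fields the check uses, and the subscription, resource group and account names are placeholders.

```python
"""Check whether a principal's Azure RBAC assignments grant blob data-plane
access on one storage account. Added example; not from the original thread.
Usage: az role assignment list --assignee <object-id> --all -o json | python check.py
"""
import json
import sys

SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # placeholder
RESOURCE_GROUP = "rg-demo"                                 # placeholder
STORAGE_ACCOUNT = "stdemo001"                              # placeholder

# Built-in roles that authorize blob data-plane calls (list/read/write).
# Owner, Contributor and Reader are deliberately absent: they are control-plane
# roles and do not grant access to blob data.
BLOB_DATA_ROLES = {
    "Storage Blob Data Reader",
    "Storage Blob Data Contributor",
    "Storage Blob Data Owner",
}


def storage_account_scope(subscription_id, resource_group, account):
    """ARM resource id of a storage account, i.e. the --scope used in the answer above."""
    return (f"/subscriptions/{subscription_id}"
            f"/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Storage/storageAccounts/{account}")


def scope_covers(assignment_scope, target_scope):
    """Azure RBAC inherits downward: an assignment on the subscription, the
    resource group or the account itself covers the account. A narrower scope
    (e.g. a single container) or a different account does not. Scopes are
    compared case-insensitively because the CLI/portal vary the casing."""
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def effective_blob_roles(assignments, target_scope):
    """Data-plane roles whose scope actually covers the target account."""
    return sorted({a["roleDefinitionName"] for a in assignments
                   if a["roleDefinitionName"] in BLOB_DATA_ROLES
                   and scope_covers(a["scope"], target_scope)})


def diagnose(assignments, target_scope):
    """Return (status, roles):
    'ok'                 - a blob data role covers the account
    'control-plane-only' - roles cover the account but none of them is a data role
    'no-assignment'      - nothing covers the account at all"""
    data_roles = effective_blob_roles(assignments, target_scope)
    if data_roles:
        return "ok", data_roles
    covering = sorted({a["roleDefinitionName"] for a in assignments
                       if scope_covers(a["scope"], target_scope)})
    if covering:
        return "control-plane-only", covering
    return "no-assignment", []


# Constructed sample (parsed form of the CLI's JSON). Scenario 1 mirrors the
# question: control-plane roles at several scopes plus a data role on the wrong
# account, which is why list_blobs still fails.
SAMPLE_BEFORE = [
    {"roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/{RESOURCE_GROUP}"},
    {"roleDefinitionName": "Reader",
     "scope": f"/subscriptions/{SUBSCRIPTION_ID}"},
    {"roleDefinitionName": "Storage Blob Data Contributor",
     "scope": storage_account_scope(SUBSCRIPTION_ID, RESOURCE_GROUP, "stotheraccount")},
]
# Scenario 2: the assignment from the answer above, scoped to the account itself.
SAMPLE_AFTER = SAMPLE_BEFORE + [
    {"roleDefinitionName": "Storage Blob Data Contributor",
     "scope": storage_account_scope(SUBSCRIPTION_ID, RESOURCE_GROUP, STORAGE_ACCOUNT)},
]


if __name__ == "__main__":
    target = storage_account_scope(SUBSCRIPTION_ID, RESOURCE_GROUP, STORAGE_ACCOUNT)
    # Real run: pipe the CLI output in. Without input, show both constructed scenarios.
    if not sys.stdin.isatty():
        print(diagnose(json.load(sys.stdin), target))
    else:
        print("before:", diagnose(SAMPLE_BEFORE, target))
        print("after: ", diagnose(SAMPLE_AFTER, target))
```

Run it against the real CLI output for the object id the pod actually authenticates as; a `control-plane-only` result means the roles are there but are the wrong kind, and `no-assignment` means the assignment is on a different account or scope than the one the code targets.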


  2. Bruce (SqlWork.com) 69,976 Reputation points
    2025-01-20T20:38:36.79+00:00

    There is no default managed identity; you need to set it up:

    https://learn.microsoft.com/en-us/azure/aks/use-managed-identity

