Can you use ShareServiceClient without using token_intent="backup" to access azure file share

Question

I have the code below. The goal of the greater function is just files off the file share location to an external blob storage. The function works completely fine when I use a hard coded key so I know my environment variables are fine. The issue doesn't really start until I have to use the token_intent, i get a mismatched permission error that I have no way to resolve.

My question is if there is any way around this token_intent configuration, I have tried using =None but that does not work. The internet and chatgpt have suggested trying other key words in place of "backup", such as storage, but best I can tell that is not a viable solution for this task.

class Connection:
    def __init__(self):
        azure_credential=DefaultAzureCredential()
        self.fileshare_service_client = ShareServiceClient(account_url=AZURE_FILE_STORAGE_URL, credential=azure_credential, token_intent='backup')
        self.file_path = AZURE_FOLDER_PATH

Answer 1

@Kevin Brown Thanks for posting your query on Microsoft Q&A.

token_intent is Required when using TokenCredential for authentication and can be ignored for other forms of authentication. It specifies the intent for all requests when using TokenCredential authentication.

Please try the following troubleshooting steps:

1. What version of azure-storage-file-share are you using? see CHANGELOG and get to the latest released version or at least 12.12.0 to use a TokenCredential with the Files service.
2. token_intent - backup: Specifies requests are intended for backup/admin type operations, meaning that all file/directory ACLs are bypassed, and full permissions are granted. User must also have required RBAC permission.
   Note that file-share has its own set of RBAC roles.
   Please check these RBAC roles (search for file share in the doc) and ensure you have the right roles assigned.

Since you are facing mismatched permission errors, it is important to ensure that the Microsoft Entra security principle you are using has the appropriate roles and permissions assigned to access the Azure file share. You may need to review the permissions granted to the security principal and ensure they align with the operations you intend to perform.

Refer to these threads on steps to follow for roles and permissions in case of mismatched permission errors:

• https://learn.microsoft.com/en-us/answers/questions/1428896/authorizationpermissionmismatch-when-trying-to-upl
• https://learn.microsoft.com/en-us/answers/questions/1469231/authorizationpermissionmismatch-for-access-to-azur

Additional reading:

• https://github.com/Azure/azure-sdk-for-python/issues/35755
• https://learn.microsoft.com/en-us/azure/storage/files/storage-python-how-to-use-file-storage#set-up-a-connection-to-azure-files
• https://learn.microsoft.com/en-us/troubleshoot/azure/azure-storage/files/security/files-troubleshoot-smb-authentication?tabs=azure-portal

Let me know if you have any questions or updates to share.