ASP.NET Core data protection using blob storage and key vault

Richard Barraclough 6 Reputation points
2024-10-22T12:11:45.0233333+00:00

The SAS has expired which has taken everything down.

How do I get it to work again?

I go to the storage account and generate new SAS


Then I copy the SAS token and prepend a ? and then use it like this

    services.AddDataProtection()
        .PersistKeysToAzureBlobStorage(new Uri(aspNetCoreDataProtectionOptions.BlobUri + aspNetCoreDataProtectionOptions.SasToken))
        .ProtectKeysWithAzureKeyVault(new Uri(aspNetCoreDataProtectionOptions.KeyIdentifier), new DefaultAzureCredential())
        .SetApplicationName(applicationName /*trimmedContentRootPath*/);

(Can't get out of this code box.)

Now my application won't start up because:

RequestFailedException: This request is not authorized to perform this operation using this resource type. RequestId:4839642c-a01e-00b0-657a-241ec4000000 Time:2024-10-22T12:01:00.2244829Z Status: 403 (This request is not authorized to perform this operation using this resource type.) ErrorCode: AuthorizationResourceTypeMismatch Content: 

  1. Richard Barraclough 6 Reputation points
    2024-10-22T12:12:47.4166667+00:00

    The error message gets removed from my post. Here it is:

    RequestFailedException: This request is not authorized to perform this operation using this resource type. RequestId:4839642c-a01e-00b0-657a-241ec4000000 Time:2024-10-22T12:01:00.2244829Z Status: 403 (This request is not authorized to perform this operation using this resource type.) ErrorCode: AuthorizationResourceTypeMismatch Content: <?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationResourceTypeMismatch</Code>


  2. Richard Barraclough 6 Reputation points
    2024-10-22T12:47:54.3666667+00:00

    Key vault -> access policies -> choose the managed identity of the app and add all permissions.


  3. Vinod Kumar Reddy Chilupuri 660 Reputation points Microsoft Vendor
    2024-11-07T13:10:27.1033333+00:00

    Hi Richard Barraclough

    Welcome to Microsoft Q&A, thanks for posting your query.

    The error you are facing, "AuthorizationResourceTypeMismatch", is due to your SAS token not having the correct permissions or resource types needed for the Data Protection service to interact with Blob Storage. Here are the steps to follow to generate a valid SAS token.

    Check Permissions:

    Navigate to the Shared access signature settings of the storage account as shown in your screenshot.

    Verify the allowed permissions include Read, Write, Delete, List and Create. These are important for managing Data Protection keys in Blob Storage.

    Correct Resource Types:

    Under Allowed resource types, select Service, Container and Object. This is important, as missing any of these can prevent access at a specific level.

    Regenerate the SAS token:

    Set an appropriate expiry date to avoid frequent interruption. After configuring the permissions and resource types, click Generate SAS and connection string. Copy the generated SAS token and add a "?" at the beginning.

    Update the Application Configuration:

    Replace the expired SAS token in your code with the new one, in the following format:

    services.AddDataProtection()
            .PersistKeysToAzureBlobStorage(new Uri(aspNetCoreDataProtectionOptions.BlobUri + "?" + aspNetCoreDataProtectionOptions.SasToken))
            .ProtectKeysWithAzureKeyVault(new Uri(aspNetCoreDataProtectionOptions.KeyIdentifier), new DefaultAzureCredential())
            .SetApplicationName(applicationName);

    This configuration will enable your application to access blob storage using the updated SAS token.

    Test the Application:

    Restart the application and check that it starts up successfully without the authorization error.

    Consider using managed identity. This approach simplifies authentication, reduces dependency on SAS tokens, and eliminates the need for regular SAS token renewals, making your setup more secure.

    Please let us know if you have any further queries. I’m happy to assist you further.

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

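The failure in the question (an expired, then under-scoped, SAS token taking the whole site down at startup) and the remedy in the last answer (check permissions, resource types and expiry; prefer managed identity) can be turned into a startup check. The following Program.cs is an added example and is not code from the question, the answers, or the Azure/ASP.NET Core projects. It assumes the token is an account SAS of the kind generated on the storage account's Shared access signature page (so it carries `ss`, `srt`, `sp`, `se` and `sig` parameters); the `DataProtection:*` configuration keys and the `my-app` application name are made-up names. With no SAS token configured it falls back to the managed-identity overloads, which is the path the answer recommends.

```csharp
// Added example, not code from the question or the answers.
// Assumptions: the SAS is an account SAS (ss/srt/sp/se/sig parameters);
// the "DataProtection:*" configuration keys are hypothetical names.
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using Azure.Identity;                        // DefaultAzureCredential
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;   // PersistKeysToAzureBlobStorage / ProtectKeysWithAzureKeyVault
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);
var blobUri = new Uri(builder.Configuration["DataProtection:BlobUri"]!);        // e.g. https://<account>.blob.core.windows.net/<container>/keys.xml
var keyId   = new Uri(builder.Configuration["DataProtection:KeyIdentifier"]!);  // e.g. https://<vault>.vault.azure.net/keys/<name>/<version>
var sas     = builder.Configuration["DataProtection:SasToken"];                 // absent => use managed identity

var dp = builder.Services.AddDataProtection().SetApplicationName("my-app");

if (string.IsNullOrWhiteSpace(sas))
{
    // Preferred: the app's managed identity authenticates to storage, so there is nothing
    // to renew. The identity needs the Storage Blob Data Contributor role on the container.
    dp.PersistKeysToAzureBlobStorage(blobUri, new DefaultAzureCredential());
}
else
{
    // Fail fast with a readable reason instead of a 403 deep inside the key-ring load.
    var problems = SasTokenCheck.Problems(sas, DateTimeOffset.UtcNow);
    if (problems.Count > 0)
        throw new InvalidOperationException("Data Protection SAS token unusable: " + string.Join("; ", problems));

    var daysLeft = SasTokenCheck.DaysUntilExpiry(sas, DateTimeOffset.UtcNow);
    if (daysLeft is < 14)
        Console.Error.WriteLine($"WARNING: Data Protection SAS token expires in {daysLeft:F0} days; rotate it.");

    // Normalise the leading '?' so a pasted token works whether or not it already has one.
    dp.PersistKeysToAzureBlobStorage(new Uri(blobUri.AbsoluteUri + "?" + sas.TrimStart('?')));
}

// Key Vault wraps the key ring regardless of how the blob is reached.
dp.ProtectKeysWithAzureKeyVault(keyId, new DefaultAzureCredential());

var app = builder.Build();
app.Run();

public static class SasTokenCheck
{
    // Parses "?sv=...&ss=b&srt=sco&sp=rwdlc&se=...&sig=..." into name/value pairs.
    public static Dictionary<string, string> Parse(string sasToken)
    {
        var result = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (var pair in sasToken.TrimStart('?').Split('&', StringSplitOptions.RemoveEmptyEntries))
        {
            int eq = pair.IndexOf('=');
            string key = eq < 0 ? pair : pair.Substring(0, eq);
            string value = eq < 0 ? "" : Uri.UnescapeDataString(pair.Substring(eq + 1));
            result[key] = value;
        }
        return result;
    }

    // Reasons the token cannot serve the Data Protection key ring; an empty list means it can.
    public static List<string> Problems(string sasToken, DateTimeOffset now)
    {
        var p = Parse(sasToken);
        var problems = new List<string>();

        if (!p.ContainsKey("sig"))
            problems.Add("no 'sig' parameter: this is not a SAS token");

        // Account SAS: the Blob service must be among the allowed services.
        if (!p.TryGetValue("ss", out var ss) || !ss.Contains('b'))
            problems.Add("'ss' must include 'b' (Blob service)");

        // Resource types Service, Container and Object (srt=sco); a missing one is
        // exactly what surfaces as AuthorizationResourceTypeMismatch (403).
        if (!p.TryGetValue("srt", out var srt))
            problems.Add("no 'srt' parameter: expected an account SAS with srt=sco");
        else
            foreach (var rt in "sco".Where(c => !srt.Contains(c)))
                problems.Add($"'srt' lacks resource type '{rt}'");

        // Permissions Read, Write, Delete, List, Create (sp=rwdlc).
        if (!p.TryGetValue("sp", out var sp))
            problems.Add("no 'sp' parameter");
        else
            foreach (var perm in "rwdlc".Where(c => !sp.Contains(c)))
                problems.Add($"'sp' lacks permission '{perm}'");

        // Expiry: an expired token is what took the site down in the question.
        var days = DaysUntilExpiry(sasToken, now);
        if (days is null)
            problems.Add("no parsable 'se' (expiry) parameter");
        else if (days <= 0)
            problems.Add($"token expired {-days:F1} days ago");

        return problems;
    }

    // Days until the 'se' expiry, negative if already past, null if absent or unparsable.
    public static double? DaysUntilExpiry(string sasToken, DateTimeOffset now)
    {
        if (!Parse(sasToken).TryGetValue("se", out var se)) return null;
        if (!DateTimeOffset.TryParse(se, CultureInfo.InvariantCulture, DateTimeStyles.AssumeUniversal, out var expiry))
            return null;
        return (expiry - now).TotalDays;
    }
}
```

The check is deliberately conservative: it only reads the token's own parameters, so it cannot prove the token is valid (the signature is not verified locally), but it catches the three failure modes on this page before the first request to storage: an expired `se`, an `srt` without all of `s`, `c` and `o`, and an `sp` missing one of `rwdlc`. Setting `DataProtection:SasToken` to nothing switches to the managed-identity path, where there is no expiry to track at all.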
