Share via

Authentication issue with Azure Storage when running app in Azure Container App

Amit Kumar 0 Reputation points
2025-02-18T08:35:12.47+00:00
  • Package Name: azure-storage-blob
  • Package Version: 12.24.1
  • Operating System: Ubuntu
  • Python Version: 3.12

Describe the bug

When running a container app in Azure Container Apps, the code in the docker image tries to connect with azure-storage but it can't authenticate with azure storage and throws the error

Content:

The error is happening when running the app in container apps but when I run the same image in a local environment or any other VM, everything works fine. And because it happens with container apps, I can't investigate the header or other things because azure container stops as soon as it crashes.

To Reproduce

Steps to reproduce the behavior:

  1. I am not sure how it can be reproduced as I tried various ways to achieve it locally but it works fine.

Expected behavior

There should be no authentication issue.

Screenshots

If applicable, add screenshots to help explain your problem.

Additional context

Add any other context about the problem here.

Azure Container Apps
Azure Container Apps
An Azure service that provides a general-purpose, serverless container platform.
543 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. ArkoSen-6842 225 Reputation points
    2025-02-19T05:43:23.8533333+00:00

    Hello Amit Kumar, I understand that your application fails to authenticate with Azure Storage when running inside Azure Container Apps, even though the same image works fine on local machines and VMs. Most probably the authentication method used in your container app is not correctly configured or lacks the necessary permissions.

    There are two ways to fix this.

    Option 1 which I already suggested in comments is to enable managed identity on your container app.

    enter image description here

    Assign necessary permissions like acr pull and Storage Blob data contributor role. You can do this from the portal as well

    enter image description here

    enter image description here

    Once assigned you can verify it from portal or CLI (Note: Permissions may take up to 15 minutes to propagate.)

    enter image description here

    Modify your code to explicitly use managed identity. 

    
from azure.identity import ManagedIdentityCredential

from azure.storage.blob import BlobServiceClient

# Define Storage Account Name

STORAGE_ACCOUNT_NAME = "arkstorageacct"

BLOB_CONTAINER_NAME = "arkcontainer"

# Use Managed Identity for authentication

credential = ManagedIdentityCredential()

    enter image description here

    enter image description here

    Few additional noteworthy checks I would like to suggest such as if your storage account has firewall rules, it might be blocking access from Azure Container Apps. Cross check that once.

    Option 2

    You can also try using default azure credential with client id.

    Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.