Can't call GetPermissionsAsync on newly created container when using TokenCredential

Question

Can't call GetPermissionsAsync on newly created container when using TokenCredential

markheath opened this issue 3 years ago · comments

Mark Heath commented 3 years ago

Which service(blob, file, queue, table) does this issue concern?

Blob

Which version of the SDK was used?

11.2.3

Which platform are you using? (ex: .NET Core 2.1)

.NET Core 3.1

What problem was encountered?

When you create a new container with CloudBlobContainer.CreateIfNotExistsAsync() and then immediately follow that up with CloudBlobContainer.GetPermissionsAsync(), the GetPermissionsAsync method will throw a StorageException with a 404 status code ("The specified resource does not exist."). However, the container does exist (have verified in StorageExplorer)

How can we reproduce the problem in the simplest way?

This only happens if you are using a StorageCredentials built from a TokenCredential
e.g. new CloudStorageAccount(storageCredentials, accountName, endpointSuffix, true);
If you do the same thing with a regular storage account connection string that includes the storage key, it works fine

Have you found a mitigation/solution?

No - have tried sleeping to see if the permissions can be accessed after some time has elapsed, but does not resolve the issue. Have also tried calling GetContainerReference again after the CreateIfNotExistsAsync call but that doesn't help.

Mark Heath · Answer 1 · Fri May 28 2021 21:21:22 GMT+0800 (China Standard Time)

Had a chance to try the same thing with the V12 SDK. Same issue - can't get permissions on a newly created container if you are using Token credentials. Here's some sample code to repro:

var accountName = "someaccount";
var blobEndpoint = $"https://{accountName}.blob.core.windows.net";
var credential = new DefaultAzureCredential(); 
var blobServiceClient = new BlobServiceClient(new Uri(blobEndpoint), credential);

var containerName = "mark-temp1";
await blobServiceClient.CreateBlobContainerAsync(containerName, PublicAccessType.None);
var containerClient = blobServiceClient.GetBlobContainerClient(containerName);
var policy = await containerClient.GetAccessPolicyAsync(); // will throw 404: The specified resource does not exist

Georgii Aristov · Answer 2 · Tue Oct 12 2021 23:12:34 GMT+0800 (China Standard Time)

Any updates on this? The issue can be reproduced with 12.10.0 SDK, calls to SetAccessPolicyAsync/GetAccessPolicyAsync using MSI return 404