This post covers the most applicable fixes for the error Status 403: This request is not authorized to perform this operation using this permission, which may occur when performing certain tasks with Azure Storage Explorer, Azure Data Factory (ADF), and/or Azure Databricks.
StatusDescription=This request is not authorized to perform this operation using this permission.
Status 403: This request is not authorized to perform this operation using this permission
If you get the Status 403: This request is not authorized to perform this operation using this permission error when working with Azure Storage Explorer, Azure Data Factory (ADF), or Azure Databricks, do the following to resolve the issue, depending on your scenario:
1] Make sure to assign the Blob Storage Contributor Role to the service principal in the scope of the ADLS Gen 2 storage account. Due to an issue with the ABFS driver, this error would occur even if the ACLs were perfectly granted. As a result of this issue, the Service Principal is required to be added to the storage account contributor IAM permission on the Azure Data Lake Storage Generation 2 (ADLS Gen 2) account. The problem has since been resolved in HADOOP-15969, and the fix is now included in Databricks runtime 5.x. If you get the ACLs right, you don’t need to grant the Service Principal any IAM permissions on the ADLS Gen 2 account.
2] You need to verify the access permissions for the ADF and user type. Note:
Storage Blob Data Contributor: Use to grant read/write/delete permissions to Blob storage resources.
3] Check the Storage account firewall. Temporarily disable it and see if that helps.
4] Make sure the AzCopy version number is 10.4 or higher. You can subscribe to updates on the AzCopy releases pages. You’ll be notified when all releases ship and you can check the release notes published there. Also, make sure you are running Azure Storage Explorer version 1.14 or higher.
I hope this helps!
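The four checks above can be run as one triage pass before changing any setting. The following is an added example, not code from the original post or from Microsoft. It assumes the inputs mirror the JSON printed by `az role assignment list` and the `networkRuleSet` object from `az storage account show`; all IDs, names and addresses are constructed placeholders. It looks at RBAC roles only, not ACLs.

```python
import ipaddress

# Roles that grant blob read/write/delete; the first is the one the page names.
DATA_ROLES = {"Storage Blob Data Contributor", "Storage Blob Data Owner"}

def has_blob_data_role(assignments, principal_id, account_scope):
    """True if the principal holds a data role at the account or a parent scope."""
    acct = account_scope.lower().rstrip("/") + "/"
    return any(
        a["principalId"] == principal_id
        and a["roleDefinitionName"] in DATA_ROLES
        and acct.startswith(a["scope"].lower().rstrip("/") + "/")
        for a in assignments)

def firewall_blocks(rule_set, caller_ip):
    """True if the default action is Deny and no Allow rule covers the caller."""
    if rule_set.get("defaultAction") != "Deny":
        return False
    ip = ipaddress.ip_address(caller_ip)
    return not any(
        r.get("action") == "Allow"
        and ip in ipaddress.ip_network(r["ipAddressOrRange"], strict=False)
        for r in rule_set.get("ipRules", []))

def version_ok(version, minimum):
    """Compare numeric dotted versions, so 10.10 counts as newer than 10.4."""
    parse = lambda v: tuple(int(p) for p in v.split("."))
    return parse(version) >= parse(minimum)

def triage_403(assignments, principal_id, account_scope, rule_set, caller_ip,
               azcopy_version, explorer_version):
    """Return the names of the checks from steps 1-4 that fail, in order."""
    checks = [
        ("role", has_blob_data_role(assignments, principal_id, account_scope)),
        ("firewall", not firewall_blocks(rule_set, caller_ip)),
        ("azcopy", version_ok(azcopy_version, "10.4")),
        ("storage-explorer", version_ok(explorer_version, "1.14")),
    ]
    return [name for name, passed in checks if not passed]

# Constructed sample data (placeholder IDs, documentation IP ranges).
SCOPE = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
         "/providers/Microsoft.Storage/storageAccounts/demoadls")
SP = "11111111-1111-1111-1111-111111111111"
ASSIGNMENTS = [{"principalId": SP, "roleDefinitionName": "Reader", "scope": SCOPE}]
RULES = {"defaultAction": "Deny",
         "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.0/24"}]}
print(triage_403(ASSIGNMENTS, SP, SCOPE, RULES, "198.51.100.7", "10.3.4", "1.14.0"))
```

A "firewall" finding means the caller's address is missing from the allow rules, which can be confirmed this way without switching the firewall off.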
What is BlobServiceClient?
The BlobServiceClient allows you to manipulate Azure Storage service resources and blob containers. The storage account provides the top-level namespace for the Blob service. You can create a new BlobBaseClient object by appending blobName to the end of Uri. The new BlobBaseClient uses the same request policy pipeline as the BlobContainerClient.
What is user delegation SAS?
You can secure a shared access signature (SAS) token for access to a container, directory, or blob by using either Azure Active Directory (Azure AD) credentials or an account key. A SAS that’s secured with Azure AD credentials is called a user delegation SAS. In Active Directory you can delegate control by following these steps:
- Right-click the OU to add computers, and then click Delegate Control.
- In the Delegation of Control Wizard, click Next.
- Click Add to add a user or group to the Selected users and groups list, and then click Next.
How do I delegate a user in SAP?
To delegate a user in SAP, follow these steps:
- Choose My Settings Delegation.
- Enable delegation of the desired item type by selecting its checkbox in the Enabled column.
- In the row corresponding to the desired item type, enter the name of the desired user into the field in the Delegate To column or select from the list of names.
- Save your changes.
How do I clear my Azure cache?
To flush the local Azure cache logs, stop and restart the app. This action clears the old cache. To clear your Azure storage, run the following commands one after the other:
AzureStorageEmulator.exe start
AzureStorageEmulator.exe stop
AzureStorageEmulator.exe status
AzureStorageEmulator.exe clear