[filebeat][ABS] - Input fails with AuthorizationPermissionMismatch when using Storage Blob Data Reader RBAC role #48890

@ShourieG

Description

The azure-blob-storage Filebeat input fails with an AuthorizationPermissionMismatch error when authenticating via Entra ID (OAuth2) with the Storage Blob Data Reader or Storage Blob Data Contributor RBAC role assigned at the storage account level. Ingestion works correctly with the Storage Blob Data Owner role.

Root Cause

The blob listing call in scheduler.go includes Tags: true in the ListBlobsInclude options. This causes the Azure List Blobs API to require the Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read DataAction, which is not granted by the Storage Blob Data Reader or Storage Blob Data Contributor roles. Only Storage Blob Data Owner and Storage Actions Blob Data Operator roles include this permission.

The blob index tags fetched by this option are never consumed by the input — no code references the .Tags field on listed blob items. The flag has been present since the input was first introduced, but was not an issue previously because only Shared Key and Connection String authentication were supported, both of which bypass RBAC entirely. The problem became visible after Entra ID (OAuth2) support was added in #40879.
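To make the authorization gap concrete, the following Go program is an added example, not Filebeat or Azure SDK code. It models the List Blobs request the input issues, derives the DataActions Azure evaluates for it (blobs/read for the listing, plus blobs/tags/read when Tags is set), and checks them against the DataActions of the three built-in roles, including the trailing-wildcard matching that makes the Owner role succeed. The ListBlobsInclude struct is an assumed stand-in for the SDK's option type, and the role tables are my reading of the built-in role definitions; confirm them against the output of `az role definition list --name "<role>"` before relying on them.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// ListBlobsInclude stands in for the SDK's include-options struct named in
// the issue (assumed shape; not the real SDK type).
type ListBlobsInclude struct {
	Metadata bool
	Tags     bool
}

// Real Azure DataAction identifiers referenced by the issue.
const (
	actBlobRead = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
	actTagsRead = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read"
)

// builtinRoles lists the DataActions of the three built-in roles as assumed
// here; verify with `az role definition list --name "<role>"`.
var builtinRoles = map[string][]string{
	"Storage Blob Data Reader": {
		"Microsoft.Storage/storageAccounts/blobServices/containers/read",
		actBlobRead,
		"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
	},
	"Storage Blob Data Contributor": {
		"Microsoft.Storage/storageAccounts/blobServices/containers/read",
		"Microsoft.Storage/storageAccounts/blobServices/containers/write",
		"Microsoft.Storage/storageAccounts/blobServices/containers/delete",
		actBlobRead,
		"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
		"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
		"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action",
		"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
		"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
	},
	"Storage Blob Data Owner": {
		"Microsoft.Storage/storageAccounts/blobServices/containers/*",
		"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*",
		"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
	},
}

// RequiredDataActions maps a List Blobs request to the DataActions Azure
// checks: blobs/read for the listing itself (assumed from Azure's
// data-operation permission table) and blobs/tags/read whenever Tags is
// set, which is the extra action the issue identifies.
func RequiredDataActions(inc ListBlobsInclude) []string {
	actions := []string{actBlobRead}
	if inc.Tags {
		actions = append(actions, actTagsRead)
	}
	return actions
}

// actionMatches applies the trailing-wildcard rule of Azure actions:
// ".../containers/blobs/*" grants every action below that prefix.
func actionMatches(granted, required string) bool {
	if strings.HasSuffix(granted, "/*") {
		return strings.HasPrefix(required, strings.TrimSuffix(granted, "*"))
	}
	return granted == required
}

// MissingActions returns the required actions the named role does not
// grant; an empty result means the request would be authorized.
func MissingActions(role string, required []string) []string {
	missing := []string{}
	for _, req := range required {
		granted := false
		for _, g := range builtinRoles[role] {
			if actionMatches(g, req) {
				granted = true
				break
			}
		}
		if !granted {
			missing = append(missing, req)
		}
	}
	return missing
}

func main() {
	roles := make([]string, 0, len(builtinRoles))
	for r := range builtinRoles {
		roles = append(roles, r)
	}
	sort.Strings(roles)
	// Tags: true is the listing as the input issues it today; Tags: false is
	// the listing without the unused include option.
	for _, inc := range []ListBlobsInclude{{Tags: true}, {Tags: false}} {
		fmt.Printf("Include.Tags=%v\n", inc.Tags)
		for _, r := range roles {
			fmt.Printf("  %-30s missing=%v\n", r, MissingActions(r, RequiredDataActions(inc)))
		}
	}
}
```

Running it shows Reader and Contributor each missing exactly blobs/tags/read when Tags is set and missing nothing when it is not, while Owner passes both cases through its blobs/* wildcard. The same table-driven check is a cheap pre-deployment gate: run it against the role you actually intend to assign rather than the one that happens to be in effect during a propagation window.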

Steps to Reproduce

  1. Create a service principal with the Storage Blob Data Reader role scoped to a storage account
  2. Configure the azure-blob-storage input with OAuth2 authentication using the service principal credentials
  3. Run Filebeat

Expected Behavior

The input should successfully list and read blobs using the Storage Blob Data Reader role, which is the recommended least-privilege role for read-only access to blob data.

Actual Behavior

The input fails immediately with:

RESPONSE 403: 403 This request is not authorized to perform this operation using this permission.
ERROR CODE: AuthorizationPermissionMismatch

Note on Testing

When Entra ID (OAuth2) support was originally added in #40879, testing was performed using a service principal with the Storage Blob Data Owner role. Once validated, the role was downgraded to Storage Blob Data Reader to verify least-privilege compatibility. However, Azure RBAC role changes can take up to 10 minutes to propagate across the platform — during this window, the previously assigned Owner permissions remain silently in effect. Because the tests were short-lived and completed within this propagation window, they passed successfully, giving the false impression that the input worked with the Data Reader role. The underlying Tags: true flag in the blob listing call — which requires the blobs/tags/read DataAction only granted by the Owner role — was never exercised without Owner-level permissions, and the issue went undetected until a user reported the AuthorizationPermissionMismatch error in a production environment with a clean Data Reader role assignment.

Affected Versions

All versions since Entra ID (OAuth2) support was added (8.x+).
