I'm trying to put an application to production on Azure. This application consists of a webapp (running a Docker container) that is supposed to communicate with an Azure Storage Account (blob).
After adding all outbound IP Adresses of the web app to the firewall settings of my storage account, I still have no permission to access the blobs. The error is the following:
"This request is not authorized to perform this operation."
However, when I run my app in local and add my local IP to these same firewall settings, it works. When I do not add it to the firewall settings, I get the same error. I therefore believe my storage account does not allow traffic coming from my webapp whilst it should.
Any help would be deeply appreciated.
Thanks,
Clank
You can make use of Managed identity to provide access to storage blob from web app.
You need to assign 'Storage Blob Data contributor' access to webapp. You can follow below steps for the same.
Storage Account -> Access Control (IAM) -> Grant Access to this resource -> 'Storage Blob Data Contributor' -> Select resource (web app)
Related
I am trying to redeploy an Azure Cloud Service (classic) to an "extended support" one since the former is being deprecated. Following this guide and the prerequisites I have created a virtual network and new storage account. I set up a bunch of permissions and the Connectivity Check for my storage account indicates no problems. However when I try to create and deploy a new Cloud Service (Extended Support) using my (updated) .cscfg, .csdef and .cspkg files I get this error:
Error:AuthorizationFailure, message:This request is not authorized to perform this operation. (Code: PackageUriForbidden)
I've tried setting the container and blob access to public for the deploy files, I have added Network Contributor and Storage Blob Data Contributor to both the subscription and the cloud storage resources for my user account. What am I missing?
I tried deploying cloud services extended support via Azure Portal and it got deployed successfully.
Refer below :-
I have uploaded all my cloud services packages in my storage account and used those packages from my storage blobs and created the Cloud service ES instance.
I enabled connection from all networks for my storage account, Thus I did not receive any authorization error :-
It looks like your Storage account has Firewall and V-Net enabled for the selected Networks. Or There’s an IP Address added to restrict storage account.
I created a Create a Service endpoint in my V-Net to allow Microsoft.storage like below :-
Added this V-Net in the selected Networks in Storage account’s Firewall :-
Checked this in order to allow azure services to access storage account like below :-
Now, when I try to deploy another cloud service with the same storage account having firewall and V-Net enabled, I get the same error as yours refer below :-
I allowed my client machine’s IP in the storage account and was able to add the packages without any error while deploying the Cloud Service:-
I'm nearly done migrating our cloud service (classic) deployments to cloud service (extended support). I'm working now on updating deployment pipelines. My package blob is located in a storage account. I create a SAS for the blob and use an API call to management.azure.com to create/update the deployment, passing ARM template as the body of the request.
This works correctly as long as the storage account with the package blob has its network set to "allow access from all networks". I want to restrict this access. I set the allow access from:
specific IP addresses of our devops servers
our own IP addresses
private vnet/subnets for the cloud service
I also tick the "Allow Azure services on the trusted services list to access this storage account" checkbox.
Yet, API call fails with error message indicating access is not allowed to the blob. When I change the storage account network configuration to "allow access from all networks", everything works correctly.
With lots of searches, I found only one hit explaining the same problem - https://github.com/Azure/azure-powershell/issues/20299 - yet no solution has been suggested other than allowing access from all networks.
I must be missing some trick - but what is it? How can I restrict access to the storage account?
As per the requirements, I need to Enable Firewall with Selected Network ON for Azure Storage Accounts. But when I do the same along with adding all required IPs, Azure Function App and Azure Data Factory is going down.
Currently the VNET is unavailable and cannot be created. Managed Identity is not an option as Contributor role unavailable.
Is there a way to to configure the Data Factory and Function Apps after enabling FireWall with selected networks for Azure KeyVault and Azure Storage Accounts.
Please find the below steps helps to work around:
Is there a way to to configure the Data Factory and Function Apps after enabling FireWall with selected networks for Azure KeyVault and Azure Storage Accounts.
When Network rules like specified IP Addresses, IP Ranges, subnets are configured to the storage accounts, then that storage accounts can only be accessed by applications that request data over the specified set of networks or through the specified set of Azure resources.
Also, the option Allow Trusted Services is set to ON while enabling the firewall for a storage account, which allows connectivity from Azure trusted services like Data Factory, Azure functions, etc.
Visit this documentation to know the list of trusted services allowed to access a key vault in Azure.
You have to create the VNet, attach to the Azure Function App which helps to connect to the Storage Account.
Currently the VNET is unavailable and cannot be created. Managed Identity is not an option as Contributor role unavailable.
To enable a service endpoint for a subnet/IP Addresses attached to Storage account, you can have custom role like Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action.
Refer to MSFT Docs1 and here for more information.
I have a App Service with a managed identity assigned to it to simplify connections to azure resources. I want to use DataProtection where the app stores the xml-keys in an Azure Storage Account(blob) to persist them between deploys.
Whenever I start the app I get a authentication error:
Microsoft.Azure.Storage.StorageException: This request is not authorized to perform this operation.
at Microsoft.Azure.Storage.Core.Executor.Executor.ExecuteAsync[T](RESTCommand`1 cmd, IRetryPolicy policy, OperationContext operationContext, CancellationToken token)
at Microsoft.Azure.Storage.Core.Executor.Executor.<>c__DisplayClass0_0`1.<ExecuteSync>b__0()
at Microsoft.Azure.Storage.Core.Util.CommonUtility.RunWithoutSynchronizationContext[T](Func`1 actionToRun)
I have assigned several different RBAC roles to the App Service without any succes, including:
Storage Data Owner
Storage Data Contributor
Storage Data Reader
Owner
The Storage Account is connected to a VNET and not open to the internet. THe App service is not connected to the same VNET.
I have then tried to whitelist the App services many outgoing IP-adresses in the Storage Accounts Network-section, which states "Add IP ranges to allow access from the internet or your on-premises networks."
Also have "Allow Azure services on the trusted services list to access this storage account" activated.
Any ideas whats missing? This is happening only when in the app service, from my debug-localhost I can connect, so seems related to azure networking somehow.
According to the description in your post, I can be pretty sure that your identity configuration in the portal is correct, and your code is also completely correct.
The only problem is that your app services cannot access vnet. The simple description is that the azure storage account is connected to the vnet, which is equivalent to being isolated by the vnet protection. The app service needs to access the storage account, and it must first connect to the vnet.
I have a account in Azure portal. When I try to access to the specific storage account, its says "Access denied" and unable to open the blob container.
But I have created the storage account using the service principal which got all access.
Now I want to view the storage account using my Azure user account.
Is there way to provide permissions using service principal?
According to your description, it seems that the special storage account that with firewall set or in the Virtual Networks.
If "Allow access from All networks " is possible, you could choose that or you could add your localhost public ip to allow access it from the internet . For more information, please refer to the screenshot.