Azure Storage - Allowed Microsoft Service when Firewall is set
I am trying to connect a public logic app (not ISE environment) to a storage account that is restricted to a Vnet. According to the Storage account documentation access should be possible using a system managed identity.
However I just tried in 3 different subscriptions and the result is always the same:
{
"status": 403,
"message": "This request is not authorized to perform this operation.\r\nclientRequestId: 2ada961e-e4c5-4dae-81a2-520397f277a6",
"error": {
"message": "This request is not authorized to perform this operation."
},
"source": "azureblob-we.azconn-we-01.p.azurewebsites.net"
}
Already provided access with different IAM roles, including owner. This feels like the service that should be allowed according to the documentation is not being allowed.
The Allow trusted Microsoft services... setting also allows a particular instance of the below services to access the storage account, if you explicitly assign an RBAC role to the system-assigned managed identity for that resource instance. In this case, the scope of access for the instance corresponds to the RBAC role assigned to the managed identity.
Azure Logic Apps Microsoft.Logic/workflows Enables logic apps to access storage accounts
[https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security#exceptions][1]
What am I doing wrong?
Added screenshots:
https://i.sstatic.net/CfwJK.png
https://i.sstatic.net/tW7k9.png
https://i.sstatic.net/Lxyqd.png
https://i.sstatic.net/Sp7ZV.png
For authenticating access to Azure resources by using managed identities in Azure Logic Apps, you could follow the document. Azure Logic Apps should be registered in the same subscription as your storage account. If you want to access the blob in an Azure Storage container. You could add the Storage Blob Data Contributor(Use to grant read/write/delete permissions to Blob storage resources) role for the Logic App system identity in the storage account.
Update
From your screenshot, I found that you have not used a system-managed identity to design the Create blob logic but using an API connection.
For validating connecting a public logic app to a storage account with Allow trusted Microsoft services... setting enabled. You can design your logic using the managed identity with a trigger or action through the Azure portal. To specify the managed identity in a trigger or action's underlying JSON definition, see Managed identity authentication.
output
For more details, please read these steps in Authenticate access with managed identity.
- Getting an error when using the Flexible File Destination Task in Visual Studio 2022 SSIS
- will looping GetBlobsAsync() but doing nothing in the loop body read the contents of the blob
- Trying to acquire a lease on a new blockblob gets me a 404
- How to get the count of files inside a certain folder of container in Azure Blob storage in C#
- Querying azure table storage for null values
- Visual Studio Code: Could not find $web blob container for storage account
- How to monitor IOPS and throughput in a Azure per File Share for Standard Disk
- How can I get the path to an Azure Storage account's Container in ARM template
- New-AzResourceGroupDeployment: 5:01:43 PM - The deployment 'BlockBlobStorageDeployment' failed with error(s)
- New-AzResourceGroupDeployment: 4:21:36 PM - The deployment 'FileStorageDeployment' failed with error(s). Showing 1 out of 1 error(s)
- How to Minimize Egress Costs in Azure for Public Open Data Sharing
- Azure SAS token always not authenticated when use by not whitelist IP
- 400 XML specified is not syntactically valid
- Azure ShareClient: This request is not authorized to perform this operation
- Generating SAS account token in powershell
- When generating a ADLS SAS token, specifying the path causes an authorization failure
- ADLS Rest API - Getting directory list using a SAS token from directory not container?
- Microsoft.Bot.Builder.Azure doesn't contain type or namespace 'AzureTableStorage'
- Read image path from file share and store in table storage Azure
- Running .NET 6 project in Docker throws Globalization.CultureNotFoundException
- How to change the Lease state of Azure Blob to Available
- Azure Run Command Error: The string is missing the terminator: "
- Secure access to Azure storage account from only app service, database server and specific Internet address
- Azure Storage Monitoring Total capacity problem
- How to connect an Azure Share to a Windows Drive Letter
- Error when python program reads a file from an Azure fileshare: "Signature did not match. String to sign used was r..."
- Connecting to an Azure Virtual Network from PC
- Azure-sdk-for-cpp parallelism
- Statistics on Hot, Cool, and Archive Azure Storage
- How can I use Azurite in a command line application?