Azure Data Lake: This request is not authorized to perform this operation
This question is not a duplicate of This request is not authorized to perform this operation. Azure blobClient
I want to access an Azure Data Lake from an Azure Function. I use Managed Identity and have assigned an "Owner" role for this function in my Data Lake IAM tab. Everything works but only, when I allow "All networks" in my data lake. As soon as I switch to "Selected networks", I get "This request is not authorized to perform this operation" even though I added all outbound IP addresses of my Azure Function to the firewall rules of my data lake.
I added a call to https://api.ipify.org in my Azure Function to see its public IP address. I also use socket.gethostbyname() to get the resolved IP address of the host name of the data lake (just to check if this potentially gets resolved to a private IP within Microsoft's data center but it's not, it's a public IP)
The outbound IP of my function also appears in my Firewall rules:
and still I get
Error] Executed 'Functions.json-deserialize-eventhub' (Failed, Id=10554e46-2f5e-42a7-a9f7-a95dad1b4e30, Duration=1063ms)Result: FailureException: HttpResponseError: This request is not authorized to perform this operation.RequestId:84928ea9-201e-0092-5a97-d46e78000000Time:2020-12-17T17:07:38.2792923ZErrorCode:AuthorizationFailureError:NoneStack: File "/azure-functions-host/workers/python/3.8/LINUX/X64/azure_functions_worker/dispatcher.py", line 355, in _handle__invocation_requestcall_result = await self._loop.run_in_executor(File "/usr/local/lib/python3.8/concurrent/futures/thread.py", line 57, in runresult = self.fn(*self.args, **self.kwargs)File "/azure-functions-host/workers/python/3.8/LINUX/X64/azure_functions_worker/dispatcher.py", line 542, in __run_sync_funcreturn func(**params)File "/home/site/wwwroot/json-deserialize-eventhub/init.py", line 38, in maindlc.append_object(obj_converted, data_lake_target_url)File "/home/site/wwwroot/shared/datalake.py", line 41, in append_objectfor container in file_system_containers:File "/home/site/wwwroot/.python_packages/lib/site-packages/azure/core/paging.py", line 129, in __next__return next(self._page_iterator)File "/home/site/wwwroot/.python_packages/lib/site-packages/azure/core/paging.py", line 76, in __next__self._response = self._get_next(self.continuation_token)File "/home/site/wwwroot/.python_packages/lib/site-packages/azure/storage/blob/_models.py", line 401, in _get_next_cbprocess_storage_error(error)File "/home/site/wwwroot/.python_packages/lib/site-packages/azure/storage/blob/_shared/response_handlers.py", line 147, in process_storage_errorraise error
The code itself is simplistic, I basically just use the DataLakeServiceClient from the azure.storage.filedatalake module to communicate with the data lake.
Why does this not work? How can I allow my function to write/read data? VNet integration is not an option at the moment.
There is a special case when you configure storage accounts to allow access from specific public internet IP address ranges.
Services deployed in the same region as the storage account use private Azure IP addresses for communication. Thus, you cannot restrict access to specific Azure services based on their public outbound IP address range.
I also see there is a private IP 172.16.0.5 in your screenshots. You could create the same Function APP in another Azure function in the different region from the Azure Data Lake region to verify this.
- How can I define compile time constants in bicep configuration language?
- Outlook calendar don't render with FullCalendar
- Azure functions decoding error for IotHub device connection state message schema
- How do I set scope in Azure API Manager (APIM) when using D_application_id
- How to mount multiple disks in a loop using ansible
- How can I get sub value in nested json via KQL?
- Azure .NET SDK: Scale Azure SQL databases through SDK
- How can I invoke Azure Trusted Signing from a Linux OS?
- How to transfer "Set Variable" activity output into Json file using "Copy Data" activity or any other options?
- Verify Microsoft Access token on my ASP.NET Core Web API
- I'm trying to install the package from a private Azure DevOps repository using the pip install command, but I'm encountering an error
- Unable to define the sites for an App Registration for SahrePoint with Site.Selected
- Check if the resource exists before using data
- Not able to see azure 'LifecyclePolicyCompleted event' log
- Direct Web Push gives Error when used from Notification Hub
- Azure Remove User Consent to API
- Flutter-Azure Deviops pipelineThe discrepancy between the number of tests reported as passed or failed in the pipeline output and the test report
- App_location on deployment of a static webapp
- MSINotEnabled - Can't use KeyVault Reference in Azure Function
- Reading values from a key value based file and passing these values to azure devops template
- Deleting an Azure Loadbalancer Frontend IP configuration from python?
- How to retrieve the front door id from a Microsoft CDN (classic)
- What is HEAD operation in CosmosDB reported in Azure Monitoring
- Deploying a Python App to Azure App Service with Github Actions
- How to Query User Access Logs for Azure Front Door
- How can I add email recipients to a Graph API request programmatically?
- How to create Azure Devops Service Connection Docker Registry Type Other
- Problem with CORS policy in React front end with FastAPI on the back trying to use Microsoft Single Sign-on
- Azure Document Intelligence Custom Classification Python API
- Azure Function App unaccounted for time in Application Insights Timeline