Situation: I have a LogicApp that is triggered by changes in blob storage. I have tested it on my Azure storage and I am satisfied with the workflow. Now I want to change the connection so that it is again triggered by changes in Blob storage, but this time in the client's storage. I am using the Azure Portal for this.
The values I do have:
Also, I have communicated with the client, and my LogicApp with my subscription has been granted access on their side (I don't know if the access is for storage or for Managed Identity). Another thing: I have found guides online on how to create a Managed Identity for my LogicApp (Identity->Permissions->Azure role assignments->Add role assignment); however, this does not work on my side since I do not have access to this action within my project.
When trying to add a Managed Identity connection to the Blob trigger, it only asks for a name (which can be any string, as it is only a name for a local workflow if I understand correctly) and no other values. This makes me curious: how does it work? Where does it take the right values from so that I can connect to the right destination? (https://i.sstatic.net/2MgLM.png)
I tried to play around in the code view under the parameters section by adding the client values I have, but still no luck. I get an error message saying: "Failed to save logic app LogicApp-Main. The client 'Me' with object id 'My_Id-^^^-f275' has permission to perform action 'Microsoft.Logic/workflows/write' on scope '/subscriptions/My_Subscription_Id-^^^-3a27/resourceGroups/My_rg_name/providers/Microsoft.Logic/workflows/LogicApp-Main'; however, it does not have permission to perform action 'join/action' on the linked scope(s) '/subscriptions/CLient_Subscription_Id-^^^-08da/resourceGroups/Client_rg_Name/providers/Microsoft.Web/connections/azureblob-1' or the linked scope(s) are invalid." (https://i.sstatic.net/vaIzC.png)
So the question:
If you want to change the connection to the client's storage, then you definitely need the required permission, either from your side or from the client's side, to establish the connection. So, make sure that the access the client has given has the permissions you need to access the client's blob storage.
To change the connection, you can use any one of the authentication types shown below.
You can use the Logic App managed identity type. For that, you need to add a system-assigned managed identity and then add role assignments in the Logic App to the client storage. But as you mentioned, you don't have permission to add a role, so you can check with someone who can add that role permission on your behalf.
If you're unable to do this from your side, then do it from your client's side by requesting either the Storage account access key or a Shared access signature.
To establish the connection, you can use Access key as the authentication type. Then you only need your client's Storage account name and Storage account access key. As sharing the access key is not permissible, you can request a Shared access signature.
As mentioned in the above image, a SAS grants access to a resource for a specified period of time. So, check once with your client whether they granted access, what type of access they provided, and whether there are enough permissions to establish the connection.
Without enough permissions you can't establish the connection, and that is your issue, so check the possibility of sharing the Access key or a SAS.
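The check the answer recommends (what a SAS grants and for how long) can be run on the token before it is pasted into the connection. This is an added example, not part of the original answer: it reads the standard SAS query fields (`sp`, `se`, `st`, `ss`, `srt`, `spr`), and the function name, the sample tokens and the assumption that a polling blob trigger needs read and list permissions belong to this example.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Assumption: a polling blob trigger needs at least read (r) and list (l).
REQUIRED_PERMS = frozenset("rl")

def _utc(value):
    """Parse a SAS st/se timestamp (ISO 8601, UTC) into an aware datetime."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def review_sas(token, now=None, required=REQUIRED_PERMS):
    """Return findings for a SAS query string; an empty list means usable."""
    now = now or datetime.now(timezone.utc)
    q = {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}
    findings = []
    if "sig" not in q:
        findings.append("no sig field: not a SAS token")
    missing = required - set(q.get("sp", ""))
    if missing:
        findings.append("sp lacks permissions: " + "".join(sorted(missing)))
    if "se" not in q:
        findings.append("no expiry (se)")
    elif _utc(q["se"]) <= now:
        findings.append("expired at " + q["se"])
    if "st" in q and _utc(q["st"]) > now:
        findings.append("not valid until " + q["st"])
    # Account SAS only: ss = services, srt = resource types.
    if "ss" in q and "b" not in q["ss"]:
        findings.append("ss does not include the blob service (b)")
    if "srt" in q and not {"c", "o"} <= set(q["srt"]):
        findings.append("srt needs c (list blobs) and o (read blobs)")
    if "http" in q.get("spr", "https").split(","):
        findings.append("spr allows plain HTTP")
    return findings

# Constructed tokens; the sig values are placeholders, not real signatures.
GOOD = ("?sv=2022-11-02&ss=b&srt=co&sp=rl&st=2024-01-01T00:00:00Z"
        "&se=2024-03-01T00:00:00Z&spr=https&sig=PLACEHOLDER")
WEAK = "sv=2022-11-02&ss=f&srt=o&sp=r&se=2024-01-15&spr=https,http&sig=PLACEHOLDER"

if __name__ == "__main__":
    at = datetime(2024, 2, 1, tzinfo=timezone.utc)
    for name, tok in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, review_sas(tok, now=at) or "ok")
```

The function never prints or returns the `sig` value, so its findings can be shared with the client when asking for a corrected token.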