
Azure Blob Storage Access Issues via Private Endpoint in Azure DevOps Pipeline


I'm facing issues accessing Azure Blob Storage via a private endpoint using a SAS token within an Azure DevOps pipeline. Despite configuring the private endpoint, the SAS token, and the pipeline correctly, I encounter AuthorizationFailure errors when the pipeline tries to perform blob operations like reading and writing. The error message:

azure.core.exceptions.HttpResponseError: This request is not authorized to perform this operation.
RequestId:70336d7b-201e-005c-179d-938271000000
Time:2024-04-21T03:36:35.5944080Z
ErrorCode:AuthorizationFailure
Content: <?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationFailure</Code><Message>This request is not authorized to perform this operation. RequestId:70336d7b-201e-005c-179d-938271000000 Time:2024-04-21T03:36:35.5944080Z</Message></Error>

The code:

from azure.storage.blob import BlobServiceClient, generate_account_sas, ResourceTypes, AccountSasPermissions
from datetime import datetime, timedelta
import pandas as pd
from io import BytesIO

ACCOUNT_NAME = "****"
CONTAINER_NAME = "****"
account_url = f"https://{ACCOUNT_NAME}.blob.core.windows.net"
account_key = '****'

sas_token = generate_account_sas(
    account_name=ACCOUNT_NAME,
    account_key=account_key,
    resource_types=ResourceTypes(container=True, object=True),
    permission=AccountSasPermissions(read=True, write=True, list=True),
    expiry=datetime.utcnow() + timedelta(hours=1)
)

I think the problem is that my Blob is "Private" and firewall-blocked for everyone. I have a private endpoint, but how do I use it in the Azure Pipeline? Is it possible?


Solution

  • If you want to utilize the Private Endpoint from your Azure pipeline, you will have to create a self-hosted agent that is connected to the same VNet (or a peered VNet) as the Blob Private Endpoint. Microsoft-hosted agents simply cannot access private endpoints.
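
A pre-flight check an agent can run before any blob operation, to confirm it resolves the storage account to the private endpoint rather than the firewalled public endpoint. This is an added example, not code from the question or the answer; the function names are hypothetical, and it assumes the VNet uses RFC 1918 address space.

```python
import ipaddress
import socket
import sys

# Assumption: the VNet uses RFC 1918 address space, as most Azure VNets do.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def resolve_ips(host, port=443):
    """Return the distinct addresses this machine's resolver gives for host."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def classify_route(ips):
    """Map resolved addresses to 'private-endpoint', 'public', 'mixed' or 'unresolved'."""
    if not ips:
        return "unresolved"
    flags = [any(ipaddress.ip_address(ip) in net for net in RFC1918) for ip in ips]
    if all(flags):
        return "private-endpoint"
    return "mixed" if any(flags) else "public"


def diagnose(account_name, resolver=resolve_ips):
    """Report how this agent would reach the account's blob endpoint."""
    host = f"{account_name}.blob.core.windows.net"
    try:
        ips = resolver(host)
    except socket.gaierror:
        ips = []  # name did not resolve from this network
    return {"host": host, "ips": ips, "route": classify_route(ips)}


if __name__ == "__main__":
    # Usage: python check_route.py <storage-account-name>
    report = diagnose(sys.argv[1])
    print(report)
    if report["route"] != "private-endpoint":
        # Fail the pipeline step early instead of hitting AuthorizationFailure later.
        sys.exit(f"{report['host']} is not reached over the private endpoint from this agent")
```

On a Microsoft-hosted agent the result is expected to be `public`, and with the storage firewall closed to public traffic that is the path that returns AuthorizationFailure; on a self-hosted agent in the VNet with private DNS in place it should be `private-endpoint`.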