Tags: azure-managed-identity, azure-durable-functions

Durable Function error "This request is not authorized to perform this operation"


I followed quickstart-python-vscode and deployed an example Durable Functions app.

I cannot call the published function; the Func App log shows the following errors:

[Information] func1-control-00: CreateLeaseIfNotExistAsync - leaseContainerName: func1-leases, leaseType: ownership, partitionId: func1-control-00
[Error] An error occurred while processing messages on func1-workitems: 
        DurableTask.AzureStorage.Storage.DurableTaskStorageException: This request is not authorized to perform this operation.
 ---> Microsoft.WindowsAzure.Storage.StorageException: This request is not authorized to perform this operation.
   at Microsoft.WindowsAzure.Storage.Core.Executor.Executor.ExecuteAsyncInternal[T](RESTCommand`1 cmd, IRetryPolicy policy, OperationContext operationContext, CancellationToken token)
   at Microsoft.WindowsAzure.Storage.Queue.CloudQueue.CreateIfNotExistsAsync(QueueRequestOptions options, OperationContext operationContext, CancellationToken cancellationToken)
   at DurableTask.AzureStorage.TimeoutHandler.ExecuteWithTimeout[T](String operationName, String account, AzureStorageOrchestrationServiceSettings settings, Func`3 operation, AzureStorageOrchestrationServiceStats stats, String clientRequestId) in /_/src/DurableTask.AzureStorage/TimeoutHandler.cs:line 133
   at DurableTask.AzureStorage.Storage.AzureStorageClient.MakeStorageRequest[T](Func`3 storageRequest, String accountName, String operationName, String clientRequestId, Boolean force) in /_/src/DurableTask.AzureStorage/Storage/AzureStorageClient.cs:line 137

Solution

  • Durable Functions use three components of Azure Storage - Containers, Queues and Tables (see durable-functions-azure-storage-provider for more information).

    If shared keys for Storage are disabled and the Function App is configured to use a user-assigned managed identity, you need to follow durable-functions-configure-managed-identity#identity-based-connections-for-app-deployed-to-azure:

    1. Assign the following access roles to the managed identity:
      • Storage Queue Data Contributor
      • Storage Blob Data Contributor
      • Storage Table Data Contributor
    2. Add the following settings to the Func App environment variables:
      • AzureWebJobsStorage__accountName
      • AzureWebJobsStorage__clientId
      • AzureWebJobsStorage__credential

    In my case, one more step was required because of the locked down network configuration.

    The Storage service uses separate endpoints for each component (e.g. <account_name>.queue.core.windows.net:443 for Queue). Initially there was only a private connection for the blob endpoint and indeed the DF app was able to create its lease containers.

    Similar private connections had to be created for the queue and table endpoints.
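The three steps in the answer (role assignments, `AzureWebJobsStorage__*` app settings, and a private endpoint per storage service) can be verified offline before redeploying. The checker below is an added example, not code from the question, the answer, or the Azure quickstart. It assumes the JSON shapes that `az functionapp config appsettings list -o json` (a list of `{"name", "value"}` objects) and `az role assignment list -o json` (a list with `roleDefinitionName`) produce; the sample settings, role list, account name `func1storage` and reachable-host list are constructed to reproduce the state described in the question (blob reachable, queue and table not).

```python
"""Offline audit of a Durable Functions identity-based storage connection.

Inputs are the JSON shapes emitted by the Azure CLI:
  settings    -> `az functionapp config appsettings list -o json`
  assignments -> `az role assignment list --assignee <clientId> --scope <storage account id> -o json`
All sample data at the bottom is constructed for the demo.
"""
import json

# Step 1 of the answer: data-plane roles the identity needs on the account.
REQUIRED_ROLES = frozenset({
    "Storage Queue Data Contributor",
    "Storage Blob Data Contributor",
    "Storage Table Data Contributor",
})
# Step 2 of the answer: "__" is the Functions host's section separator.
PREFIX = "AzureWebJobsStorage"
REQUIRED_SETTINGS = (
    f"{PREFIX}__accountName",
    f"{PREFIX}__credential",
    f"{PREFIX}__clientId",   # required for a user-assigned identity
)
# Step 3 of the answer: each service has its own endpoint, so a private
# endpoint for blob alone still leaves queue and table unreachable.
STORAGE_SERVICES = ("blob", "queue", "table")


def check_app_settings(settings):
    """Return a list of findings for the app settings; empty means configured."""
    by_name = {s["name"]: s.get("value") for s in settings}
    findings = []
    if by_name.get(PREFIX):
        findings.append(f"{PREFIX} still holds a shared-key connection string; "
                        "with shared keys disabled on the account it cannot authenticate")
    for name in REQUIRED_SETTINGS:
        if not by_name.get(name):
            findings.append(f"missing app setting {name}")
    cred = (by_name.get(f"{PREFIX}__credential") or "").lower()
    if cred and cred != "managedidentity":
        findings.append(f"{PREFIX}__credential is '{cred}', expected 'managedidentity'")
    acct = by_name.get(f"{PREFIX}__accountName") or ""
    if acct and ("." in acct or "/" in acct):
        findings.append(f"{PREFIX}__accountName should be the bare account name, not a URL or host")
    return findings


def check_role_assignments(assignments):
    """Return the sorted list of required roles not present in the assignment list."""
    granted = {a.get("roleDefinitionName") for a in assignments}
    return sorted(REQUIRED_ROLES - granted)


def private_endpoint_hosts(account_name):
    """Hostnames (port 443) a locked-down network must be able to reach."""
    return {svc: f"{account_name}.{svc}.core.windows.net" for svc in STORAGE_SERVICES}


def audit(settings, assignments, reachable_hosts=()):
    """Combine the three checks. reachable_hosts: storage hostnames known to
    resolve from the app's VNet (e.g. from a private DNS zone listing)."""
    findings = check_app_settings(settings)
    findings += [f"role not assigned: {r}" for r in check_role_assignments(assignments)]
    by_name = {s["name"]: s.get("value") for s in settings}
    acct = by_name.get(f"{PREFIX}__accountName")
    if acct:
        for svc, host in private_endpoint_hosts(acct).items():
            if host not in reachable_hosts:
                findings.append(f"no private endpoint/DNS for {svc} ({host}:443)")
    return findings


# Constructed sample reproducing the question: clientId missing, only the
# blob role granted, only the blob endpoint privately reachable.
SAMPLE_SETTINGS = json.loads("""[
  {"name": "AzureWebJobsStorage__accountName", "value": "func1storage", "slotSetting": false},
  {"name": "AzureWebJobsStorage__credential", "value": "managedidentity", "slotSetting": false},
  {"name": "FUNCTIONS_WORKER_RUNTIME", "value": "python", "slotSetting": false}
]""")
SAMPLE_ROLES = json.loads("""[
  {"roleDefinitionName": "Storage Blob Data Contributor", "scope": "<storage account id placeholder>"}
]""")
SAMPLE_REACHABLE = ("func1storage.blob.core.windows.net",)

if __name__ == "__main__":
    for finding in audit(SAMPLE_SETTINGS, SAMPLE_ROLES, SAMPLE_REACHABLE):
        print("-", finding)
```

Run against the constructed sample it reports the missing `clientId` setting, the two missing roles, and the two services with no private endpoint, which is exactly the set of gaps the answer had to close; feeding it real CLI output for a fixed deployment should return an empty list.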