
Azure private endpoints 403 authorization issue


What could cause a 403 issue when accessing a storage account via private endpoints? I am 10000% sure I have added the correct permission and I have correctly created the endpoints...

Is there anything else that could cause 403 beside roles and incorrect endpoints?


Solution

  • Is there anything else that could cause 403 beside roles and incorrect endpoints?

    If you are trying to access the storage account via a private endpoint, make sure to check the connectivity. Verify whether the storage account is reachable from the VM using the nslookup command.

    nslookup <blob endpoint url>
    


    Test the connection to the Blob endpoint using the below cmdlet:

    Test-NetConnection -ComputerName "venkatstoragedemo.blob.core.windows.net" -Port 443
    

    Output: (screenshot in the original answer)

    If you are able to resolve the private endpoint IP and the test passes, it means the Blob storage is reachable from the VM, and the issue is not network-related.

    However, if the connection test fails, ensure that the Private DNS and Virtual Network Link configurations are correctly set up.

    Check whether the user or service principal has the required permissions to access the Blob storage using the following command:

    az role assignment list --assignee <User-ID> --scope "/subscriptions/<SUB_ID>/resourceGroups/Venkat-RG/providers/Microsoft.Storage/storageAccounts/venkatstoragedemo" -o table
    

    Output: (screenshot in the original answer)

    If the output displays the required role, then access to the Blob storage should work as expected.

    If not, verify that the user or service principal has the necessary RBAC roles assigned.

    • Storage Blob Data Reader (for read-only access)
    • Storage Blob Data Contributor (for read/write access)
    • Storage Blob Data Owner (for full control)

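As an added example (not part of the original question or answer), the POSIX shell script below turns the answer's three manual checks into reusable functions: classify what the blob hostname resolves to, probe TCP 443, and scan the `az role assignment list -o table` output for a data-plane role. It also covers the case the question is really asking about: when the Private DNS zone is not linked to the VNet, the hostname resolves to the account's public IP, the request bypasses the private endpoint, and the account's network rules reject it with 403 even though RBAC is correct, so it looks like a permission problem. The script assumes `getent` (glibc) and optionally `nc` for the live checks; the two role tables and the example principal are constructed samples, not real output.

```shell
#!/bin/sh
# Added diagnostic helpers, not code from the original answer.
# Assumptions: POSIX sh with getent (glibc) and optionally nc for the live
# check; the role tables and principal below are constructed samples.

# Returns 0 if an IPv4 address is in an RFC 1918 range (10/8, 172.16/12,
# 192.168/16), which is what a private endpoint resolves to inside the VNet.
is_private_ip() {
  ip=$1
  a=${ip%%.*}
  rest=${ip#*.}
  b=${rest%%.*}
  case "$a" in
    10) return 0 ;;
    172)
      if [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then return 0; fi ;;
    192)
      if [ "$b" -eq 168 ]; then return 0; fi ;;
  esac
  return 1
}

# Constructed stand-ins for the output of:
#   az role assignment list --assignee <User-ID> --scope <storage account scope> -o table
DATA_ROLE_TABLE='Principal           Role                           Scope
------------------  -----------------------------  ------------------------
user@example.com    Reader                         /subscriptions/<SUB_ID>/...
user@example.com    Storage Blob Data Contributor  /subscriptions/<SUB_ID>/...'

READER_ONLY_TABLE='Principal           Role                           Scope
------------------  -----------------------------  ------------------------
user@example.com    Reader                         /subscriptions/<SUB_ID>/...'

# Returns 0 if the table lists a data-plane blob role. A control-plane role
# such as Reader shows the account in the portal but does not authorize blob
# reads, so Azure AD requests with only that role still end in 403.
has_blob_data_role() {
  printf '%s\n' "$1" | grep -Eq 'Storage Blob Data (Reader|Contributor|Owner)'
}

# Live check from the VM: resolve the blob endpoint (nslookup equivalent),
# classify the answer, then probe TCP 443 (Test-NetConnection equivalent).
# Exit codes: 0 private and reachable, 1 public IP, 2 unresolved, 3 port closed.
check_private_endpoint() {
  host=$1
  ip=$(getent ahostsv4 "$host" 2>/dev/null | awk 'NR==1 {print $1}')
  if [ -z "$ip" ]; then
    echo "UNRESOLVED: $host; check the Private DNS zone and its VNet link"
    return 2
  fi
  if is_private_ip "$ip"; then
    echo "PRIVATE: $host -> $ip (traffic uses the private endpoint)"
  else
    echo "PUBLIC: $host -> $ip (Private DNS not applied; request hits the public endpoint and the account network rules may answer 403)"
    return 1
  fi
  if command -v nc >/dev/null 2>&1 && nc -z -w 5 "$host" 443 2>/dev/null; then
    echo "TCP 443 reachable from this VM"
  else
    echo "TCP 443 not reachable (or nc missing); check NSG and route rules"
    return 3
  fi
}

# Usage (live, from the VM), e.g. with the account named in the answer:
#   check_private_endpoint venkatstoragedemo.blob.core.windows.net
#   has_blob_data_role "$(az role assignment list --assignee <User-ID> --scope <scope> -o table)" \
#     && echo "data-plane blob role present"
```

Run `check_private_endpoint` first: a PRIVATE result with port 443 open means the network path is fine and the remaining suspect is the role assignment, which `has_blob_data_role` confirms or rules out from the same `az` output the answer uses.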