Allow DevOps access to restricted storage account

Anonymous
2022-09-19T19:43:19.617+00:00

We have a storage account that has "Enabled from selected virtual networks and IP addresses", because our security department disallows it from being accessible from the whole internet.

We have a devops deployment that's run on an Azure Pipeline (and we don't want to get a hosted agent).

This deployment fails because of a 403 Forbidden: `Creation of storage file share failed with: 'The remote server returned an error: (403) Forbidden.'` This occurs because the Azure Pipeline VM that does the deployment has no access to the storage account. I tried to whitelist the public IP of the Azure Pipeline VM at the start of the deployment. That doesn't solve the problem, because the Azure Pipeline is using the private MS datacenter IP instead of its public IP, and unfortunately you cannot whitelist a private IP.

How to temporarily allow the DevOps Azure Pipeline access to a restricted storage account?


5 answers

  1. Anonymous
    2022-09-20T08:30:57.07+00:00

    Thanks for your reply, but unfortunately that doesn't work, because when DevOps and the Storage account are in the same region (as they are in our case), MS uses a private IP to connect internally instead of going through the internet. And you cannot whitelist a private IP.

    See also: https://github.com/MicrosoftDocs/azure-devops-docs/issues/8713

    4 people found this answer helpful.

  2. Carlos Solís Salazar 18,171 Reputation points MVP
    2022-09-19T20:34:07.42+00:00

    Hi @Anonymous

    Thank you for asking this question on the **Microsoft Q&A Platform.**

    Please check these documents: Allowed address lists and network connections and get IP addresses of Azure Pipelines to use in production.

    Hope this helps!

    ----------

    Accept Answer and Upvote, if any of the above helped, this thread can help others in the community looking for remediation for similar issues.
    NOTE: To answer you as quickly as possible, please mention me in your reply.

    1 person found this answer helpful.

  3. Wei 1 Reputation point
    2022-11-29T05:26:03.123+00:00

    Hey @Anonymous

    Have you tried to set 'WEBSITE_CONTENTOVERVNET' to 1 in app settings?

    https://learn.microsoft.com/en-us/azure/azure-functions/functions-app-settings#website_contentovervnet

    Also please check the deployment history to make sure the error is related to the agent or Microsoft services when creating the logic app.

    My issue was the file share was created by Microsoft Logic App itself, but the network seems to go through the public network.

    After setting 'WEBSITE_CONTENTOVERVNET' to 1, the error is resolved.


  4. Kallen Roman 1 Reputation point
    2024-03-27T08:37:30.5766667+00:00

    I have the same question.

    We don't have access from the Azure DevOps Pipeline to the restricted storage account.
    Is there a solution now?


  5. Goyal, Saurabh 0 Reputation points
    2024-08-14T21:03:20.23+00:00

    I have the same issue. Did anyone figure out the solution?

