Getting a 403 error when connecting to a blob container in Azure

Question

Getting a 403 error when connecting to a blob container in Azure

MrFlinstone 686

0

I have generated a SAS token from azure with the intention of using it to access a container within the storage account. I have left all the permissions, got every one of them ticked. The token got generated and I am using the code snippet below.

$TLS12Protocol = [System.Net.SecurityProtocolType] 'Ssl3 , Tls12'
[System.Net.ServicePointManager]::SecurityProtocol = $TLS12Protocol
$ctx = New-AzStorageContext -StorageAccountName "my-storage-account"  -sastoken "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
get-azstoragecontainer -container "my-container" -Context $ctx -Debug

I get the error below, and I'm unsure as to what I'm missing.

x-ms-version:2021-06-08
Accept:application/xml
User-Agent:AzurePowershell/v1.0.0,azsdk-net-Storage.Blobs/12.12.0 (.NET Framework 4.8.4515.0; Microsoft Windows 10.0.19044 )
x-ms-client-request-id:abb66a91-xxxx-43e9-9391-xxxxxxxx
x-ms-return-client-request-id:true
client assembly: Azure.Storage.Blobs
DEBUG: Response [abb66a91-xxxx-43e9-9391-xxxxxxxx] 200 OK (00.1s)
x-ms-request-id:88fd2933-101e-0062-749d-35abda000000
x-ms-client-request-id:abb66a91-xxxx-43e9-9391-xxxxxxxx
x-ms-version:2021-06-08
x-ms-meta-hdi_version:REDACTED
x-ms-lease-status:unlocked
x-ms-lease-state:available
x-ms-has-immutability-policy:false
x-ms-has-legal-hold:false
x-ms-immutable-storage-with-versioning-enabled:REDACTED
x-ms-default-encryption-scope:$account-encryption-key
x-ms-deny-encryption-scope-override:false
Content-Length:0
Date:Tue, 31 Jan 2023 09:54:59 GMT
ETag:"0x8DA81EFF05B25D0"
Last-Modified:Fri, 19 Oct 2022 19:34:35 GMT
Server:Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0

DEBUG: Request [dt45454-3b50-4ede-a572-dtrtrt] GET https://xxxxxxx.blob.core.windows.net/my-container?sv=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

x-ms-version:2021-06-08
Accept:application/xml
User-Agent:AzurePowershell/v1.0.0,azsdk-net-Storage.Blobs/12.12.0 (.NET Framework 4.8.4515.0; Microsoft Windows 10.0.19044 )
x-ms-client-request-id:dt45454-3b50-4ede-a572-dtrtrt
x-ms-return-client-request-id:true
client assembly: Azure.Storage.Blobs
DEBUG: Error response [dt45454-3b50-4ede-a572-dtrtrt] 403 This request is not authorized to perform this operation. (00.0s)
x-ms-request-id:fdsf7823f-101e-0062-079d-35abda1111

Sumarigo-MSFT 47,466 Reputation points Microsoft Employee Moderator

2023-02-28T09:34:05.5166667+00:00

@MrFlinstone Just checking in to see if the above answer helped. If this answers your query, do click "Accept the answer” for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
Sumarigo-MSFT 47,466 Reputation points Microsoft Employee Moderator

2023-03-06T07:40:20.6333333+00:00

@MrFlinstone Just checking in to see if the above answer helped. If this answers your query, do click "Accept the answer” for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

1 answer

Your answer

Sumarigo-MSFT 47,466 Reputation points Microsoft Employee Moderator

2023-02-28T09:34:05.5166667+00:00

@MrFlinstone Just checking in to see if the above answer helped. If this answers your query, do click "Accept the answer” for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
Sumarigo-MSFT 47,466 Reputation points Microsoft Employee Moderator

2023-03-06T07:40:20.6333333+00:00

@MrFlinstone Just checking in to see if the above answer helped. If this answers your query, do click "Accept the answer” for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Answer 1

Ramya Harinarthini_MSFT 5,366 Microsoft Employee Moderator

@MrFlinstone Welcome to Microsoft Q&A, thank you for posting your here!!

Could you please validate if your storage account is enabled with Firewall?

Steps: -
Azure Portal -> Storage Account -> Networking -> Check Allow Access From (All Networks / Selected Networks)
If it is "Selected Networks" - It means the storage account is firewall enabled.

User's image

If the storage account is firewall enabled, check if your client IP is whitelisted from here you are trying to access Storage container.

If you have enabled private endpoints, you will need to ensure that your DNS is also properly configured.

Please check this article to troubleshoot Private Endpoints scenarios: https://techcommunity.microsoft.com/t5/azure-paas-blog/troubleshooting-connectivity-to-blob-storage-using-azure-storage/ba-p/2173908

Hope this helps!
Kindly let us know if the above helps or you need further assistance on this issue.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

MrFlinstone 686 Reputation points

2023-02-01T09:02:50.4366667+00:00

Please note that the option selected is Enable from all networks and Microsoft network routing as shown on your earlier answer. It still giving me a 403 error.

Where can I get some more detailed logs as to why I am getting a 403 error ?
Ramya Harinarthini_MSFT 5,366 Reputation points Microsoft Employee Moderator

2023-02-01T15:16:12.33+00:00
@MrFlinstone

Are you generating SAS token on Storage account or on Container level?

If you have generated the SAS on Storage account level by checking allowed resource types as service, container, object then you would successfully get the container details from the PowerShell command that you are using.

I have tried it in my test Subscription and generated sas on account level and was able to get the container details from the below commands.

$ctx = New-AzStorageContext -StorageAccountName "replicationtest123" -sastoken "?sv=&ss=&srt=&sp=&se=&st=&spr=https&sig=" get-azstoragecontainer -container "hnsonerror" -Context $ctx

Name                 PublicAccess         LastModified                   IsDeleted VersionId

----                 ------------         ------------                   --------- ---------

hnsonerror                        11/24/2022 10:24:00 AM +00:00

If you are trying to generate the SAS on container level it will fail with 403 error.

$ctx = New-AzStorageContext -StorageAccountName "replicationtest123" -sastoken "sp=&st=&se=&spr=https&sv=sr=c&sig="                     get-azstoragecontainer -container "hnsonerror" -Context $ctx

Get-AzStorageContainer: This request is not authorized to perform this operation.

RequestId: e4201221-f01e-001d-204c-36682f000000

Time:2023-02-01T14:51:50.3664869Z

Status: 403 (This request is not authorized to perform this operation.)

ErrorCode: AuthorizationFailure

Content:

<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationFailure</Code><Message>This request is not authorized to perform this operation.

RequestId: e4201221-f01e-001d-204c-36682f000000

Time:2023-02-01T14:51:50.3664869Z</Message></Error>

Headers:

Server: Windows-Azure-Blob/1.0,Microsoft-HTTPAPI/2.0

x-ms-request-id: e4201221-f01e-001d-204c-36682f000000

x-ms-client-request-id: 8f97876d-fea8-4096-a1df-80a90c0df81b

x-ms-version: 2021-10-04

x-ms-error-code: AuthorizationFailure

Date: Wed, 01 Feb 2023 14:51:49 GMT

Content-Length: 246

Content-Type: application/xml

Hope this helps!
Kindly let us know if the above helps or you need further assistance on this issue.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Share via

Getting a 403 error when connecting to a blob container in Azure

1 answer

Your answer