Azure Function Storage Authorization Failure

Singh, Gaurav 5 Reputation points
2023-02-05T11:44:07.4233333+00:00

Hello,

I am testing Azure Functions to execute a PowerShell script.
The AZ Function performs storage operations (copy/move/delete).
A service principal is used for authentication between the services (AZ Function/Storage).
The Storage firewall is enabled, the AZ Function public IPs are whitelisted on the storage firewall, and this is working well in Environment-A.

The Azure Function executes well in Environment-A, but the problem occurs in Environment-B.
The configuration is similar and in place.


Troubleshooting:
As the Storage firewall is enabled in both Environment-A and Environment-B,
we changed the firewall to allow all networks and it worked as in Environment-A,
but when selecting the option "Enabled from selected VNET and IPs" we face the issue shown in the attached image, even though the AZ Function IPs are whitelisted.

Thanks
Gaurav


3 answers

  1. Sreeju Nair 12,661 Reputation points
    2023-02-05T12:55:52.5233333+00:00

    Based on the error message, it seems the issue is with the authorization. I believe there is a problem in the service principal configuration; can you double-check that part and post the results here?


  2. SaiKishor-MSFT 17,336 Reputation points
    2023-02-06T22:04:56.1666667+00:00

    @Singh, Gaurav

    This error message indicates that the Azure Function is not authorized to access the storage account. This could be because the Azure Function's managed identity is not granted the required permissions on the storage account.

    To fix this issue, you can grant the Azure Function's managed identity the required permissions on the storage account using the Azure portal or Azure PowerShell.

    1. In the Azure portal, navigate to the storage account, and click on "Access control (IAM)" in the left-hand menu.
    2. Click on the "Add role assignment" button, and select the "Storage Blob Data Contributor" role from the drop-down list.
    3. In the "Assign access to" field, select the Azure Function's managed identity from the drop-down list.
    4. Click on the "Save" button to save the changes.

    Alternatively, you can use the following Azure PowerShell cmdlets to grant the Azure Function's managed identity the required permissions on the storage account:

    ```powershell
    # Look up the storage account and the Function App, then assign the data-plane role
    # to the Function App's system-assigned managed identity at the storage account scope.
    $storageAccount = Get-AzStorageAccount -ResourceGroupName "myresourcegroup" -Name "mystorageaccount"
    $functionApp    = Get-AzFunctionApp    -ResourceGroupName "myresourcegroup" -Name "myfunctionapp"
    $roleAssignment = New-AzRoleAssignment -ObjectId $functionApp.Identity.PrincipalId `
        -RoleDefinitionName "Storage Blob Data Contributor" `
        -Scope $storageAccount.Id
    ```

    After granting the required permissions, try accessing the storage account again from the Azure Function to see if the issue is resolved.

    Please let us know if you have any more questions and we will be glad to assist you further. Thank you!



  3. SaiKishor-MSFT 17,336 Reputation points
    2023-02-23T19:31:03.3+00:00

    @Singh, Gaurav After some research, I was able to confirm that Azure Functions uses private IPs when traversing the same region within Azure and uses Public IPs when traversing inter-region. Therefore, using Public IPs to control access will not work at this time.

    Alternate solutions would be:

    1. Allow all traffic via Firewall
    2. Follow steps to Connect your Function App to your VNET

    Hope this helps. Please let us know if you have any more questions and we will be glad to assist you further. Thank you!

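As an added illustration of the second alternative above (this is not code from the thread or from the Azure documentation), the following Azure PowerShell script integrates the Function App with a VNet subnet, enables the Microsoft.Storage service endpoint on that subnet, and then allows only that subnet on the storage firewall instead of the Function App's public IPs. All resource names and the subscription ID are placeholders.

```powershell
# Added example (not from the original thread). All names below are placeholders.
$rg           = "myresourcegroup"
$storageName  = "mystorageaccount"
$functionName = "myfunctionapp"
$vnetName     = "myvnet"
$subnetName   = "functions-integration"   # dedicated subnet, delegated to Microsoft.Web/serverFarms

# 1. Give the integration subnet the Microsoft.Storage service endpoint and the App Service delegation.
$vnet       = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet     = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
$delegation = New-AzDelegation -Name "functions" -ServiceName "Microsoft.Web/serverFarms"
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix `
    -ServiceEndpoint "Microsoft.Storage" `
    -Delegation $delegation | Out-Null
$vnet     = $vnet | Set-AzVirtualNetwork
$subnetId = ($vnet.Subnets | Where-Object Name -eq $subnetName).Id

# 2. Attach the Function App to that subnet (regional VNet integration) and route all
#    outbound traffic through the VNet so storage calls leave from the subnet, not a public IP.
$app = Get-AzResource -ResourceType "Microsoft.Web/sites" -ResourceGroupName $rg -ResourceName $functionName
$app.Properties.virtualNetworkSubnetId = $subnetId
$app.Properties.vnetRouteAllEnabled    = $true
$app | Set-AzResource -Force | Out-Null

# 3. Keep the storage firewall deny-by-default and allow only the integration subnet.
#    (The "Storage Blob Data Contributor" assignment from the earlier answer is still required.)
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $storageName -DefaultAction Deny | Out-Null
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $storageName -VirtualNetworkResourceId $subnetId | Out-Null

# 4. Verify: the subnet rule should show State "Succeeded"; the public-IP rules can then be removed.
(Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $storageName).VirtualNetworkRules |
    Format-Table VirtualNetworkResourceId, Action, State
```

VNet integration requires a plan that supports it (Premium or Dedicated); a Consumption-plan Function App cannot be attached to a subnet this way.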
