Event Grid - Deliver events using private link service - AuthorizationFailure

Thomas Adams 36 Reputation points
2023-02-07T12:08:03.4233333+00:00

Hello,

We are trying to set up Event Grid to deliver events to an Azure Storage queue following this documentation: https://learn.microsoft.com/en-us/azure/event-grid/consume-private-endpoints

We are using a system topic that publishes BlobCreated events to a subscriber, which is the Azure Storage queue. When a new event is published, we are receiving the following error message in the AegDeliveryFailureLogs.

deliveryResponse=Unauthorized, errorCode=AuthorizationFailure, QueueErrorCode=AuthorizationFailure, , httpStatusCode=InternalServerError, errorType=UnexpectedError, errorMessage=An unexpected error has occurred. Please report the x-ms-request-id header value to our forums for assistance or raise a support ticket., errorMessage=This request is not authorized to perform this operation.
RequestId:90f902da-e003-0009-22e2-3a6991000000
Time:2023-02-07T10:55:22.1717613Z
Status: 403 (This request is not authorized to perform this operation.)
ErrorCode: AuthorizationFailure   Content:
<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationFailure</Code><Message>This request is not authorized to perform this operation.
RequestId:90f902da-e003-0009-22e2-3a6991000000
Time:2023-02-07T10:55:22.1717613Z</Message></Error>   Headers:
Date: Tue, 07 Feb 2023 10:55:21 GMT
Server: Microsoft-HTTPAPI/2.0
x-ms-request-id: 90f902da-e003-0009-22e2-3a6991000000
x-ms-error-code: AuthorizationFailure
Content-Length: 246
Content-Type: application/xml

The network settings for the storage account where the queue resides are set to "Enabled from selected virtual networks and IP addresses", with the following option ticked: "Allow Azure services on the trusted services list to access this storage account".

According to the documentation, this should allow Event Grid to publish to storage queues.

If we alter the network settings for the storage account where the queue resides to "Enabled from all networks", then the messages are published successfully.

Does anyone know why allowing access from trusted Azure resources doesn't allow messages to be published to the storage queue? We would like to block public access on the storage account if at all possible.

Thanks


1 answer

  1. MuthuKumaranMurugaachari-MSFT 22,151 Reputation points
    2023-02-24T19:01:54.3866667+00:00

    Thomas Adams, thanks for your patience and working with us offline.

    Update for Community:

    Currently, user-assigned managed identity is not supported yet for storage accounts with VNET/Firewall rules enabled and with the "Allow Azure services on the trusted services list to access this storage account" option. Our product team has a backlog item and unfortunately, no ETA yet. I have passed your feedback internally to them and opened https://github.com/MicrosoftDocs/azure-docs/issues/105746 to update this limitation in our docs so that it will help others.

    Meanwhile, please use system-assigned managed identity if possible or user-assigned managed identity without VNET/Firewall rules. You can also submit feedback directly with our product team via https://feedback.azure.com/d365community/forum/a095b5b5-f124-ec11-b6e6-000d3a4f0da0 and others with similar interests can upvote your idea too. I hope this helps and let me know if any questions.

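As an added triage example (not code from the question, the answer, or Microsoft), the following parses the AegDeliveryFailureLogs line quoted in the question and checks the storage account and event subscription configuration against the limitation the answer describes: a user-assigned delivery identity combined with a storage firewall (default action Deny) and the trusted-services bypass. The resource fragments are constructed; their property names (`networkAcls.defaultAction`, `networkAcls.bypass`, `deliveryWithResourceIdentity.identity.type`) are assumed to follow the ARM resource shape.

```python
"""Triage for Event Grid -> Storage queue AuthorizationFailure delivery failures."""
from typing import Dict

# Constructed copy of the AegDeliveryFailureLogs line from the question (note the empty ", ," token
# and the repeated errorMessage key, both of which the parser has to tolerate).
SAMPLE_LOG = (
    "deliveryResponse=Unauthorized, errorCode=AuthorizationFailure, "
    "QueueErrorCode=AuthorizationFailure, , httpStatusCode=InternalServerError, "
    "errorType=UnexpectedError, errorMessage=An unexpected error has occurred. Please report "
    "the x-ms-request-id header value to our forums for assistance or raise a support ticket., "
    "errorMessage=This request is not authorized to perform this operation."
)

# Constructed resource fragments (assumed ARM-style property names).
STORAGE_LOCKED_DOWN = {"properties": {"networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices"}}}
STORAGE_OPEN = {"properties": {"networkAcls": {"defaultAction": "Allow", "bypass": "AzureServices"}}}
SUB_USER_ASSIGNED = {"properties": {"deliveryWithResourceIdentity": {"identity": {"type": "UserAssigned"}}}}
SUB_SYSTEM_ASSIGNED = {"properties": {"deliveryWithResourceIdentity": {"identity": {"type": "SystemAssigned"}}}}


def parse_delivery_failure(line: str) -> Dict[str, str]:
    """Split the comma-separated key=value log line into a dict.
    Empty tokens are skipped; for a repeated key the last value wins (the queue-side message)."""
    fields: Dict[str, str] = {}
    for token in line.split(", "):
        token = token.strip()
        if not token or "=" not in token:
            continue
        key, value = token.split("=", 1)
        fields[key.strip()] = value.strip()
    return fields


def is_unsupported_combination(storage_acct: dict, subscription: dict) -> bool:
    """True when the setup matches the limitation from the answer: user-assigned delivery identity
    plus a storage firewall (defaultAction Deny) plus the trusted Azure services bypass."""
    acls = storage_acct["properties"]["networkAcls"]
    identity = subscription["properties"]["deliveryWithResourceIdentity"]["identity"]["type"]
    firewall_on = acls.get("defaultAction", "Allow").lower() == "deny"
    trusted_bypass = "azureservices" in acls.get("bypass", "").lower()
    return firewall_on and trusted_bypass and identity.lower() == "userassigned"


def triage(log_line: str, storage_acct: dict, subscription: dict) -> str:
    """Map a delivery failure log line plus the two configs to a next step."""
    fields = parse_delivery_failure(log_line)
    if fields.get("errorCode") != "AuthorizationFailure":
        return "not-an-authorization-failure: " + fields.get("errorCode", "<missing errorCode>")
    if is_unsupported_combination(storage_acct, subscription):
        return "unsupported: switch the delivery identity to SystemAssigned or relax the storage firewall"
    return "authorization failure: verify the delivery identity's RBAC assignment on the queue"
```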