Not able to access private storage Blob using SAS token from Synapse Pipeline

Question

We need to connect to a 3rd Party vendor's Storage account to get the data files we need and they have provided us with a SAS token.

I have used Self-Hosted IR to have a Static IP for their Firewall and got it whitelisted in the vendor's firewall.

When I created the Linked Service with SAS URI as Authentication, the Connection shows successful but when I created a dataset to access the file it throws 403 error. The below error:

"Blob operation failed for: Blob Storage on container '' and path '/' get failed with 'The remote server returned an error: (403) Forbidden.'. Possible root causes: (1). Grant service principal or managed identity appropriate permissions to do copy. For source, at least the “Storage Blob Data Reader” role. For sink, at least the “Storage Blob Data Contributor” role. For more information, see https://docs.microsoft.com/en-us/azure/data-factory/connector-azure-blob-storage?tabs=data-factory#service-principal-authentication. (2). It's possible because the IP address of the self-hosted integration runtime machines are not allowed by your Azure Storage firewall settings. (3). If the self-hosted integration runtime use proxy server, it's possible because the IP address of the proxy server is not allowed by your Azure Storage firewall settings.. The remote server returned an error: (403) Forbidden.StorageExtendedMessage=Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. RequestId:f1dbda01-901e-003e-57d5-7d505b000000 Time:2023-05-03T15:39:04.9513992Z, The remote server returned an error: (403) Forbidden."

To test out I have even installed storage explorer in the VM the Self-Hosted IR is installed and I'm able to access the files.

The Issue is only with the Synapse pipeline in accessing a blob Container with SAS. The firewall is whitelisted too. Doesn't have RBAC as its a 3rd party vendor and we should be able to connect using SAS token.

Please help me with this one.

Answer 1

@Siva B I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept " the answer.

Issue: Was difficulty accessing a private storage blob via SAS token from within a Synapse pipeline. Team needs to access data files from a third-party vendor's storage account, and we have been provided with a SAS token for this purpose. To ensure that we can connect to the storage account, I have set up a Self-Hosted IR with a static IP address and had it whitelisted in the vendor's firewall. When creating a Linked Service using the SAS URI as authentication, the connection appears to be successful. However, when I try to create a dataset to access the file, a 403 error is thrown.

Solution: Initially, I was unable to access the data from the Synapse dataset browser because it was looking from the root directory, which I did not have access to. However, after specifying the correct path, I was able to access the data successfully.

---

Please let us know if you have any more questions and we will be glad to assist you further. Thank you!

Remember:

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Want a reminder to come back and check responses? Here is how to subscribe to a notification.