Azure Blob storage unauthorized 403 while access from app service

Tahami Rizwan 20

We have multiple backend APIs hosted on Azure web app under same plan. All APIs have same outbound ips, and all these APIs enabled access restriction, these APIs only accessible within the api gateway. We have blob storage, we have also enable restriction on it (Networking Enabled from selected virtual networks and IP addresses  Firewall, added all APIs ips on it), Now when APIs going to fetch some image from blob it throw following error,

Azure.RequestFailedException: This request is not authorized to perform this operation.

RequestId:0bc5827d-c01e-0030-382f-929e61000000

Status: 403 (This request is not authorized to perform this operation.)

ErrorCode: AuthorizationFailure

Content:

Point to be noted that both APIs and blob are not using vNet, and both are on same resource group and using the same Identity

but when we remove network restriction on storage account it works fine

B santhiswaroop naik 390 Reputation points

2023-05-31T06:32:33.5733333+00:00
Based on the error message you provided, it seems that the request from your APIs to the blob storage is not authorized due to the access restrictions you have set up on the storage account.

To troubleshoot this issue, here are a few suggestions:

Ensure that the outbound IP addresses of your APIs are correctly added to the firewall settings of the storage account. Verify that the IP addresses match the ones used by the APIs. It's possible that the IP addresses have changed or were not added correctly.

Double-check the access restrictions settings on the storage account. Ensure you have enabled access from selected virtual networks and IP addresses, and that the correct IP addresses or IP ranges are added.

Check if any other network security groups or firewalls could be blocking the traffic between the APIs and the storage account. Review the network configuration for both the APIs and the storage account to ensure there are no conflicting rules.

Verify that the identity used by both the APIs and the storage account has the necessary permissions to access the blob storage. Ensure that the identity is correctly configured and has the appropriate roles or access policies assigned.

If you are using a virtual network (vNet) with service endpoints for the storage account, ensure that the vNet and the APIs are properly configured to allow traffic between them. Check if any network security groups or route tables are blocking the communication.

Review the logs and diagnostics of both the APIs and the storage account to gather more information about the error and identify any potential issues.
Tahami Rizwan 20 Reputation points

2023-05-31T09:53:32.3766667+00:00

yes , I have verified the required IP's and other settings for this but same issue
SnehaAgrawal-MSFT 21,661 Reputation points

2023-06-01T15:45:29.0466667+00:00

@Tahami Rizwan

The error message you are seeing indicates that the request to fetch the image from the blob storage is not authorized.

One possible reason for this error is that the access restrictions on the blob storage are preventing the APIs from accessing the storage.

To resolve this issue, you can authorize access to the blob storage using Azure Active Directory. With Azure AD, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user, group, or application service principal. The security principal is authenticated by Azure AD to return an OAuth 2.0 token. The token can then be used to authorize a request against the Blob service.

See- https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory

https://learn.microsoft.com/en-us/azure/storage/blobs/assign-azure-role-data-access?tabs=portal

Let us know
SnehaAgrawal-MSFT 21,661 Reputation points

2023-06-05T06:02:29.0833333+00:00

@Tahami Rizwan

Just checking if you have chance to see recent response.

Please let us know if further query or issue remains.
Tahami Rizwan 20 Reputation points

2023-06-06T05:04:35.9733333+00:00

we are authenticating blob storage through SAS token
SnehaAgrawal-MSFT 21,661 Reputation points

2023-06-12T07:59:25.3833333+00:00

@Tahami Rizwan Thanks for reply! A Shared Access Signature (SAS) token is utilized to provide restricted access to a blob for users without authentication. This access can be restricted to a specific time period and limited to actions such as reading, writing, or other operations on a specific file within the blob storage.

Could you double-check that the SAS token is correctly configured with the necessary permissions (e.g., read, write) for the specific blob or container you are trying to access. Ensure that the token has not expired and that the time range is set correctly, Also confirm that the App Service has the appropriate permissions to access the blob storage. If you are using a managed identity for your App Service, ensure that it has the necessary roles and access rights assigned in the Azure portal.

Suggest you to refer this blog if any step is missing

Generate SAS Token For Azure Blob Storage Using Managed Identity

For more details see official document link here - https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json

Let us know.
Stéphane Bourbeau 0 Reputation points

2024-09-12T19:56:56.1133333+00:00

For those stumbling on the issue: we solved it by creating a SAS Token that was valid PRIOR to DateTime.now. it's as if there was a Timezone issue or server time difference that made the server query for the file with a token that was not valid YET. By creating a token that was valid from Yesterday to now + 20 minutes, we completly solved the issue.

1 answer

Vasco Ezequiel 11 Reputation points

2024-09-25T16:58:32.2966667+00:00

I want to share my case to help those who might encounter a similar error.

My case

My storage was only accessible from a limited set of public IPs. I could run the AzCopy commands from my house without any issues, but running the same command from a VM in Azure generated an error. To make things worse, I could run AzCopy Sync successfully as long as the blobs were the same or in --dry-run mode, but I could not copy them.

Investigation

The public IPs of the VMs were in the allow list.

<br>However some transactions were done with non-routable IPs, I could not add the private IP 10.x.x.x/16 to that list.

Solution

After reviewing the logs, I noticed that a new and unknown public IP from Microsoft was also attempting to do the copy. Once that IP was added to the allow list, the error was resolved.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Azure Blob storage unauthorized 403 while access from app service

1 answer

Your answer