Connecting Storage Account to Logic App with Managed Identity

Niels 40 Reputation points
2023-11-24T14:32:03.56+00:00

Hi All

We have a scenario where we want to create Blob Files and also generate a SAS URI using a Logic App.

Everything works fine but the moment we want to secure the storage account so that only people from within a certain IP Range can access the SAS URI (which is per file) the connection fails.

I have followed the following steps: https://learn.microsoft.com/en-us/azure/connectors/connectors-create-api-azureblobstorage?tabs=consumption#access-blob-storage-in-same-region-with-system-managed-identities

This basically says that we need to configure System Managed Identities so that the Consumption Logic App can be in the same region as the Storage account.

Everything works in setting it up, but the moment I run the flow the connection starts to time out, resulting in the following error:

The remote name could not be resolved: 'accountnamefromsettings.blob.core.windows.net'

Anybody got some experience with this issue?

Thanks a lot :)


Accepted answer
  1. Anand Prakash Yadav 7,780 Reputation points Microsoft Vendor
    2023-11-28T13:00:17.6633333+00:00

    Niels, I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

    Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer. Accepted answers show up at the top, resulting in improved discoverability for others.


    Issue: Customer wants to create Blob Files and generate SAS URIs using a Logic App. When securing the Storage Account to allow access only from specific IP ranges, the Logic App connection fails, and the customer is encountering timeout errors.

    Error Message: "The remote name could not be resolved: 'accountnamefromsettings.blob.core.windows.net'"

    Cause: Whilst the designer gave the option to select the storage account from the dropdown, it didn't really select it.

    Solution: Customer added the blob endpoint as a custom value and now the flow works with the IP restrictions active.


5 additional answers

  1. Adam Zachary 2,886 Reputation points
    2023-11-24T22:05:22.4966667+00:00

    Hi Niels,

    Creating a Logic App to generate a SAS URI and manage Blob Files in an Azure Storage Account using a Managed Identity involves several steps and considerations.

    Here's a comprehensive guide based on Microsoft's best practices:

    Enable Managed Identity:

    • In Azure Portal, go to your Logic App resource.
    • Under Settings, select Identity.
    • In the Identity pane, under System assigned, select On and Save.
    • This step registers the system-assigned identity with Microsoft Entra ID, represented by an object ID​​.

    Assign Necessary Role:

    • Open the Azure Storage Account in Azure Portal.
    • Select Access control (IAM) > Add > Add role assignment.
    • Assign a role like 'Storage Blob Data Contributor', which includes write access for blobs in an Azure Storage container, to the managed identity.
    • Under Assign access to, select Managed identity > Add members, and choose your Logic App's identity.

    Configure Logic App:

    • Use specific built-in and managed connector operations that support OAuth with Microsoft Entra ID.
    • Azure Logic Apps supports connectors like Azure Blob Storage for Consumption Logic App workflows, which can use the system-assigned identity for authentication​​.

    Access Control and Security:

    • To secure the storage account, you can set up Azure role-based access control (Azure RBAC). This ensures that only authorized identities have access to the storage resources​​.

    Troubleshooting Connection Issues:

    • If you encounter connection timeouts or errors like 'The remote name could not be resolved', verify the network configuration, including any firewalls or network security groups that may be blocking access.
    • Ensure that the managed identity has the necessary permissions and roles assigned to access the storage account.

  2. Niels 40 Reputation points
    2023-11-24T22:39:19.06+00:00

    Hi, we are aware of the Microsoft documentation and we followed this. But the issues keep occurring. When we take the normal HTTP action it worked, but we also need to generate SAS URIs. So it's an issue atm.

  3. Adam Zachary 2,886 Reputation points
    2023-11-24T22:56:19.7933333+00:00

    Hi Niels,

    The error "The remote name could not be resolved: 'accountnamefromsettings.blob.core.windows.net'" typically indicates a DNS resolution issue. This can occur when your Azure Logic App is unable to resolve the DNS name of the Azure Blob Storage account. Here are some steps you can take to troubleshoot and resolve this issue:

    1. Ensure that there is no misconfiguration in the DNS settings within your Azure environment. Sometimes, DNS issues can arise due to incorrect settings or network restrictions.
    2. Verify that the Network Security Group (NSG) rules associated with the subnet or network interfaces that your Azure Logic App and Azure Blob Storage are using do not inadvertently block DNS resolution or necessary traffic.
    3. If your Storage Account is behind an Azure firewall, ensure that the necessary rules are in place to allow traffic from your Logic App. Since you mentioned restricting access to a specific IP range, ensure that the outbound IP addresses of your Logic App are included in the allowed list.
    4. Double-check that the Managed Identity used by your Logic App has the appropriate permissions. While you might have set the necessary RBAC roles, there could be additional permissions needed specifically for DNS resolution or network communication.
    5. Try creating a similar setup in a different network environment, if possible, to see if the issue is specific to your current network configuration.
    6. Examine the configuration of your Logic App, especially the parts where it connects to the Storage Account. Ensure that there are no typos or misconfigurations in the Storage Account name or other related settings.
    7. You can also use Azure's monitoring and logging tools to gather more detailed information about the error. This can help in identifying the exact point of failure in the DNS resolution process.

    Resolving DNS issues often requires a process of elimination and careful examination of network and configuration settings.

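Both of Adam's answers recommend confirming that the Logic App's outbound IP addresses are actually inside the storage account's allowed IP list before chasing DNS or permission causes. The following script is an added example (not code from the thread or from Microsoft) that performs that check offline: it takes the `networkRuleSet` shape that a storage account exposes (sample values below are constructed, with documentation-range addresses) and a constructed list of outbound IPs, and reports which outbound addresses no IP rule covers. It models only the IP rules and the default action; virtual-network rules, private endpoints and the "trusted Azure services" bypass are out of scope, and the accepted fix in this thread (selecting the blob endpoint as a custom value) is a separate, connector-level issue that no firewall check would reveal.

```python
"""Check a Logic App's outbound IPs against a storage account's IP firewall rules.

Added example for this thread; not the project's own code. Sample data is
constructed and uses RFC 5737 documentation ranges.
"""
import ipaddress

# Constructed sample of a storage account's network rule set, trimmed to the
# fields this check uses (same field names as the Azure resource JSON).
STORAGE_NETWORK_RULES = {
    "defaultAction": "Deny",
    "bypass": "AzureServices",
    "ipRules": [
        {"action": "Allow", "value": "203.0.113.0/24"},
        {"action": "Allow", "value": "198.51.100.7"},
    ],
}

# Constructed sample of a Logic App's outbound addresses. In practice these are
# the region-specific outbound IPs listed for the Logic App resource.
LOGIC_APP_OUTBOUND_IPS = ["203.0.113.45", "198.51.100.7", "192.0.2.10"]


def parse_ip_rules(rules):
    """Return the Allow rules as ip_network objects (a bare IP becomes a /32)."""
    networks = []
    for rule in rules.get("ipRules", []):
        if rule.get("action", "Allow") != "Allow":
            continue
        networks.append(ipaddress.ip_network(rule["value"], strict=False))
    return networks


def uncovered_ips(outbound_ips, rules):
    """List every outbound IP that no Allow rule covers."""
    allowed = parse_ip_rules(rules)
    missing = []
    for ip in outbound_ips:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in allowed):
            missing.append(ip)
    return missing


def firewall_allows(outbound_ips, rules):
    """True when the IP firewall alone would admit every outbound IP.

    With defaultAction Allow the firewall is open and IP rules do not matter;
    with Deny, every outbound address must match an Allow rule.
    """
    if rules.get("defaultAction", "Allow") == "Allow":
        return True
    return not uncovered_ips(outbound_ips, rules)


if __name__ == "__main__":
    missing = uncovered_ips(LOGIC_APP_OUTBOUND_IPS, STORAGE_NETWORK_RULES)
    if missing:
        print("Outbound IPs with no matching Allow rule:", ", ".join(missing))
    else:
        print("All outbound IPs are covered by the storage account IP rules.")
```

Run it after replacing the two constructed inputs with the real rule set and outbound IP list; any address it prints is one the storage firewall will reject, which is the first thing to rule out when a connector starts timing out after IP restrictions are switched on.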

  4. Niels 40 Reputation points
    2023-11-27T07:27:54.7133333+00:00

    Hi

    Well, I recreated the same process but with a normal HTTP Action and that works fine, so it must have something to do with the Blob Connector? Which is a bummer because it has an OOB action that I really need.

    It works with the HTTP Connector but not with the Azure Blob Connector, yet I followed all of the same steps as the documentation says.

    I also use System Managed Identities in both cases.

    I am also not a network expert of some sort, so troubleshooting this is not as straightforward as I would like.

    Kind regards