Issues with browsing a datastore in Azure ML web UI when using Managed Identity (MiD)

Aakif Nawaz (Silo AI Oy) 0 Reputation points Microsoft Vendor
2024-05-27T12:19:26.9466667+00:00

I get an error in the Web UI stating:

"Unable to access data because it does not exist, is behind a virtual network, or you do not have Storage Blob Data Reader role on this storage account."

when I try to browse the data asset linked to a storage account. I am using User Assigned Managed Identities which have the necessary Roles to access the storage account (Contributor, Reader, Storage Blob Data Reader) as well as the Contributor role in the Workspace. Also, to be clear, the storage account in question isn't behind a Virtual Network either.

So can someone point out what I am missing here?

On clicking "more details" I get

Unable to access data because it does not exist, is behind a virtual network, or you do not have Storage Blob Data Reader role on this storage account.
{ "error": "This request is not authorized to perform this operation using this permission." }

1 answer

  1. Sina Salam 5,471 Reputation points
    2024-05-27T14:41:13.34+00:00

    Hello Aakif Nawaz (Silo AI Oy),

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you are encountering an error when accessing a data asset linked to a storage account via the Web UI, and the error indicates issues with permissions or network configurations.

    This prescribed solution is based on the scenario given and your questions, while focusing on the problem statement. If you have ensured, as stated, that the role assignments are perfect, you're able to validate the identity in the workspace, and everything is okay, do these two things:

    1. Check the scope of the role assignments to see whether the roles were assigned at the correct scope (storage account level, resource group, or subscription level). Make sure that the roles are assigned at the correct scope. The roles need to be assigned at the storage account level or at a higher scope (e.g., resource group or subscription level) to ensure they apply to the entire storage account.
    2. Check Firewall and Networking. Although you mentioned that the storage account is not behind a virtual network, it is still worth checking the firewall and network settings. Similar solution: https://learn.microsoft.com/en-us/answers/questions/276987/cannot-access-container-in-a-storage-account.

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.

    ** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.

    Best Regards,

    Sina Salam

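One way to run the scope check from step 1 of the answer offline, as an added example that is not part of the original thread: it takes role assignments exported for the identity and reports which of them actually grant blob read access on the target container. The sample data is constructed (shaped like `az role assignment list --assignee <principal-id> --all` output), the subscription ID and resource names are placeholders, and only built-in role names are recognised.

```python
# Constructed sample shaped like the output of
# `az role assignment list --assignee <principal-id> --all`;
# the subscription ID and resource names are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-ml"
ACCOUNTS = RG + "/providers/Microsoft.Storage/storageAccounts/"
TARGET = ACCOUNTS + "mlstore2/blobServices/default/containers/data"
SAMPLE = [
    {"roleDefinitionName": "Contributor", "scope": RG},
    {"roleDefinitionName": "Reader", "scope": ACCOUNTS + "mlstore2"},
    {"roleDefinitionName": "Storage Blob Data Reader", "scope": ACCOUNTS + "mlstore"},
]

# Assumption: only these built-in roles are recognised as carrying blob read
# DataActions; custom roles would need their definitions inspected.
BLOB_READ_ROLES = {"storage blob data reader", "storage blob data contributor",
                   "storage blob data owner"}

def scope_covers(assigned, target):
    """True if an assignment at `assigned` is inherited by `target`.
    Compares whole path segments, case-insensitively, so an assignment on
    account 'mlstore' is not mistaken for one on 'mlstore2'."""
    a = [s for s in assigned.lower().split("/") if s]
    t = [s for s in target.lower().split("/") if s]
    return t[:len(a)] == a

def audit(assignments, target):
    """Return (roles that grant blob read on target, reasons the others do not)."""
    effective, findings = [], []
    for ra in assignments:
        role, scope = ra["roleDefinitionName"], ra["scope"]
        if not scope_covers(scope, target):
            findings.append(f"{role}: scope does not cover the target ({scope})")
        elif role.lower() not in BLOB_READ_ROLES:
            findings.append(f"{role}: control-plane role, no blob DataActions")
        else:
            effective.append(role)
    return effective, findings

if __name__ == "__main__":
    effective, findings = audit(SAMPLE, TARGET)
    print("effective blob-read roles:", effective or "none")
    for f in findings:
        print(" -", f)
```

With the sample data no assignment is effective: Contributor and Reader cover the target but carry no blob data permissions, and the data role sits on a sibling storage account.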