Can't access a storage account from a container app

Yovel Cohen 20 Reputation points

I'm trying to connect a new container app to an existing storage account that I use in other apps as well. The new container app is in the same resource group as my other apps, yet attempting to interact with the storage account (blob/table) from the new container results in an AuthenticationFailed error.

I've made sure the new container app has owner/contributor role in the storage account, yet I still get the AuthenticationFailed error.

Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
Azure Container Apps
An Azure service that provides a general-purpose, serverless container platform.

2 answers

  1. Amrinder Singh 3,795 Reputation points Microsoft Employee

    Hi Yovel Cohen - Thanks for reaching out.

    Can you please share complete exception details if possible?

    Are there any kind of network level configurations/restriction on the storage account?

    Have you tried configuring any other auth mechanism, such as Access Keys/SAS, and are you able to connect that way?

    Looking forward to hearing from you.


  2. Nehruji R 3,726 Reputation points Microsoft Vendor

    Hello Yovel Cohen,

    Greetings! Welcome to Microsoft Q&A Platform.

    I understand that you’re encountering an AuthenticationFailed error when your new container app tries to interact with the existing storage account. Please consider checking the following; one of these approaches will help you resolve the AuthenticationFailed error.

    • This article shows you how to configure authentication for Azure Container Apps so that your app signs in users with the Microsoft identity platform as the authentication provider.
    • Ensure that the managed identity of your container app has the appropriate permissions on the storage account. You can assign the Storage Table/Blob Data Contributor role to the managed identity at either the subscription level or the resource level for the specific storage account. Make sure to wait a few hours to ensure the changes propagate.
    • If you’re using Terraform, make sure to whitelist your build agent. You can do this by either using a self-hosted agent within a VNET or allowing access from that VNET in your storage account’s firewall rules.
    • Consider upgrading your Azure Storage SDK version. Some older versions may have issues. If you’re using Microsoft.WindowsAzure.Storage, try updating to a more recent version.
    • Check your SAS token and, if it is expired, create a new version of the secret using a SAS token with a longer duration.
    • Verify whether your storage account has firewall configurations. If it is set to “Selected Networks,” make sure your IP is whitelisted to access the storage account.

    Hope this answer helps! Please let us know if you have any further queries. I’m happy to assist you further.

    Please “Accept the answer” and “up-vote” wherever the information provided helps you; this can be beneficial to other community members.

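The SAS check suggested in the second answer can be done offline by reading the token's own fields. The following is an added example, not part of the original thread: `check_sas` is a hypothetical helper, and the sample URL, account name and signature are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Time formats accepted in the st/se fields of a SAS token (always UTC).
_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")

# Constructed sample, not a real account or signature.
SAMPLE_SAS_URL = (
    "https://examplestorage.blob.core.windows.net/data/report.csv"
    "?sv=2022-11-02&sr=b&sp=r&st=2024-05-01T00%3A00%3A00Z"
    "&se=2024-05-02T00%3A00%3A00Z&sig=CONSTRUCTED-PLACEHOLDER"
)

def _parse_time(value):
    for fmt in _FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time value: {value!r}")

def check_sas(url_or_token, needed="", now=None, soon=timedelta(hours=1)):
    """Return a list of problems found in a SAS token (empty list: none found).

    Only field names, times and permissions are read; sig is never returned.
    """
    now = now or datetime.now(timezone.utc)
    query = urlsplit(url_or_token).query or url_or_token.lstrip("?")
    params = {k: v[0] for k, v in parse_qs(query).items()}
    problems = []
    if "sig" not in params:
        problems.append("no sig field: this is not a SAS token")
    if "st" in params and _parse_time(params["st"]) > now:
        problems.append("not yet valid: st is in the future")
    if "se" in params:
        expiry = _parse_time(params["se"])
        if expiry <= now:
            problems.append("expired: se is in the past")
        elif expiry - now < soon:
            problems.append("expires soon: se is less than %s away" % soon)
    elif "si" not in params:  # with si, expiry comes from a stored access policy
        problems.append("no se field and no stored access policy (si)")
    missing = sorted(set(needed) - set(params.get("sp", "")))
    if missing and "si" not in params:
        problems.append("sp lacks permissions: " + "".join(missing))
    return problems

if __name__ == "__main__":
    for problem in check_sas(SAMPLE_SAS_URL, needed="rw"):
        print(problem)
```

Pass the permissions the app actually uses in `needed` (for example `"rw"`), so a token that is still in date but lacks a permission is flagged as well.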