Function App host storage account shared key access disabled issues.

SivaD 0 Reputation points Microsoft Vendor
2024-06-15T06:04:13.0066667+00:00

Hi,

Please help on the below issue.

Recently I set "disabled" on my host storage account Property "Allow storage account key access" as part S360 issue fix but Function app which is running in Standard plan stopped working.

Storage account and function app both are running in the same region (Cental US).

Network firewall is set to "Enabled from all networks" in the host storage account and did all the necessary app settings in the function app to support managed identity but still getting the 403 error: 

Status: 403 (This request is not authorized to perform this operation using this permission.) ErrorCode: AuthorizationPermissionMismatch

Storage account Network setting:

thumbnail image 15 of blog post titled  Use managed identity instead of AzureWebJobsStorage to connect a function app to a storage account

FunctionApp Network settings:

thumbnail image 16 of blog post titled  Use managed identity instead of AzureWebJobsStorage to connect a function app to a storage account

 

Thank you,

Siva

Azure Functions
Azure Functions
An Azure service that provides an event-driven serverless compute platform.
4,631 questions
Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
2,909 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,524 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. akinbade abiola 8,450 Reputation points
    2024-06-15T06:14:29.9766667+00:00

    Hello SivaD,

    Thanks for your question.

    This is an IAM issue, not a networking one.

    Check the permissions on the service principal or managed identity being used.

    Go to Storage account > IAM > Add role assignment.

    In 'Add Role Assignment', select these two roles and assign it to the account or identity connecting.

    Regards,

    You can mark it 'Accept Answer' if this helped you

    0 comments No comments