how service principal can access to private stroge container from onprem splunk

Ankita Rani Patro 176 Reputation points
2024-11-04T21:53:21.06+00:00

i have a private stage container. where public access disabled but access allowed from selected network. we created service principle and assign storage data contributor access to container.splunk is trying to use that service principl to connect container.but getting error as
Still seems to be there:  2024-11-04 17:02:59,618 +0000 log_level=ERROR, pid=3951404, tid=Thread-9, file=mscs_storage_dispatcher.py, func_name=_dispatch_storage_list, code_line_no=90 | [stanza_name="..." account_name="..." container_name="adf-container" blob_list="logs"] Exception@_dispatch_tables() ,error_message=Public access is not permitted on this storage account. ErrorCode: PublicAccessNotPermitted

i see no drop in firewall

Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
3,279 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Silvia Wibowo 4,166 Reputation points Microsoft Employee
    2024-11-05T00:07:20.86+00:00

    Hi @Ankita Rani Patro , I understand you have an on-prem service (Splunk) that's trying to access Azure Storage Account.

    Network-wise, how is your on-prem Splunk connected to Azure: using VPN, Express Route, or Internet (public IP address)?

    If you're using internet, you need to enable public endpoint (public network access) of the Azure Storage Account. Enabling public endpoint opens the network access of the Storage Account from public IP address. You can still select which public IP address is allowed to access the storage account (Storage Firewall setting): grant access to public IP address/range. You also still need the service principal as authorization.

    1 person found this answer helpful.
    0 comments No comments

  2. Sumarigo-MSFT 47,286 Reputation points Microsoft Employee
    2024-11-17T07:42:00.36+00:00

    @Ankita Rani Patro Welcome to Microsoft Q&A Forum, Thank you for posting your query here!

    Adding more information to the above response!

    Based on the error message, Please refer to the suggestion mentioned in this Tech Community Blog

    "Public access is not permitted on the storage account" means that the Azure storage account is configured to prevent anonymous access to its data, meaning anyone without specific credentials cannot access the files stored within it, effectively blocking public access to the storage account; this is typically done for security reasons to protect sensitive data.

    Can you please share the screenshot of the error message, If the issue still persists?

    To enable a service principal to access a private storage container from an on-premises Splunk instance, you need to ensure that the network configuration and permissions are correctly set up. Here are the steps you can follow:

    Network Configuration: Ensure that your on-premises Splunk instance is connected to Azure via a secure method such as VPN or ExpressRoute. If you're using the internet, you need to enable the public endpoint of the Azure Storage Account and configure the storage firewall to allow access from specific public IP addresses

    Private Endpoint: If you're using a private endpoint, make sure it is correctly configured. The service principal must have the necessary permissions to access the storage account via the private endpoint. You can refer to the Azure documentation on how to connect to a storage account using a private endpoint

    Service Principal Permissions: Verify that the service principal has the correct permissions. The Storage Blob Data Contributor role should be sufficient, but ensure there are no additional restrictions or policies affecting access

    Firewall Rules: Check the firewall rules on the storage account to ensure they allow access from the selected network. Make sure there are no conflicting rules that might be blocking access

    By following these steps, you should be able to configure your service principal to access the private storage container from your on-premises Splunk instance. If you encounter any issues, double-check the network configuration, permissions, and firewall rules to ensure everything is set up correctly.

    Additional information : To access a private Azure storage container from an on-premise Splunk instance using a service principal, you need to configure the Splunk add-on for Microsoft Cloud Services, create a service principal with appropriate permissions on the storage account in Azure, and then use the service principal credentials within the Splunk add-on to access the private container data
    Authorize access to blobs using Microsoft Entra ID
    Splunking Microsoft Cloud Data
    You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details)). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.

    Please let us know if you have any further queries. I’m happy to assist you further.     


    Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.