Azure AI Foundry & Azure AI Search - Failed to upload documents to ACS index 'Forbidden'

Dushyant Priyadarshee 161 Reputation points
2025-06-16T21:49:32.8733333+00:00

Following the tutorial - https://learn.microsoft.com/en-us/azure/ai-foundry/tutorials/deploy-chat-web-app

Even though I have performed all the required role assignments, I keep getting the following error at the "Add your data and try the chat model again" section.

[2025-06-16 20:34:11] ERROR    azureml.rag.azureml.rag.embeddings - Failed to upload documents to ACS index due to: Operation returned an invalid status 'Forbidden' (__init__.py:1202)
Traceback (most recent call last):
  File "/azureml-envs/rag-embeddings/lib/python3.9/site-packages/azureml/rag/embeddings/__init__.py", line 1156, in upload_to_index
    index_store.upload_documents(batch)
  File "/azureml-envs/rag-embeddings/lib/python3.9/site-packages/azureml/rag/indexes/index_stores.py", line 147, in upload_documents
    results = self._search_client.upload_documents(documents)
  File "/azureml-envs/rag-embeddings/lib/python3.9/site-packages/azure/search/documents/_search_client.py", line 548, in upload_documents
    results = self.index_documents(batch, **kwargs)
  File "/azureml-envs/rag-embeddings/lib/python3.9/site-packages/azure/core/tracing/decorator.py", line 94, in wrapper_use_tracer
    return func(*args, **kwargs)
  File "/azureml-envs/rag-embeddings/lib/python3.9/site-packages/azure/search/documents/_search_client.py", line 647, in index_documents
    return self._index_documents_actions(actions=batch.actions, **kwargs)
  File "/azureml-envs/rag-embeddings/lib/python3.9/site-packages/azure/search/documents/_search_client.py", line 655, in _index_documents_actions
    batch_response = self._client.documents.index(batch=batch, error_map=error_map, **kwargs)
  File "/azureml-envs/rag-embeddings/lib/python3.9/site-packages/azure/core/tracing/decorator.py", line 94, in wrapper_use_tracer
    return func(*args, **kwargs)
  File "/azureml-envs/rag-embeddings/lib/python3.9/site-packages/azure/search/documents/_generated/operations/_documents_operations.py", line 1202, in index
    raise HttpResponseError(response=response, model=error)
azure.core.exceptions.HttpResponseError: Operation returned an invalid status 'Forbidden'
[2025-06-16 20:34:11] ERROR    azureml.rag.update_acs.update_acs - ActivityCompleted: Activity=update_acs, HowEnded=Failure, Duration=7239.85 [ms], Exception=HttpResponseError (activity.py:127)
[2025-06-16 20:34:11] ERROR    azureml.rag.update_acs - Failed to update ACS index (update_acs.py:429)
[2025-06-16 20:34:12] ERROR    azureml.rag.update_acs.update_acs - ServiceError: intepreted error = Rag system error, original error = Operation returned an invalid status 'Forbidden' (exceptions.py:124)
[2025-06-16 20:34:17] ERROR    azureml.rag.update_acs.update_acs - update_acs failed with exception: Traceback (most recent call last):
  File "/azureml-envs/rag-embeddings/lib/python3.9/site-packages/azureml/rag/tasks/update_acs.py", line 465, in main_wrapper
    map_exceptions(main, activity_logger, args, logger, activity_logger)
  File "/azureml-envs/rag-embeddings/lib/python3.9/site-packages/azureml/rag/utils/exceptions.py", line 126, in map_exceptions
    raise e
  File "/azureml-envs/rag-embeddings/lib/python3.9/site-packages/azureml/rag/utils/exceptions.py", line 118, in map_exceptions
    return func(*func_args, **kwargs)
  File "/azureml-envs/rag-embeddings/lib/python3.9/site-packages/azureml/rag/tasks/update_acs.py", line 456, in main
    raise e
  File "/azureml-envs/rag-embeddings/lib/python3.9/site-packages/azureml/rag/tasks/update_acs.py", line 420, in main
    create_index_from_raw_embeddings(
  File "/azureml-envs/rag-embeddings/lib/python3.9/site-packages/azureml/rag/tasks/update_acs.py", line 336, in create_index_from_raw_embeddings
    emb.upload_to_index(
  File "/azureml-envs/rag-embeddings/lib/python3.9/site-packages/azureml/rag/embeddings/__init__.py", line 1156, in upload_to_index
    index_store.upload_documents(batch)
  File "/azureml-envs/rag-embeddings/lib/python3.9/site-packages/azureml/rag/indexes/index_stores.py", line 147, in upload_documents
    results = self._search_client.upload_documents(documents)
  File "/azureml-envs/rag-embeddings/lib/python3.9/site-packages/azure/search/documents/_search_client.py", line 548, in upload_documents
    results = self.index_documents(batch, **kwargs)
  File "/azureml-envs/rag-embeddings/lib/python3.9/site-packages/azure/core/tracing/decorator.py", line 94, in wrapper_use_tracer
    return func(*args, **kwargs)
  File "/azureml-envs/rag-embeddings/lib/python3.9/site-packages/azure/search/documents/_search_client.py", line 647, in index_documents
    return self._index_documents_actions(actions=batch.actions, **kwargs)
  File "/azureml-envs/rag-embeddings/lib/python3.9/site-packages/azure/search/documents/_search_client.py", line 655, in _index_documents_actions
    batch_response = self._client.documents.index(batch=batch, error_map=error_map, **kwargs)
  File "/azureml-envs/rag-embeddings/lib/python3.9/site-packages/azure/core/tracing/decorator.py", line 94, in wrapper_use_tracer
    return func(*args, **kwargs)
  File "/azureml-envs/rag-embeddings/lib/python3.9/site-packages/azure/search/documents/_generated/operations/_documents_operations.py", line 1202, in index
    raise HttpResponseError(response=response, model=error)
azure.core.exceptions.HttpResponseError: Operation returned an invalid status 'Forbidden'
 (update_acs.py:467)
[2025-06-16 20:34:17] ERROR    azureml.rag.update_acs.update_acs - ActivityCompleted: Activity=update_acs, HowEnded=Failure, Duration=14369.32 [ms], Exception=HttpResponseError (activity.py:127)
Traceback (most recent call last):
  File "/azureml-envs/rag-embeddings/lib/python3.9/runpy.py", line 197, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/azureml-envs/rag-embeddings/lib/python3.9/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/azureml-envs/rag-embeddings/lib/python3.9/site-packages/azureml/rag/tasks/update_acs.py", line 499, in <module>
    main_wrapper(args, logger)
  File "/azureml-envs/rag-embeddings/lib/python3.9/site-packages/azureml/rag/tasks/update_acs.py", line 465, in main_wrapper
    map_exceptions(main, activity_logger, args, logger, activity_logger)
  File "/azureml-envs/rag-embeddings/lib/python3.9/site-packages/azureml/rag/utils/exceptions.py", line 126, in map_exceptions
    raise e
  File "/azureml-envs/rag-embeddings/lib/python3.9/site-packages/azureml/rag/utils/exceptions.py", line 118, in map_exceptions
    return func(*func_args, **kwargs)
  File "/azureml-envs/rag-embeddings/lib/python3.9/site-packages/azureml/rag/tasks/update_acs.py", line 456, in main
    raise e
  File "/azureml-envs/rag-embeddings/lib/python3.9/site-packages/azureml/rag/tasks/update_acs.py", line 420, in main
    create_index_from_raw_embeddings(
  File "/azureml-envs/rag-embeddings/lib/python3.9/site-packages/azureml/rag/tasks/update_acs.py", line 336, in create_index_from_raw_embeddings
    emb.upload_to_index(
  File "/azureml-envs/rag-embeddings/lib/python3.9/site-packages/azureml/rag/embeddings/__init__.py", line 1156, in upload_to_index
    index_store.upload_documents(batch)
  File "/azureml-envs/rag-embeddings/lib/python3.9/site-packages/azureml/rag/indexes/index_stores.py", line 147, in upload_documents
    results = self._search_client.upload_documents(documents)
  File "/azureml-envs/rag-embeddings/lib/python3.9/site-packages/azure/search/documents/_search_client.py", line 548, in upload_documents
    results = self.index_documents(batch, **kwargs)
  File "/azureml-envs/rag-embeddings/lib/python3.9/site-packages/azure/core/tracing/decorator.py", line 94, in wrapper_use_tracer
    return func(*args, **kwargs)
  File "/azureml-envs/rag-embeddings/lib/python3.9/site-packages/azure/search/documents/_search_client.py", line 647, in index_documents
    return self._index_documents_actions(actions=batch.actions, **kwargs)
  File "/azureml-envs/rag-embeddings/lib/python3.9/site-packages/azure/search/documents/_search_client.py", line 655, in _index_documents_actions
    batch_response = self._client.documents.index(batch=batch, error_map=error_map, **kwargs)
  File "/azureml-envs/rag-embeddings/lib/python3.9/site-packages/azure/core/tracing/decorator.py", line 94, in wrapper_use_tracer
    return func(*args, **kwargs)
  File "/azureml-envs/rag-embeddings/lib/python3.9/site-packages/azure/search/documents/_generated/operations/_documents_operations.py", line 1202, in index
    raise HttpResponseError(response=response, model=error)
azure.core.exceptions.HttpResponseError: Operation returned an invalid status 'Forbidden'


If I change the connection to use the primary key of Azure Search, it works.

Anyone else seen this issue? How did you solve it?


Accepted answer
  1. JAYA SHANKAR G S 4,035 Reputation points Microsoft External Staff Moderator
    2025-06-18T09:12:48+00:00

    Hello @Dushyant Priyadarshee ,

    The error is because of role assignments or access control for the search service. Here are the things you can check.

    I believe that in your hub project you set the AI Search connection to AAD (Microsoft Entra ID) authentication, like below. If not, please add details such as where you enabled managed identity while adding the data source in the chat playground.

    enter image description here

    Next, you set the access control in the search service to both, like below.

    enter image description here

    Additionally, you need to add roles to yourself; below are the details.

    | Resource | Role | Assignee | Description |
    | --- | --- | --- | --- |
    | Azure AI Search | Search Services Contributor | Developer's Microsoft Entra ID | List API-Keys to list indexes from Azure AI Foundry portal. |
    | Azure AI Search | Search Index Data Contributor | Developer's Microsoft Entra ID | Required for the indexing scenario. |
    | Azure AI services/OpenAI | Cognitive Services OpenAI Contributor | Developer's Microsoft Entra ID | Call public ingestion API from Azure AI Foundry portal. |
    | Azure AI services/OpenAI | Cognitive Services Contributor | Developer's Microsoft Entra ID | List API-Keys from Azure AI Foundry portal. |
    | Azure AI services/OpenAI | Contributor | Developer's Microsoft Entra ID | Allows for calls to the control plane. |
    | Azure Storage Account | Contributor | Developer's Microsoft Entra ID | List Account SAS to upload files from Azure AI Foundry portal. |
    | Azure Storage Account | Storage Blob Data Contributor | Developer's Microsoft Entra ID | Needed for developers to read and write to blob storage. |
    | Azure Storage Account | Storage File Data Privileged Contributor | Developer's Microsoft Entra ID | Needed to Access File Share in Storage for Promptflow data. |
    | The resource group or Azure subscription where the developer needs to deploy the web app to | Contributor | Developer's Microsoft Entra ID | Deploy web app to the developer's Azure subscription. |

    After assigning these roles, try to add the data source. I can confirm from my end that it is working fine after following the above steps, along with assigning roles to the Azure OpenAI managed identity.

    Do let us know in the comments if you face any error or have any query.

    Thank you
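
An added example, not part of the original answer or of any Microsoft tooling: a check of one principal's role assignments against the roles listed in the answer's table, honouring the downward inheritance of Azure RBAC scopes. The subscription, resource and principal IDs and the assignment list are constructed placeholders; the dict fields are the ones `az role assignment list -o json` emits.

```python
# Roles from the answer's table, grouped by resource kind (the kind keys are this example's own labels).
REQUIRED = {
    "search": {"Search Services Contributor", "Search Index Data Contributor"},
    "openai": {"Cognitive Services OpenAI Contributor",
               "Cognitive Services Contributor", "Contributor"},
    "storage": {"Contributor", "Storage Blob Data Contributor",
                "Storage File Data Privileged Contributor"},
}

def covers(assignment_scope, resource_id):
    """Azure RBAC is inherited downward: an assignment applies at its scope and below.
    Compare on a path boundary so 'rg-demo' does not match 'rg-demo-prod'."""
    a = assignment_scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    return r == a or r.startswith(a + "/")

def missing_roles(assignments, principal_id, resources):
    """Return {kind: [missing role names]} for one principal.
    assignments: dicts carrying principalId / roleDefinitionName / scope."""
    gaps = {}
    for kind, resource_id in resources.items():
        held = {a["roleDefinitionName"] for a in assignments
                if a["principalId"] == principal_id and covers(a["scope"], resource_id)}
        if REQUIRED[kind] - held:
            gaps[kind] = sorted(REQUIRED[kind] - held)
    return gaps

# --- constructed sample data (placeholder IDs, not from the page) ---
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-demo-prod"
RESOURCES = {
    "search": RG + "/providers/Microsoft.Search/searchServices/srch-demo",
    "openai": RG + "/providers/Microsoft.CognitiveServices/accounts/aoai-demo",
    "storage": RG + "/providers/Microsoft.Storage/storageAccounts/stdemo",
}
DEV = "11111111-1111-1111-1111-111111111111"
def _ra(role, scope, principal=DEV):
    return {"principalId": principal, "roleDefinitionName": role, "scope": scope}
SAMPLE = [
    _ra("Contributor", RG),                                   # inherited by all three
    _ra("Search Services Contributor", RESOURCES["search"]),
    _ra("Search Index Data Contributor", SUB + "/resourceGroups/rg-demo"),  # wrong RG
    _ra("Cognitive Services OpenAI Contributor", RESOURCES["openai"]),
    _ra("Cognitive Services Contributor", RESOURCES["openai"]),
    _ra("Storage Blob Data Contributor", RESOURCES["storage"]),
    _ra("Storage File Data Privileged Contributor", SUB),     # inherited from subscription
]

if __name__ == "__main__":
    print(missing_roles(SAMPLE, DEV, RESOURCES))
```

Run the same check for each identity that takes part in ingestion; the answer mentions assigning roles to the Azure OpenAI managed identity as well as to the developer.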

