Unable to index blob storage data with a search service

Ben Lister 20 Reputation points
2025-06-19T05:28:17.3333333+00:00

Following https://github.com/Azure-Samples/azure-search-python-samples/blob/main/Tutorial-RAG/Tutorial-rag.ipynb

I've set up my Azure AI Search service, and added its managed identity as a role assignment to the blob storage account under Storage Blob Data Reader.

I've also added the search service managed identity as a role assignment to my Azure AI Foundry resource under Cognitive Services OpenAI User.

Following the code in the Python notebook everything works until this line:

# Create and run the indexer  
indexer_client = SearchIndexerClient(endpoint=AZURE_SEARCH_SERVICE, credential=credential)
indexer_result = indexer_client.create_or_update_indexer(indexer)

This fails with the following error (404 error code):
Unable to retrieve blob container for account '0843storage' using your managed identity. Ensure the resource ID is correct for this account.


Accepted answer
  1. Nandamuri Pranay Teja 3,610 Reputation points Microsoft External Staff Moderator
    2025-06-19T07:39:12.7533333+00:00

    Hello Ben Lister

    Thank you for your question!

    The error notification explicitly mentions '0843storage'. This refers to your storage account name. Please verify that the complete resource ID or the accurate storage account name is utilized in your Azure AI Search Data Source definition within the Python code.

    data_source = SearchIndexerDataSourceConnection(
        name="my-datasource",
        type="azureblob",
        connection_string=None,  # Set to None if using managed identity
        container=SearchIndexerDataContainer(name="my-container"),
        identity=SearchIndexerDataIdentity(type="managedIdentity")
    )
    
    1. connection_string is set to None (since you’re using managed identity).
    2. The container name matches the actual container in 0843storage.
    3. The identity is correctly set to use the managed identity.
    4. If a connection string is mistakenly provided, remove it to force the use of the managed identity.
    5. Double-check the storage account name (0843storage) in the indexer’s data source configuration. Ensure it’s correct and matches the resource ID format: /subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Storage/storageAccounts/0843storage.

    After that, navigate to your Storage Account (the one named 0843storage).

    • On the "Overview" blade of your storage account, you'll see "Resource ID" and "Storage account name."
    • Confirm the name 0843storage is exact. Typos are common.
    • Check how you're constructing the data source connection string or resource ID in your Python code for the indexer. Your data source definition should typically look something like this (if using AzureBlobStorageDataStoreParameters with managed identity):
    • Make sure the container name (your-container-name) is also absolutely correct and exists within the 0843storage account. A 404 might mean the container doesn't exist or isn't accessible, not just the account.

    You've assigned Storage Blob Data Reader, which is generally correct for reading. However, let's re-verify the scope and ensure propagation.

    • Confirm Azure AI Search Managed Identity is System-Assigned:
      1. Go to your Azure AI Search service in the Azure portal.
      2. In the left-hand menu, under "Settings", select "Identity".
      3. Ensure "System assigned" status is On. Note the Object ID of this managed identity.

    You see the role assignment for Storage Blob Data Reader. The Scope for this assignment is either the Storage Account itself (0843storage) or, even better, the specific Blob Container you are trying to index (e.g., your-container-name within 0843storage). If the scope is a broader resource group or subscription, ensure there are no conflicting "Deny" assignments that might inadvertently block access at a lower level.

    Also check Azure AI Search Diagnostic Logs for more detailed error messages from the Azure AI Search service itself:

      1. Go to your Azure AI Search service in the Azure portal.
      2. In the left-hand menu, under "Monitoring", select "Diagnostic settings".
      3. Click "+ Add diagnostic setting". Give it a name.
      4. Under "Logs", select "allLogs".
      5. Choose a destination (e.g., "Send to Log Analytics workspace" or "Archive to a storage account").
      6. Save the diagnostic setting.

    Once logs start flowing (can take a few minutes), query the destination (e.g., Log Analytics workspace) for events related to your indexer creation. Look for messages from the AzureDiagnostics table where ResourceProvider == "MICROSOFT.SEARCH". These logs might provide a more specific internal error code or message from the Search service.

    Hope the above answer helps! Please let us know if you have any further queries.


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

    1 person found this answer helpful.

1 additional answer

  1. Alex Burlachenko 9,780 Reputation points
    2025-06-19T07:37:21.52+00:00

    hi Ben, thanks for posting your question here ))

    first off, sounds like u've done most things right with the managed identity setup. good job! but that pesky 404 is annoying, right? So, check if the managed identity of your search service has 'storage blob data reader' role on the blob container level, not just the storage account. sometimes it gets missed )) here's the exact doc from microsoft that explains it https://learn.microsoft.com/en-us/azure/search/search-howto-managed-identities-storage. also, make sure the container name in your indexer matches exactly what's in blob storage. azure can be picky about uppercase/lowercase letters )

    Try refreshing the credentials in your indexer. sometimes the token just needs a kick to start working. u can do this in the azure portal under the indexer settings.

    if u're dealing with permissions, always check the hierarchy. does the identity have access at the right level? this might help in other tools too. also worth looking into - sometimes network rules or firewalls block access. as well check this in your storage account settings under 'networking'.

    microsoft really made their search service powerful but yeah, it needs all pieces to align )) keep us posted if this helps! if not, we'll dig deeper. happy coding :))

    ps. if u're using python, maybe add a quick try-except block to catch the error details. could give u more clues! tiny example of...

    try:
        indexer_result = indexer_client.create_or_update_indexer(indexer)
    except Exception as e:
        print(f"oops! {str(e)}")
    
    
    

    let us know how it goes %)

    rgds,

    Alex
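
An offline pre-flight check for the two values both answers point at, the storage account resource ID and the container name. This is an added example, not code from either answer or from the tutorial notebook. It assumes the data source uses the `ResourceId=...;` connection-string form for managed identity; `check_blob_datasource` is a hypothetical helper, and the subscription ID and resource group are constructed placeholders.

```python
import re

# Assumed managed-identity form of the data source connection string:
#   ResourceId=/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<name>;
RESOURCE_ID_RE = re.compile(
    r"^ResourceId=/subscriptions/(?P<sub>[0-9a-f-]{36})"
    r"/resourceGroups/(?P<rg>[^/;]+)"
    r"/providers/Microsoft\.Storage/storageAccounts/(?P<account>[^/;]+)/?;?$",
    re.IGNORECASE,  # ARM resource IDs are compared case-insensitively
)
ACCOUNT_RE = re.compile(r"^[a-z0-9]{3,24}$")  # storage account naming rule
CONTAINER_RE = re.compile(r"^(?!.*--)[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$")  # container naming rule

# Constructed sample value: placeholder subscription ID and resource group.
GOOD = ("ResourceId=/subscriptions/00000000-0000-0000-0000-000000000000"
        "/resourceGroups/example-rg/providers/Microsoft.Storage"
        "/storageAccounts/0843storage;")

def check_blob_datasource(connection_string, container, expected_account):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    conn = (connection_string or "").strip()
    lowered = conn.lower()
    if "accountkey=" in lowered or "sharedaccesssignature=" in lowered:
        problems.append("connection string embeds a key or SAS, so managed identity is not used")
    m = RESOURCE_ID_RE.match(conn)
    if not m:
        problems.append("connection string is not a ResourceId=/subscriptions/... value")
    else:
        account = m.group("account")
        if not ACCOUNT_RE.match(account):
            problems.append(f"account name {account!r} is not 3-24 lowercase letters/digits")
        if account.lower() != expected_account.lower():
            problems.append(f"resource ID names account {account!r}, expected {expected_account!r}")
    if not CONTAINER_RE.match(container or ""):
        problems.append(f"container name {container!r} is not a valid lowercase container name")
    return problems

if __name__ == "__main__":
    for container in ("my-container", "My-Container"):
        print(container, check_blob_datasource(GOOD, container, "0843storage"))
```

An empty result only means the strings are well-formed and consistent; the role assignment scope and the storage account's network rules still have to be checked in Azure.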

