Azure Storage - Allowed Microsoft Service when Firewall is set

Jorge Rodrigues 181 Reputation points
2020-06-19T12:04:11.66+00:00

Hello all,

I am trying to connect a public logic app (not ISE environment) to a storage account that is restricted to a Vnet.
According to the Storage account documentation access should be possible using a system managed identity.

However I just tried in 3 different subscriptions and the result is always the same:

{
"status": 403,
"message": "This request is not authorized to perform this operation.\r\nclientRequestId: 2ada961e-e4c5-4dae-81a2-520397f277a6",
"error": {
"message": "This request is not authorized to perform this operation."
},
"source": "azureblob-we.azconn-we-01.p.azurewebsites.net"
}

Already provided access with different IAM roles, including owner. This feels like the service that should be allowed according to the documentation is not being allowed.

The Allow trusted Microsoft services... setting also allows a particular instance of the below services to access the storage account, if you explicitly assign an RBAC role to the system-assigned managed identity for that resource instance. In this case, the scope of access for the instance corresponds to the RBAC role assigned to the managed identity.

Azure Logic Apps Microsoft.Logic/workflows Enables logic apps to access storage accounts

https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security#exceptions

What am I doing wrong?

Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
2,940 questions
Azure Logic Apps
Azure Logic Apps
An Azure service that automates the access and use of data across clouds without writing code.
2,994 questions
{count} votes

4 answers

Sort by: Most helpful
  1. Sumarigo-MSFT 45,491 Reputation points Microsoft Employee
    2020-06-23T07:15:14.567+00:00

    @rodjorge Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused.

    Can you try to provide Storage Reader role and also Storage Contributor role and check for the status. If the issue still persist, I would recommend please reach to me via AZCommunity[AT]microsoft.com with a link to this Issue as well as your subscription ID and please mention "ATTN subm" in the subject field. We would like to work closer with you on this matter.

    Also let me explain How RBAC work, Refer to this link which provides detailed information of RBAC and Permissions.

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please don’t forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    0 comments No comments

  2. kiwi_cam 1 Reputation point
    2020-07-05T22:11:30.19+00:00

    I'm in the same situation now. I've tried adding Storage Account Contributor for the Logic App identity and I'm still getting the same error. The only way I can get my Logic App to connect to the storage account is by changing the Storage Account "Firewalls and virtual networks" setting to All access from "All networks".

    The information on the page you reference doesn't appear to work.

    0 comments No comments

  3. Jim Copeland 1 Reputation point
    2021-02-04T21:17:03.813+00:00

    I am having the same problem. I moved one of our storage accounts to a private network and now my logic apps won't work. I granted the Logic App managed identities access to the storage account and they are both on the same subscription, but I am still receiving this error.

    Please check your account info and/or permissions and try again. Details: This request is not authorized to perform this operation. clientRequestId: 3a6b5bd4-1d5a-4c00-976a-9c19ac879a32

    Do I need to peer the vNets that the services live on?

    0 comments No comments