Share via

403 error access blob from azure automation runbook

Arif Usman 496 Reputation points
2025-12-10T02:29:13.68+00:00

folks, I am trying to access blob in storage account from azure automation account runbook and getting following error in runbook.

===============================================

Environments                                                                                           Context
------------                                                                                           -------
{[AzureUSGovernment, AzureUSGovernment], [AzureChinaCloud, AzureChinaCloud], [AzureCloud, AzureCloud]} Microsoft.Azure.…
Get-AzStorageBlob: 
Line |
   3 |  $blob = Get-AzStorageBlob -Container "sqlbackup" -Context $ctx
     |          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | This request is not authorized to perform this operation.
RequestId:8f59929b-d01e-005f-0a74-694c02000000
Time:2025-12-10T01:30:16.3669972Z
Status: 403 (This request is not authorized to perform this operation.)
ErrorCode: AuthorizationFailure
Content:
<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationFailure</Code><Message>This request is not authorized to perform this operation.
RequestId:8f59929b-d01e-005f-0a74-694c02000000
Time:2025-12-10T01:30:16.3669972Z</Message></Error>
Headers:
Server: Microsoft-HTTPAPI/2.0
x-ms-request-id: 8f59929b-d01e-005f-0a74-694c02000000
x-ms-client-request-id: 949743df6eb2-8810656c-3172-4b70-bccc-949743df6eb2
x-ms-error-code: AuthorizationFailure
Date: Wed, 10 Dec 2025 01:30:15 GMT
Content-Length: 246
Content-Type: application/xml
Blob: ctx Microsoft.WindowsAzure.Commands.Storage.AzureStorageContext

==========================================================================================================

this is in the runbook to test

Connect-AzAccount -Identity
$ctx = New-AzStorageContext -StorageAccountName "storageaccountname" -UseConnectedAccount
$blob = Get-AzStorageBlob -Container "sqlbackup" -Context $ctx
Write-Output "Blob:$blob ctx $ctx"

Automation account has system identity enable.

Automation account of manage identity has 'Network Contributor', 'Reader', 'Storage Blob Data Contributor' role access in storage account.

Storage account and Automation have private endpoint (public access is disable). Both resources use same vnet and subnet in same resource group of subscription. Not sure why am I getting 403 error. Manage identity of aa has been given to storage account.

Azure Automation
Azure Automation
An Azure service that is used to automate, configure, and install updates across hybrid environments.
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Q&A Assist
    2025-12-10T02:29:27.0833333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    The 403 error you are encountering when trying to access the Azure Blob Storage from your Azure Automation runbook indicates an authorization failure. Here are some potential causes and solutions to consider:

    1. Network Restrictions: Since both the storage account and the automation account have a private endpoint and public access is disabled, ensure that the Azure Automation runbook is configured to access resources through the virtual network. If the Azure Firewall is enabled on the storage account, it may block access from Azure Automation runbooks. You might need to use a Hybrid Runbook Worker to facilitate this access.
    2. Role Assignments: Although you mentioned that the managed identity of the automation account has the "Storage Blob Data Contributor" role, ensure that this role is assigned at the correct scope (e.g., storage account level). Also, verify that there are no additional role restrictions that might be affecting access.
    3. Run As Account Permissions: If you are using a Run As account, ensure that it has the necessary permissions to access the storage account. The Run As account might not have the same permissions as the managed identity.
    4. Check for IP Restrictions: Ensure that there are no IP address restrictions that could be blocking access to the storage account from the automation account.
    5. Service Endpoint Configuration: Confirm that the service endpoint for Azure Storage is correctly configured in your virtual network settings.

    By reviewing these areas, you should be able to identify the root cause of the 403 error and resolve the issue.

    References:

    0 comments
  2. Sandhya Kommineni 2,810 Reputation points Microsoft External Staff Moderator
    2025-12-10T03:48:23.07+00:00

    Hi Arif Usman,

    Thanks for posting your query in Microsoft Q&A forum

    It looks like you're facing a 403 error when trying to access a blob in your Azure Storage account from an Azure Automation runbook. This error typically indicates an authorization issue, often linked to permissions or network security settings. Let’s go through a few things you can check:

    Steps to Troubleshoot the 403 Error:

    1. Check Role Assignments: Ensure that the managed identity of your Azure Automation account is assigned the correct permissions. For accessing blobs, the roles you should look for include:
      • Storage Blob Data Contributor (for read/write access)
      • Storage Blob Data Reader (for read-only access)
      You can verify this by navigating to the Access control (IAM) section of your storage account in the Azure portal.
    2. Verify Network Configuration: Since your storage account has private endpoints and public access is disabled, try these checks:
      • Confirm that the Azure Automation account is within the same Virtual Network (VNet) as the storage account.
      • Make sure that the appropriate private endpoints are set up correctly and that the necessary endpoints are connected.
    3. Allow Azure Services: If you haven't done so already, enable the option Allow Azure services on the trusted services list to access this storage account in the networking settings of your storage account.
    4. Firewall Settings: If your storage account firewall is enabled, confirm the IP address from which the request is being made is allowed through firewall settings. This includes verifying that Azure Automation is included if you are using this setting.
    5. Use a Hybrid Runbook Worker: If none of the above resolves the issue, consider using a Hybrid Runbook Worker since it allows for more flexible connectivity options, especially in scenarios where network configurations restrict access.

    Reference Links:

    I hope this helps! If you're still running into issues, let me know, and I can help you dig deeper. Would you be able to clarify the following:

    • Have you verified the role permissions for the managed identity?
    • Is the Azure Automation account configured correctly within the same VNet as the storage account?
    • Are there any other network security rules that might be affecting access?

    Let me know!

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.