question

0 Votes
SumanthMarigowda-MSFT asked SumanthMarigowda-MSFT edited

Authorization Failure of Storage account by Shared access signature


The user is trying to connect to Azure storage using the following SAS token from Azure VM <..IP..> but receives permission errors.
The user also noticed that the Azure VM IP changed to <..IP...> while accessing the storage account.



Note: This question is being posted as part of an internal effort at Microsoft to share emerging content with the community. A Microsoft employee will be following up with an answer shortly. If you have feedback regarding this issue, we encourage the community to start a discussion in the comments.

azure-storage-accounts

1 Answer

0 Votes
SumanthMarigowda-MSFT answered SumanthMarigowda-MSFT edited

Cause:
If your Azure VM is located in the same region as the storage account, then the “signedIp (sip)” field should not be set to the VM’s IP.
Requests made from within the same region using a SAS with an outbound IP address specified will fail.



Resolution:
- If the client resource is in the Azure environment, and not in the same region as the storage account, then the SAS should not be assigned “signedIp (sip)”, or the requests made from the client will fail.
- If you would like to allow only specific clients to connect to your storage account, you can configure them in the Firewall and virtual network settings.
You may select virtual networks to allow the resources in them to access this storage account.
The “Firewall” section is for “Add IP ranges to allow access from the internet or your on-premises networks”.

For more details on the Networking settings, please refer to the document “Configure Azure Storage firewalls and virtual networks”.


Service SAS - How to specify an IP address or IP range.

More information: For the network routing preference of a storage account, there are two options:

  • Microsoft network routing: Requests between on-premises and the storage account will be routed through the point of presence (POP) of Microsoft that is closest to the client.

  • Internet routing: Requests between on-premises and the storage account will be routed through the point of presence (POP) of Microsoft that is closest to the storage account.

For more information about network routing for storage accounts, please refer to this article.
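
As an added illustration (not part of the original answer and not Microsoft tooling), the Python pre-check below reads the `sip` field from a SAS and reports whether it can match a given caller, including the same-region case described above. The sample SAS, account name, addresses and the `same_region` flag are constructed for this example, and only IPv4 `sip` values are handled.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed sample: placeholder account, documentation-range IPs, dummy signature.
SAMPLE_SAS = ("https://examplestore.blob.core.windows.net/logs/app.txt"
              "?sv=2020-08-04&sp=r&se=2030-01-01T00:00:00Z"
              "&sip=203.0.113.10-203.0.113.20&sig=PLACEHOLDER")


def parse_sip(sip):
    """Return (low, high) for a sip value: one IPv4 address or 'start-end'."""
    start, _, end = sip.partition("-")
    low = ipaddress.IPv4Address(start.strip())
    high = ipaddress.IPv4Address(end.strip()) if end else low
    if high < low:
        raise ValueError(f"sip range is reversed: {sip}")
    return low, high


def check_sas_sip(sas, source_ip, same_region):
    """Return (status, reason) for the sip restriction in a SAS.

    sas         -- full SAS URL or bare query string
    source_ip   -- address the caller expects the storage service to see
    same_region -- True when the caller is an Azure resource in the storage
                   account's region (supplied by the operator, an assumption)
    """
    query = urlsplit(sas).query if "://" in sas else sas.lstrip("?")
    fields = parse_qs(query)
    if "sip" not in fields:
        return "ok", "SAS carries no sip restriction"
    low, high = parse_sip(fields["sip"][0])
    if same_region:
        # Case from the answer above: same-region requests with sip set fail.
        return "fail", ("caller is in the storage account's region; issue the "
                        "SAS without sip and restrict access with firewall "
                        "and virtual network rules instead")
    if low <= ipaddress.IPv4Address(source_ip) <= high:
        return "ok", f"{source_ip} is inside sip {low}-{high}"
    return "fail", f"{source_ip} is outside sip {low}-{high}"


if __name__ == "__main__":
    for ip, same in [("203.0.113.15", False), ("203.0.113.15", True),
                     ("198.51.100.7", False)]:
        print(ip, same, check_sas_sip(SAMPLE_SAS, ip, same))
```
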


