Azure Blob Storage Access in App Service

Hassan Kaleem 45 Reputation points
2024-07-29T09:02:47.5833333+00:00

I am getting this error when I am trying to upload data to blob through my App Service POST API.
Locally, my data is being uploaded using the POST API.

But after the deployment of the project it is not able to access the blob storage and is giving me an Unauthorized error; all the IPs are whitelisted in the Storage Account.
Here is the full error:

Internal server error: This request is not authorized to perform this operation.
RequestId:06b37250-a01e-006f-0794-e1c26c000000
Time:2024-07-29T08:54:06.1468173Z
Status: 403 (This request is not authorized to perform this operation.)
ErrorCode: AuthorizationFailure

Content:
<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationFailure</Code><Message>This request is not authorized to perform this operation.
RequestId:06b37250-a01e-006f-0794-e1c26c000000
Time:2024-07-29T08:54:06.1468173Z</Message></Error>

Headers:
Vary: Origin
Server: Microsoft-HTTPAPI/2.0
x-ms-request-id: 06b37250-a01e-006f-0794-e1c26c000000
x-ms-client-request-id: 7013b445-902a-45cf-a92f-251d26df9b7d
x-ms-error-code: AuthorizationFailure
Date: Mon, 29 Jul 2024 08:54:05 GMT
Content-Length: 246
Content-Type: application/xml

3 answers

  1. Amrinder Singh 5,155 Reputation points Microsoft Employee
    2024-07-29T09:32:51.5666667+00:00

    Hi Hassan Kaleem - Thanks for reaching out over Q&A Forum.

    A quick isolation test will be to test with access to all the networks. If it works, then the call is getting blocked on Networking level.

    Now, if the App Service and Storage account are in the same region, then the call might tend to happen via the internal backbone (Private IP). In that case, I would recommend putting your app service in a VNET and then whitelisting the VNET on the storage account level.

    Hope that helps!

    Please let me know if there are any further queries/concerns, will be glad to assist.


    Please do not forget to “Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.


  2. Hassan Kaleem 45 Reputation points
    2024-07-29T13:34:17.8766667+00:00

    I created a VNet instance and added the VNet in the app service, and gave the VNet access in the storage account; the issue still exists.


  3. Nehruji R 6,966 Reputation points Microsoft Vendor
    2024-07-30T11:59:26.48+00:00

    Hello Hassan Kaleem,

    Greetings! Welcome to Microsoft Q&A Platform.

    I understand that when you try to upload data to blob through the App Service POST API you are receiving the 403 error with the message “This request is not authorized to perform this operation”. The error code AuthorizationFailure typically indicates that the request lacks the necessary permissions to access the resource or the access restrictions on the blob storage are preventing the APIs from accessing the storage.

    To resolve this issue, you can authorize access to the blob storage using Azure Active Directory. With Azure AD, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user, group, or application service principal. The security principal is authenticated by Azure AD to return an OAuth 2.0 token. The token can then be used to authorize a request against the Blob service.

    See: https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory

    https://learn.microsoft.com/en-us/azure/storage/blobs/assign-azure-role-data-access?tabs=portal

    Ensure that the outbound IP addresses of your APIs are correctly added to the firewall settings of the storage account. Verify that the IP addresses match the ones used by the APIs. It's possible that the IP addresses have changed or were not added correctly.

    1. Double-check the access restrictions settings on the storage account. Ensure you have enabled access from selected virtual networks and IP addresses, and that the correct IP addresses or IP ranges are added.
    2. Check if any other network security groups or firewalls could be blocking the traffic between the APIs and the storage account. Review the network configuration for both the APIs and the storage account to ensure there are no conflicting rules.
    3. Verify that the identity used by both the APIs and the storage account has the necessary permissions to access the blob storage. Ensure that the identity is correctly configured and has the appropriate roles or access policies assigned.
    4. Check if you have added a firewall exception on the storage with the IP of the app service even though the "Allow trusted Microsoft services to access this storage account" was checked.
    5. Make sure the credentials or token you used have the necessary permissions to perform the requested operation. Check whether the token is valid or has expired, and regenerate the token if necessary.

    If you are using a virtual network (vNet) with service endpoints for the storage account, ensure that the vNet and the APIs are properly configured to allow traffic between them. Check if any network security groups or route tables are blocking the communication.

    Review the logs and diagnostics of both the APIs and the storage account to gather more information about the error and identify any potential issues.

     

    Here is the doc for your reference: https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#trusted-access-for-resources-registered-in-your-subscription.

     

    Similar posts: https://learn.microsoft.com/en-us/answers/questions/1630959/azure-blob-storage-not-connecting-with-app-service, https://learn.microsoft.com/en-us/answers/questions/895845/app-service-cannot-write-to-blob-storage.

    Hope this answer helps! Please let us know if you have any further queries. I’m happy to assist you further.

    Please “Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

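The network checks discussed in the answers above can be run offline against exported settings. This is an added example, not code from any of the posts: it assumes the JSON shape returned by `az storage account show --query networkRuleSet` and the comma-separated string from `az webapp show --query possibleOutboundIpAddresses`; the function name, verdict strings, IPs, regions and subnet ID are constructed for illustration.

```python
import ipaddress

# Constructed sample in the shape of `az storage account show --query networkRuleSet`.
RULE_SET = {
    "defaultAction": "Deny",
    "bypass": "AzureServices",
    "ipRules": [
        {"action": "Allow", "ipAddressOrRange": "203.0.113.10"},
        {"action": "Allow", "ipAddressOrRange": "198.51.100.0/24"},
    ],
    "virtualNetworkRules": [],
}
# Constructed value in the shape of `az webapp show --query possibleOutboundIpAddresses`.
OUTBOUND = "203.0.113.10,198.51.100.7,192.0.2.44"
# Constructed resource ID of the subnet used for App Service VNet integration.
SUBNET = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
          "/providers/Microsoft.Network/virtualNetworks/vnet-demo/subnets/app")


def diagnose(rule_set, app_region, storage_region, outbound_csv, subnet_id=None):
    """Return (verdict, uncovered_ips) for an App Service calling a storage account."""
    if rule_set.get("defaultAction") == "Allow":
        # All networks allowed: a 403 is not caused by the firewall; check identity/roles.
        return ("firewall-open", [])
    # VNet rules are keyed by subnet resource ID; ARM IDs compare case-insensitively.
    vnet_ids = {r["virtualNetworkResourceId"].lower()
                for r in rule_set.get("virtualNetworkRules", [])}
    if subnet_id and subnet_id.lower() in vnet_ids:
        return ("allowed-by-vnet-rule", [])
    if app_region.lower() == storage_region.lower():
        # Same-region calls do not arrive from the app's public outbound IPs,
        # so IP rules cannot match them; a VNet rule is needed instead.
        return ("same-region-ip-rules-ignored", [])
    allowed = [ipaddress.ip_network(r["ipAddressOrRange"], strict=False)
               for r in rule_set.get("ipRules", [])]
    ips = [ip.strip() for ip in outbound_csv.split(",") if ip.strip()]
    missing = [ip for ip in ips
               if not any(ipaddress.ip_address(ip) in net for net in allowed)]
    return ("missing-ip-rules", missing) if missing else ("allowed-by-ip-rules", [])


if __name__ == "__main__":
    print(diagnose(RULE_SET, "westeurope", "westeurope", OUTBOUND))
    print(diagnose(RULE_SET, "northeurope", "westeurope", OUTBOUND))
```

A verdict of `allowed-by-vnet-rule` or `firewall-open` alongside a continuing 403 points away from the firewall and toward the role assignment of the identity the app uses.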
