Azure Storage - Allowed Microsoft Service when Firewall is set
I am trying to connect a public logic app (not ISE environment) to a storage account that is restricted to a Vnet. According to the Storage account documentation access should be possible using a system managed identity.

However, I just tried in 3 different subscriptions and the result is always the same:

    {
        "status": 403,
        "message": "This request is not authorized to perform this operation.\r\nclientRequestId: 2ada961e-e4c5-4dae-81a2-520397f277a6",
        "error": {
            "message": "This request is not authorized to perform this operation."
        },
        "source": "azureblob-we.azconn-we-01.p.azurewebsites.net"
    }

Already provided access with different IAM roles, including owner. This feels like the service that should be allowed according to the documentation is not being allowed.

The Allow trusted Microsoft services... setting also allows a particular instance of the below services to access the storage account, if you explicitly assign an RBAC role to the system-assigned managed identity for that resource instance. In this case, the scope of access for the instance corresponds to the RBAC role assigned to the managed identity.

Azure Logic Apps (Microsoft.Logic/workflows): Enables logic apps to access storage accounts

https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security#exceptions

What am I doing wrong?

Added screenshots:

https://i.sstatic.net/CfwJK.png

https://i.sstatic.net/tW7k9.png

https://i.sstatic.net/Lxyqd.png

https://i.sstatic.net/Sp7ZV.png

https://i.sstatic.net/Hp9JG.png

https://i.sstatic.net/rRbau.png

Oppose answered 19/6, 2020 at 13:36 Comment(0)

For authenticating access to Azure resources by using managed identities in Azure Logic Apps, you could follow the document. Azure Logic Apps should be registered in the same subscription as your storage account. If you want to access a blob in an Azure Storage container, you could add the Storage Blob Data Contributor role (used to grant read/write/delete permissions to Blob storage resources) for the Logic App system identity on the storage account.


Update

From your screenshot, I found that you have not used a system-managed identity to design the Create blob logic but are using an API connection.

To validate connecting a public logic app to a storage account with the Allow trusted Microsoft services... setting enabled, you can design your logic using the managed identity with a trigger or action through the Azure portal. To specify the managed identity in a trigger or action's underlying JSON definition, see Managed identity authentication.


For more details, please read these steps in Authenticate access with managed identity.

Nanananak answered 22/6, 2020 at 4:29 Comment(7)
Hello Nancy. I think the address is from the storage account. Regarding the Logic Apps, we are not using ISE. We already enabled the system managed identity on the logic app and provided IAM permission for the logic app on the storage account. I followed the documentation. But for some reason it is not working. - Oppose
Could you show the configuration in your logic app? - Nanananak
I've added the screenshots: i.sstatic.net/CfwJK.png i.sstatic.net/tW7k9.png i.sstatic.net/Lxyqd.png i.sstatic.net/Sp7ZV.png i.sstatic.net/Hp9JG.png i.sstatic.net/rRbau.png - Oppose
Please check my update; if this helps you, please mark it and upvote it, refer here. - Nanananak
Thank you for the reply. I will check it and mark as solved if it succeeds. - Oppose
Is the issue fixed on your side? - Nanananak
Yes. Thank you for the help. I just accepted your answer as the solution. - Oppose
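The JSON form the accepted answer points to, as an added example that is not part of the answer or of Microsoft's documentation: a Logic App definition whose Create blob step is a plain HTTP action authenticated with the workflow's own system-assigned identity (`ManagedServiceIdentity` against the storage audience) instead of the Azure Blob API connection that produced the 403 above. The storage account name, container name, trigger and `x-ms-version` value are placeholders and assumptions; the identity must already hold Storage Blob Data Contributor on the account and the Allow trusted Microsoft services exception must be enabled, as the answer describes.

```json
{
  "definition": {
    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
    "contentVersion": "1.0.0.0",
    "triggers": {
      "Recurrence": {
        "type": "Recurrence",
        "recurrence": { "frequency": "Hour", "interval": 1 }
      }
    },
    "actions": {
      "Create_blob": {
        "type": "Http",
        "inputs": {
          "method": "PUT",
          "uri": "https://<storage-account>.blob.core.windows.net/<container>/@{utcNow('yyyyMMddHHmmss')}.txt",
          "headers": {
            "x-ms-blob-type": "BlockBlob",
            "x-ms-version": "2019-12-12",
            "Content-Type": "text/plain"
          },
          "body": "written by the logic app's system-assigned identity",
          "authentication": {
            "type": "ManagedServiceIdentity",
            "audience": "https://storage.azure.com/"
          }
        },
        "runAfter": {}
      }
    },
    "outputs": {}
  }
}
```

Because the request now originates from the Microsoft.Logic/workflows resource instance itself rather than from the shared connector host named in the error's `source` field, the storage firewall can match it to the trusted-service exception and the RBAC role on the identity.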
