Azure app service unable to upload/download from storage account using managed identity RRS feed

  • Question

  • We have a an Azure app service for which we turned on the managed identity and granted it's service principle storage blob data owner and storage blob data contributor roles in the storage account at the container level but still get the error below. The roles were first assigned at the blob container level only then we assigned it at the storage account level but still the same error. Only after turning the network and firewall settings for the storage account to allow all network are we able to upload and download using the app service.Please advise if we are missing something in terms of setup of managed identity,RBAC roles,network or storage account itself. An individual user can upload/download but the app service is not able to perform this operation with the same roles unless the firewall settings is changed to allow all networks.Appreciate any suggestions!

    For managed identity we just changed the system managed identity to 'ON' and have not done anything other that that. Is that all you need to assign access to the storage account?

    This request is not authorized to perform this operation.\r\n Source Trace: at Microsoft.WindowsAzure.Storage.Core.Executor.Executor.ExecuteAsyncInternal[T](RESTCommand`1 cmd, IRetryPolicy policy, OperationContext operationContext, CancellationToken token)\r\n at Microsoft.WindowsAzure.Storage.Blob.CloudBlob.DownloadRangeToStreamAsync(Stream target, Nullable`1 offset, Nullable`1 length, AccessCondition accessCondition, BlobRequestOptions options, OperationContext operationContext, IProgress`1 progressHandler, CancellationToken cancellationToken

    Tuesday, May 12, 2020 8:22 PM

All replies

  • Thanks for posting a good question.
    There are a few limitations of Azure Storage with App Service today, please check these below: 

    • Azure Storage with App Service supports mounting Azure Files containers (Read / Write) and Azure Blob containers (Read Only). When you use BYOS with App Service on Linux or Web App for Containers, we mount blob storage as read only If you wish to read/write, then you'll need to use Azure Files and not Azure Blob storage.
    • Azure Storage with App Service doesn't support using the Storage Firewall configuration because of infrastructure limitations.

     Kindly refer this document Configure Azure Files in a Windows Container on App Service for additional details on this. 

    Additionally, in regards to RBAC permissions to Manage identity on a Resource. 

    • System-assigned managed identity: You need write permissions over the resource. Example- Storage account contributor role. 
    • User-assigned managed identity: You need write permissions over the resource. In addition to Managed Identity Operator role assignment over the managed identity.
    Wednesday, May 13, 2020 6:54 AM
  • Just following-up to keep you posted.

    We're migrating from MSDN to Microsoft Q&A as our new forums and Azure WebApps has already made the move!
    In future, you can ask and look for the discussion for Azure WebApps related questions on the respective forums: 
     Since this thread did not land in the right forum it would be moved to the appropriate forum.

    We are actively working to onboard remaining Azure services on Microsoft Q&A.
    We will make a public announcement once complete. 
    Want to Learn more about new platform, see Microsoft Q&A Getting Started: 

    Wednesday, May 13, 2020 6:57 AM
  • Thanks for your response Ajay.

    We are not trying to mount the storage directly for this app service. We are using the app service to go and upload/download blob from a specific storage account in Azure. Are these two scenarios the same thing and will the limitations you provided for Blob and storage firewall apply in both scenarios? In our latest test we are able to upload and download from the blob container when we publish code to the app service in Azure from visual studio.Managed identity is turned on for the App service in Azure and storage blob data owner and storage blob data contributor roles have assigned for this app service to the storage account.  We can only do this when the network and firewall settings are set to "All Network"  but when we change to "selected network" it stops working even though Allow trusted Microsoft services to access this storage account is checked under exceptions for selected network. Please Advise.

    Wednesday, May 13, 2020 5:08 PM
  • Hi-Appreciate if you can provide some more feedback on my reply.

    Also I can't seem to find this thread in the new forum.

    Thursday, May 14, 2020 3:34 PM
  • Apologies for the delay!
    Thanks for sharing additional details. With the scenario you outlined, as mentioned in the limitation, the issue is due to "Azure Storage with App Service doesn't support using the Storage Firewall configuration because of infrastructure limitations." - Services in Azure do not talk to storage via the outbound IPs, it uses the Azure backbone. 

    In regards to platform Microsoft Q&A info, I was just mentioning that, for any future questions on Azure WebApps, you can post them on the new platform (forum). For this instance/thread, I will be more than happy to continue to assist you on your issue here on MSDN only.

    If you have any further questions on this please let us know we would be happy to assist you (here).

    Thanks for your reply and co-operation.

    Thursday, May 14, 2020 9:06 PM
  • Thanks Again,

    So I assume our scenario is not the case of mounting the storage to the App service but using Storage as a client. Even with the storage firewall limitation(when set to All Network) it seems like you still need authentication and authorization through Azure AD and RBAC  for both managed identity enabled resources (App service and any other) and individual users/groups in our Azure AD that want to upload/download/list/copy from a blob container as the Public access level for blob container is set to private access. With this in mind is this kind of setup not secure? Can you suggest security vulnerabilities in allowing *All network access* instead of selected networks to storage account to be used by App services and other services running in azure to store and retrieve content from Blob containers. Also with this storage firewall limitation it seems like multiple resources (running in a Vnet or On Prem) and PAAS resources like azure app services cannot use the same storage account then? Appreciate your time!

    Trusted Microsoft services

    Some Microsoft services operate from networks that can't be included in your network rules. You can grant a subset of such trusted Microsoft services access to the storage account, while maintaining network rules for other apps. These trusted services will then use strong authentication to connect to your storage account securely. We've enabled two modes of trusted access for Microsoft services.

    • Resources of some services, when registered in your subscription, can access your storage account in the same subscription for select operations, such as writing logs or backup.
    • Resources of some services can be granted explicit access to your storage account by assigning an RBAC role to its system-assigned managed identity.

    Is assigning a RBAC role to the system-assigned managed identity for App service to the storage account or blob container not considered trusted access to microsoft services?

    None of these docs talk about the network or firewall limitations when using managed identity enabled services combined with Azure AD to use or access storage? Is this then considered a safe option with the network firewall rule set to *All Networks* ?



    • Edited by Mohdzk Sunday, May 17, 2020 7:46 PM
    Sunday, May 17, 2020 7:09 PM
  • Appreciate if you can respond to my newest reply on this topic.
    Monday, May 18, 2020 4:15 PM
  • Please accept my apologies for the late response. I just saw your response today.

    If your scenario is to reference storage in your code, you can leverage VNET integration to securely connect to storage using service endpoints. This document outlines that scenario.

    Only if you’re calling storage in your code. Options like diagnostic logs or function related storage accounts do not support storage firewalls. Just to highlight for some clarification, MSI is related to authentication and authorization whereas Firewall is for restricting access from storage from an IP perspective. RBAC is used for management access, it’s not used to manage access to the specific files on the Storage account.

    Kindly refer the document to know on how to authorize requests made by a managed identity to the Azure Blob, see Authorize access to blobs and queues with Azure Active Directory and managed identities for Azure Resourcesand for managed identities in Azure AD, see Managed identities for Azure resources.

    Kindly let us know if you still have more questions on this. I wish to engage with you offline for a closer look and provide a quick and specialized assistance, please send an email with subject line “Attn:Ajay” to AzCommunity[at]Microsoft[dot]com referencing this thread and the Azure subscription ID, I will follow-up with you.  Once again, apologies for any inconvenience with this issue.
    Thanks for your patience and co-operation.

    Tuesday, May 19, 2020 8:25 PM
  • Any update on this?

    If the proposed answer was useful please remember to "Upvote" and "Mark as Answer"

    Wednesday, May 27, 2020 8:06 AM
  • Is there any update on the issue?

    If the suggested answer helped for your issue, do click on "Mark as Answer" and “Vote as Helpful” on the post that helps you, this can be beneficial to other community members.

    Thursday, June 4, 2020 4:01 PM