
.NET application running in a Docker container is unable to connect to Azure Storage when running on the virtual node

We have a .NET application, running in a Docker container, connecting to Azure Storage, running on Azure AKS. We use the connectionString to connect to the Azure Storage, for both temporary file storage as well as logging purposes. Our AKS sits within a vNet, with its own subnet, and it happily connects to the storage, which also sits in its own subnet, with the two subnets linked via a service endpoint. The storage is not open to all networks; it's been set to only be enabled from selected virtual networks and IP addresses.

Now, if we try and move / run the container on the AKS virtual node, it starts up and runs without any issues, but if we try and hit the storage from within the container, we now have authorization issues:

Status: 403 (This request is not authorized to perform this operation.) ErrorCode: AuthorizationFailure

Content: AuthorizationFailure This request is not authorized to perform this operation. RequestId:131fd452-901e-001a-4329-f3010f000000 Time:2022-11-08T04:23:09.0663031Z

If I enable the storage to have public network access, it works, but we don't want this. So what are our options to fix this, seeing as we can't add a service endpoint to the underlying subnet / vNet on which the virtual node is running? We're also concerned because this will probably affect any DB connections as well, which will be an issue if we want to run our DB-backed containers on the virtual node.

Status: 403 (This request is not authorized to perform this operation.) ErrorCode: AuthorizationFailure

Content: AuthorizationFailure This request is not authorized to perform this operation.

The above 403 errors occur when you may not have given proper permission and also may not have assigned roles in the storage account.

For principal authentication purpose you need to assign roles in your storage account.

  • Storage Blob Data Owner
  • Storage Blob Data Contributor

Portal: In the portal go to your storage account -> Access Control (IAM) -> Add -> Add role assignment -> Storage Blob Data Owner or Storage Blob Data Contributor with your service principal.

After assigning it you can view the access through the portal by referring to the snap below:

[screenshot of the storage account Access Control (IAM) pane]

  • Make sure that, under Networking -> Firewalls and virtual networks, public access is set to Enabled from selected virtual networks and IP addresses.

Make sure you are adding the correct virtual network and subnets in the portal, and also the virtual node client IP address. In your environment the issue may be that the client IP was not added to the firewall rules for the storage account. Also check that "Allow Azure services on the trusted services list to access this storage account" is in the checked state. Then these trusted providers will establish a secure connection to your storage account using strong authentication.

Go to Azure Portal -> Storage Accounts -> Networking -> Enabled from selected virtual networks and IP addresses.

[screenshot of the storage account Networking pane]

Reference: Creating Azure Storage Containers in a storage account with network rules, with Terraform by Ansuman Bal
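The firewall decision the answer walks through (default Deny, selected virtual network rules, public IP rules, trusted-service bypass), written out as an added example that is not part of the original question or answer. It is an approximation of how the storage account firewall evaluates a request, not Azure's code; the rule set, subnet ID and address ranges are constructed, and the evaluation order is an assumption for illustration.

```python
import ipaddress
from typing import Optional

# Constructed storage account rule set in the shape `az storage account show
# --query networkRuleSet` returns (ARM networkAcls schema). Subnet IDs and
# address ranges are made up for this example.
AKS_SUBNET = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg"
              "/providers/Microsoft.Network/virtualNetworks/aks-vnet/subnets/aks-subnet")
RULE_SET = {
    "defaultAction": "Deny",          # "Enabled from selected virtual networks and IP addresses"
    "bypass": "AzureServices",        # "Allow Azure services on the trusted services list"
    "virtualNetworkRules": [{"id": AKS_SUBNET, "action": "Allow", "state": "Succeeded"}],
    "ipRules": [{"value": "20.50.60.0/24", "action": "Allow"}],
}

def evaluate(rule_set: dict, source_subnet: Optional[str] = None,
             source_ip: Optional[str] = None, trusted_service: bool = False) -> str:
    """Approximate the storage firewall decision for one request (assumed logic).

    source_subnet: the subnet resource ID the request is tagged with; this is only
    present when the subnet has a Microsoft.Storage service endpoint. Otherwise the
    request arrives from a public (NAT) address given in source_ip.
    """
    if rule_set["defaultAction"] == "Allow":          # public network access enabled
        return "Allow"
    if trusted_service and "AzureServices" in rule_set.get("bypass", ""):
        return "Allow"
    if source_subnet:
        for rule in rule_set.get("virtualNetworkRules", []):
            if rule["id"].lower() == source_subnet.lower() and rule.get("state") == "Succeeded":
                return "Allow"
    if source_ip:
        ip = ipaddress.ip_address(source_ip)
        if ip.is_private:                             # IP rules only match public addresses
            return "Deny"
        for rule in rule_set.get("ipRules", []):
            if ip in ipaddress.ip_network(rule["value"], strict=False):
                return "Allow"
    return "Deny"                                     # -> 403 AuthorizationFailure

def with_ip_rule(rule_set: dict, cidr: str) -> dict:
    """Return a copy of the rule set with one extra public IP rule (the fix the
    answer suggests for a virtual node whose subnet cannot carry a service endpoint)."""
    updated = dict(rule_set)
    updated["ipRules"] = rule_set.get("ipRules", []) + [{"value": cidr, "action": "Allow"}]
    return updated
```

Running `evaluate(RULE_SET, source_subnet=AKS_SUBNET)` models the working AKS pod, while `evaluate(RULE_SET, source_ip="40.70.80.9")` models the virtual node whose egress address is not listed and is therefore denied.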
