3
votes

I have an Azure blob storage account which is firewalled to selected networks only. I would like to access this storage account from a function app running on a dynamic plan whose outbound IP addresses are known to me. The problem is that I add these outbound IPs to the Allowed IP addresses in the Firewall and Virtual Network settings of the blob storage, but I still continue to get an error which says:

This request is not authorized to perform this operation.

Can someone please point out where I am going wrong?

N.B. I am using the Python SDK for accessing the blob storage with the account name and the account key!

1
What is your blob access policy? Have you tried adding your function app to the permissions list for your storage account? - Micah_MSFT
My blobs are set to private at the moment. I do not know how to set the function app to the permissions list of the storage account apart from using the outbound IP addresses of the function app. Can you please explain a bit more? - NightOwl85
According to the docs, you'll still need proper authorization (a valid access key or SAS token) to access the storage account. Have you tried using a SAS your connection string (docs.microsoft.com/en-us/azure/storage/common/…)? You can generate a shared access signature through the Azure portal under "Shared access signature". - Marie Hoeger
If you are not in an ASE environment, it seems that it is not supported to access the private storage. You could refer to this SO thread for more information. - Tom Sun - MSFT

1 Answer

0
votes

I did some tests on my side using a consumption function app to access my files in blob storage and it works for me. There are 2 steps I did:

  1. I enabled storage account firewall and added all function app outbound IPs to it.

  2. Enabling anonymous access on the container that holds the blob file I would like to access, so that my function app can access the blob file directly (as the storage firewall is enabled so that only the specified IPs would be able to access your storage, I think the security here is OK. If you need a higher security level in your scenario, as @Marie Hoeger said, you should use a private container and SAS token to control blob access).

If you have any further concerns, please feel free to let me know :)
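
An added example, not part of the original question or answer: a standard-library Python check that every outbound IP of the function app is covered by an Allow rule in the storage account firewall, and that the firewall actually defaults to Deny. The sample data is constructed; the input shapes (the function app's comma-separated `possibleOutboundIpAddresses` property and the storage account's `networkRuleSet` as printed by the Azure CLI) are assumptions about how you export the settings.

```python
import ipaddress

# Constructed sample data (documentation address ranges, not real resources).
# Assumed shapes: the function app's comma-separated possibleOutboundIpAddresses
# value and the storage account's networkRuleSet object from the Azure CLI.
FUNCTION_APP_OUTBOUND = "203.0.113.10,203.0.113.11,198.51.100.7,192.0.2.44"
STORAGE_NETWORK_RULES = {
    "defaultAction": "Deny",
    "ipRules": [
        {"action": "Allow", "ipAddressOrRange": "203.0.113.0/28"},
        {"action": "Allow", "ipAddressOrRange": "198.51.100.7"},
    ],
}


def allowed_networks(rule_set):
    """Parse the Allow IP rules into ip_network objects (a single IP becomes a /32)."""
    nets = []
    for rule in rule_set.get("ipRules", []):
        if rule.get("action", "Allow") != "Allow":
            continue
        # CLI output uses "ipAddressOrRange"; ARM templates use "value".
        value = rule.get("ipAddressOrRange") or rule.get("value")
        nets.append(ipaddress.ip_network(value, strict=False))
    return nets


def audit(outbound_csv, rule_set):
    """Return (firewall_enforced, sorted outbound IPs that no Allow rule covers)."""
    nets = allowed_networks(rule_set)
    outbound = {
        ipaddress.ip_address(part.strip())
        for part in outbound_csv.split(",")
        if part.strip()
    }
    missing = sorted(ip for ip in outbound if not any(ip in net for net in nets))
    # With defaultAction "Allow" the IP rules restrict nothing at all.
    enforced = rule_set.get("defaultAction") == "Deny"
    return enforced, [str(ip) for ip in missing]


if __name__ == "__main__":
    enforced, missing = audit(FUNCTION_APP_OUTBOUND, STORAGE_NETWORK_RULES)
    print("firewall enforced:", enforced)
    print("outbound IPs not covered:", missing or "none")
```

A clean result only shows that the rule list is complete: per Microsoft's storage firewall documentation, IP network rules have no effect on requests that originate in the same Azure region as the storage account, so a same-region caller is not admitted by IP rules alone.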