Unable to download blob from Azure Virtual Machine created in the allowed subnet of the Storage Account

0
votes

I have configured my Storage Account to allow access from a subnet. I created a Virtual machine inside the subnet. I then generated a valid SAS url from my Storage Account for that blob. I used PS Remoting from Azure Cloud Shell to login to the Virtual Machine. In that powershell session, I typed in the following command: curl . I got a 403 Forbidden error.

Note that the endpoint status for the subnet is showing as enabled. When I reviewed the subnet service endpoint, Storage is enabled. The subnet is configured with a network security group with the defaults. The only addition was allowing access for the PS Remoting port.

Why else am I missing to access the blob from the Virtual Machine?

1
azure-storageazure-storage-blobsazure-virtual-machine
Can you show the full curl command? or can you try to download blob with Get-AzureStorageBlobContent on that Azure VM?view=azurermps-6.13.0)? see more exampleNancy Xiong
@NancyXiong I installed the PS modules for Az.Account and Az.Storage on the VM. I executed a Connect-AzAccount -UseDeviceAuthentication which was successful. I then executed Get-AzStorageAccount. It did not return any storage account which makes me suspect that it cannot connect to the Storage Account. I executed the following with the correct context and got a 403 as well: Get-AzStorageBlobContent -Blob "ConfigureServer.ps1" -Container "deploy" -Context $ctxDavid Lee

1 Answers

0
votes

From the document,

An application that accesses a storage account when network rules are in effect still requires proper authorization for the request. Authorization is supported with Azure Active Directory (Azure AD) credentials for blobs and queues, with a valid account access key, or with an SAS token.

when you access a storage account in the authorized vNet, you still need to provide proper authorization for the request. Please check it on your side. Also, you could allow trusted Microsoft service in that exception.