1
votes

Following the instructions for the Azure CLI "quickstart" on creating a blob.

It looks like something in the default storage account is blocking the ability to create new containers; yet, the "defaultAction" is Allow:

The following Azure CLI:

az storage container create --account-name meaningfulname --name nancy --auth-mode login

... results in the error explaining the network rules of the Storage Account might be the cause:

The request may be blocked by network rules of storage account. Please check network rule set using 'az storage account show -n accountname --query networkRuleSet'.
If you want to change the default action to apply when no rule matches, please use 'az storage account update'.

Using the suggestion from the above message, the "show" command on the account-name gives:

> az storage account show -n meaningfulname --query networkRuleSet
{
  "bypass": "AzureServices",
  "defaultAction": "Allow",
  "ipRules": [],
  "virtualNetworkRules": []
}

I would think that the Azure CLI would be among the "services" that could bypass and do operations. And, the default action would seem to me to be quite permissive.

I've done some searching around by the error messages and commands (and variations). There does not appear to be much on this, and I don't know the quirks of the Azure CLI, so maybe this is so obvious that people haven't written anything up. I don't think I'm duplicating

4
Does the storage account have any firewall restrictions? (Paolo)
I didn't knowingly add any. I thought the az storage account show -n ... was querying for that. Is there another way to determine if there are firewall restrictions? (I thought ipRules was equivalent to firewall restrictions) (lenards)
Could you check if my edit is helpful? (Nancy Xiong)

4 Answers

1
votes

Not sure if this would be helpful ...

If you update the "Firewalls and virtual networks" section of the Storage account and make it accessible for all networks using the CLI, it takes some time to take effect. I have observed that it takes around 10-30 seconds to take effect.

Try waiting for 30 seconds and then try the az container create statement. It should work.

0
votes

The current networkRuleSet configuration is enough. I cannot reproduce this issue with the same networkRuleSet configuration as you. So you may double-check whether there is a typo in the storage account name when creating a container or querying the networkRuleSet.

By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change the default action.

If you need to allow access to your storage account only from some specific IP addresses or specific subnets, and still allow Azure services, you can add it like this:

{
  "bypass": "AzureServices",
  "defaultAction": "Deny",
  "ipRules": [
    {
      "action": "Allow",
      "ipAddressOrRange": "100.100.100.100"
    }
  ],
  "virtualNetworkRules": [
    {
      "action": "Allow",
      "virtualNetworkResourceId": "subnetID"
    }
  ]
}

With Azure CLI, set the default rule to allow network access by default.

az storage account update --resource-group "myresourcegroup" --name "mystorageaccount" --default-action Deny

az storage account update --resource-group "myresourcegroup" --name "mystorageaccount" --default-action Allow

See Change the default network access rule for more details.

Edit

In this case, you set the --auth-mode parameter to login to authorize with Azure AD credentials. You need to ensure that the Azure AD security principal with which you sign in to Azure CLI has permission to do data operations against Blob or Queue storage. For more information about RBAC roles in Azure Storage, see Manage access rights to Azure Storage data with RBAC.
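To make the Allow-versus-Deny semantics of networkRuleSet concrete, here is an added check of my own (not from this answer and not Azure's code): given the JSON that az storage account show prints and a client's public IP, it reports whether the storage firewall would admit the request. It models only defaultAction and ipRules; virtualNetworkRules and the AzureServices bypass are assumed not to apply to a workstation running the CLI.

```python
import ipaddress
import json

# Constructed sample: the questioner's rule set (open to all networks).
OPEN_RULE_SET = json.loads("""{
  "bypass": "AzureServices", "defaultAction": "Allow",
  "ipRules": [], "virtualNetworkRules": []
}""")

# Constructed sample: the locked-down rule set shown in the answer above.
LOCKED_RULE_SET = json.loads("""{
  "bypass": "AzureServices", "defaultAction": "Deny",
  "ipRules": [{"action": "Allow", "ipAddressOrRange": "100.100.100.100"}],
  "virtualNetworkRules": [{"action": "Allow", "virtualNetworkResourceId": "subnetID"}]
}""")


def ip_rule_matches(rule, client_ip):
    """True if an ipRules entry (single address or CIDR range) covers client_ip."""
    net = ipaddress.ip_network(rule["ipAddressOrRange"], strict=False)
    return ipaddress.ip_address(client_ip) in net


def network_rules_allow(rule_set, client_ip):
    """Would the storage firewall admit a request from this public client IP?

    defaultAction Allow: every network is accepted and ipRules are irrelevant.
    defaultAction Deny: only addresses covered by an Allow ipRule get through.
    virtualNetworkRules need a subnet, not an IP, so they are not modelled.
    """
    if rule_set.get("defaultAction", "Allow") == "Allow":
        return True
    return any(r.get("action", "Allow") == "Allow" and ip_rule_matches(r, client_ip)
               for r in rule_set.get("ipRules", []))


def explain(rule_set, client_ip):
    """One diagnostic line, echoing the hint in the CLI error message."""
    if network_rules_allow(rule_set, client_ip):
        return f"{client_ip}: allowed (defaultAction={rule_set['defaultAction']})"
    return (f"{client_ip}: blocked by network rules; add an ipRule or run "
            "'az storage account update ... --default-action Allow'")


if __name__ == "__main__":
    for rule_set in (OPEN_RULE_SET, LOCKED_RULE_SET):
        for ip in ("100.100.100.100", "203.0.113.7"):
            print(explain(rule_set, ip))
```

If the check says "allowed" and the container create still fails with --auth-mode login, the cause is more likely the missing data-plane role that the Edit above describes than the network rules.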

0
votes

Although the selected answer is different.

There can be another reason, as in my case. You need to be in the role before you can create a container, as stated in the Microsoft documentation here:

Before you create the container, assign the Storage Blob Data Contributor role to yourself. Even though you are the account owner, you need explicit permissions to perform data operations against the storage account.

Also note that

Azure role assignments may take a few minutes to propagate.

0
votes

Remove the --auth-mode login from your command. Use it like this:

az storage container create \
--account-name helloworld12345 \
--name images \
--public-access container

If we don't set --auth-mode, it uses the default auth-mode, key, which will query for the account key inside your storage account:

https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-data-operations-cli

Use --auth-mode login in your command if you have the required RBAC roles. For more information about RBAC roles in storage, visit https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-rbac-cli.