
I want to access a storage account residing in an Azure AD tenant (say tenant id T1) from a subnet (say S1) residing in another Azure AD tenant (say tenant id T2). Using the Azure CLI I was able to add this existing vnet/subnet in the Firewalls and virtual networks tab of the storage account.

Azure CLI: az storage account network-rule add -g myRG --account myAccount --subnet mySubnetId

But the Endpoint Status of this subnet says "Insufficient permissions" instead of "Enabled", so I am not able to access this storage account from the added subnet S1.

Error: Unable retrieve endpoint status for one or more subnets. Status 'insufficient permissions' indicates lack of subnet read permissions ('Microsoft.Network/virtualNetworks/subnets/read').

Detailed error:

You do not have authorization to access this resource.

Resource ID: /subscriptions/****/resourceGroups/my-network-rg/providers/Microsoft.Network/virtualNetworks/my-vnet

Status Code: 401

Status Message: The access token is from the wrong issuer 'https://sts.windows.net/T1/'. It must match the tenant 'https://sts.windows.net/T2/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/T2' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later.

What necessary cross-tenant permissions am I missing, and how do I provide them? Any help is appreciated. Although this might be trivial, as I am new to Azure I am not sure what I am missing here. Thanks.

Comments:

Carl Zhao: Does the subscription you are using match tenant 2?

Carl Zhao: You are using the token issued by tenant 1 to call tenant 2's subscription resources.

abhi195: Could you elaborate more on what you mean by "subscription you are using match tenant 2"? Both resources (storage account and vnet) are in different subscriptions of different tenants.

abhi195: And regarding "using the token issued by tenant 1 to call tenant 2's subscription resources": I am not explicitly making any API calls, it's the storage account's default backend. Is there any way I could tell the storage account service that this particular vnet/subnet is from a different tenant so that it authenticates with the STS token of that tenant?

Carl Zhao: The subscription id you are using is in tenant 2, right?

1 Answer


You have performed all steps correctly, it's just the message which is confusing: you are logged into the Azure Portal with a user that got a token from tenant 1, but the VNet resides in tenant 2 and you don't have a token which can be used to read the subnet data in tenant 2.

To confirm that the network rule was actually set correctly you can run

az storage account network-rule list --account-name myAccount

and you should see a "state": "Succeeded".

The only thing left to do is to make sure that the user account that accesses the storage account from the subnet has an eligible role assignment on the storage account. For example, if the user should be able to read and write blob data, add the Storage Blob Data Contributor role for your user.
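As an added example (not part of the question or the answer above), a small Python check that parses the JSON output of az storage account network-rule list -o json together with the 401 "wrong issuer" text: it confirms each VNet rule is actually applied (action Allow, state Succeeded) and flags rules whose subnet sits in a different subscription, which is exactly the cross-tenant case in which the portal, holding a token for the storage account's tenant, cannot read the subnet and shows "Insufficient permissions". The rule list, subscription ids and subnet name are constructed placeholders.

```python
import json
import re

# Constructed sample of `az storage account network-rule list --account-name myAccount -o json`.
# Field names follow the CLI's JSON shape; the ids are placeholders, not values from the post.
SAMPLE_RULE_LIST = json.dumps({
    "ipRules": [],
    "virtualNetworkRules": [{
        "action": "Allow",
        "state": "Succeeded",
        "virtualNetworkResourceId": (
            "/subscriptions/22222222-2222-2222-2222-222222222222"
            "/resourceGroups/my-network-rg/providers/Microsoft.Network"
            "/virtualNetworks/my-vnet/subnets/S1"),
    }],
})

# Subscription that hosts the storage account (placeholder for the tenant T1 subscription).
STORAGE_SUBSCRIPTION = "11111111-1111-1111-1111-111111111111"

_SUB_RE = re.compile(r"^/subscriptions/([^/]+)/", re.IGNORECASE)
_ISSUER_RE = re.compile(
    r"wrong issuer 'https://sts\.windows\.net/([^/']+)/'.*?"
    r"must match the tenant 'https://sts\.windows\.net/([^/']+)/'", re.DOTALL)


def check_vnet_rules(rule_list_json, storage_subscription):
    """One finding per virtualNetworkRule: 'applied' is True when the rule is an
    Allow rule in state Succeeded (the firewall really lets the subnet in);
    'cross_subscription' is True when the subnet lives in a different subscription,
    which is why a token for the storage account's tenant cannot read its status."""
    findings = []
    for rule in json.loads(rule_list_json).get("virtualNetworkRules", []):
        subnet_id = rule.get("virtualNetworkResourceId", "")
        match = _SUB_RE.match(subnet_id)
        subnet_sub = match.group(1).lower() if match else None
        findings.append({
            "subnet": subnet_id.rsplit("/", 1)[-1],
            "applied": rule.get("action") == "Allow" and rule.get("state") == "Succeeded",
            "cross_subscription": subnet_sub is not None
                                  and subnet_sub != storage_subscription.lower(),
        })
    return findings


def parse_wrong_issuer(status_message):
    """Return (token_tenant, expected_tenant) from the 401 'wrong issuer' text,
    or None when the message is a different error."""
    match = _ISSUER_RE.search(status_message)
    return (match.group(1), match.group(2)) if match else None
```

A rule that is applied but cross_subscription explains the portal's "Insufficient permissions" status without any change to the firewall; what remains is the RBAC role on the storage account for the identity that connects from S1.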