I have a Web API which accesses an Azure Storage Account. In local development/test all works fine; however, when I published my Web API to Azure, my API stopped working, raising the authorization error below:
2021-10-24T10:31:31.511791298Z: [INFO] fail: DocumentUploader.Controllers.DocumentController[1001]
2021-10-24T10:31:31.511811800Z: [INFO] POST : Internal Error. Error message : This request is not authorized to perform this operation.
2021-10-24T10:31:31.511846903Z: [INFO] RequestId:db008379-e01a-0021-59c2-c84447000000
2021-10-24T10:31:31.512839496Z: [INFO] Time:2021-10-24T10:31:31.5024279Z
2021-10-24T10:31:31.512866599Z: [INFO] Status: 403 (This request is not authorized to perform this operation.)
2021-10-24T10:31:31.512871599Z: [INFO] ErrorCode: AuthorizationFailure
2021-10-24T10:31:31.512883200Z: [INFO]
2021-10-24T10:31:31.512886901Z: [INFO] Content:
2021-10-24T10:31:31.512890801Z: [INFO] <?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationFailure</Code><Message>This request is not authorized to perform this operation.
2021-10-24T10:31:31.512895702Z: [INFO] RequestId:db008379-e01a-0021-59c2-c84447000000
2021-10-24T10:31:31.512899402Z: [INFO] Time:2021-10-24T10:31:31.5024279Z</Message></Error>
2021-10-24T10:31:31.512903302Z: [INFO]
2021-10-24T10:31:31.512906803Z: [INFO] Headers:
2021-10-24T10:31:31.512910403Z: [INFO] Server: Microsoft-HTTPAPI/2.0
2021-10-24T10:31:31.512913903Z: [INFO] x-ms-request-id: db008379-e01a-0021-59c2-c84447000000
2021-10-24T10:31:31.512917504Z: [INFO] x-ms-client-request-id: 328261a6-0b66-4526-9425-06f1cdb07bb8
2021-10-24T10:31:31.512921104Z: [INFO] x-ms-error-code: AuthorizationFailure
2021-10-24T10:31:31.512924704Z: [INFO] Date: Sun, 24 Oct 2021 10:31:31 GMT
2021-10-24T10:31:31.512928305Z: [INFO] Content-Length: 246
2021-10-24T10:31:31.512931805Z: [INFO] Content-Type: application/xml
I believe it to be a problem with firewall/networking. I read this link https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#manage-exceptions, and therefore I added the exceptions to allow the Web API's public IP access to the storage.
I found the public IPs on the Web API networking page, and therefore I added these as exceptions in the Storage...
Any clue why my web API can't access the storage?
CodePudding user response:
Go to the properties of your App Service and copy all the outbound IP addresses in the networking tile of your Storage Account to whitelist them.
You can enable "Allow trusted Microsoft Services" to give access for your App Service to the Storage Account. There are two modes of trusted access for Microsoft services:
- Trusted access for resources registered in your subscription
- Trusted access based on system-assigned managed identity
If you are using an App Service Plan that has a Standard, Premium, or Isolated tier, you can put your App Service in a virtual network. Then, you would add your VNET to your Storage Account networking configuration.
CodePudding user response:
Your traffic likely comes over the internal network and not the public internet. Since you can't add internal IP addresses to the firewall, you'll need to add a virtual network and subnet to the web app. Then you can enable the storage services for that subnet and add it as an exception to the storage account.
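The two answers above describe two firewall paths (IP rules and a virtual network rule). The following is an added example, not code from the thread, that audits an exported storage firewall rule set against a web app's outbound addresses and integrated subnet to show which path, if any, would admit the request. The function name, the sample data and the `same_region` flag are hypothetical; the field names assume the JSON printed by `az storage account show --query networkRuleSet` and `az webapp show`.

```python
import ipaddress

# Constructed sample data (documentation IP ranges, placeholder resource ID).
SUBNET_ID = ("/subscriptions/<sub-id>/resourceGroups/<rg>/providers/"
             "Microsoft.Network/virtualNetworks/<vnet>/subnets/<subnet>")
RULE_SET = {
    "defaultAction": "Deny",
    "bypass": "AzureServices",
    "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.10"},
                {"action": "Allow", "ipAddressOrRange": "203.0.113.32/28"}],
    "virtualNetworkRules": [],
}
WEBAPP = {
    "possibleOutboundIpAddresses": "203.0.113.10,203.0.113.40,198.51.100.7",
    "virtualNetworkSubnetId": None,
}


def audit_storage_access(rule_set, webapp, same_region):
    """Report which firewall path admits the app and which IPs lack a rule."""
    if rule_set["defaultAction"] == "Allow":
        return {"allowed_by": "default", "missing_ips": []}

    # Virtual network rule: must name the subnet the app is integrated with.
    # Resource IDs are compared case-insensitively.
    subnet = (webapp.get("virtualNetworkSubnetId") or "").lower()
    vnet_ids = {r["virtualNetworkResourceId"].lower()
                for r in rule_set.get("virtualNetworkRules", [])}
    if subnet and subnet in vnet_ids:
        return {"allowed_by": "vnet", "missing_ips": []}

    # IP rules: every possible outbound address needs a covering rule.
    nets = [ipaddress.ip_network(r["ipAddressOrRange"], strict=False)
            for r in rule_set.get("ipRules", [])]
    outbound = [ipaddress.ip_address(ip.strip())
                for ip in webapp["possibleOutboundIpAddresses"].split(",")]
    missing = [str(ip) for ip in outbound if not any(ip in n for n in nets)]

    # Microsoft's storage network security documentation states that IP rules
    # have no effect on requests from the storage account's own region.
    if same_region or missing:
        return {"allowed_by": None, "missing_ips": missing}
    return {"allowed_by": "ip", "missing_ips": []}


if __name__ == "__main__":
    print(audit_storage_access(RULE_SET, WEBAPP, same_region=False))
    print(audit_storage_access(RULE_SET, WEBAPP, same_region=True))
```

A result of `allowed_by: None` with an empty `missing_ips` list is the case the second answer describes: every address is listed, yet the request is still refused until a virtual network rule covers the app's subnet.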