Reputation: 1
I'm trying to create a runbook in Azure that accesses a blob storage and lists the contents. But I keep getting the following error:
The remote server returned an error: (403) Forbidden. HTTP Status Code: 403 - HTTP Error Message: This request is not authorized to perform this operation using this permission.
I checked the following: Azure Portal -> Storage Account -> Networking -> Check Allow Access From (All Networks / Selected Networks). It is set to all networks.
I checked the SAS. It's correct.
On the storage account and the container I set the Access Control to Storage Blob Data Reader and Storage Blob Data Owner to Managed Identity\Automation Account.
I created an Access Policy and set its rights to rdl, but I don't know how to call it from within my PowerShell statement. I don't know whether it makes any difference.
Who can help me? I've about read all the articles on the Internet but can't find the answer.
It's the statement Get-AzureStorageBlob that fails.
This is the code in the runbook:
$storage = "opslag" #name of storage account
$blobcontainer = "contener" #name of container
$sas = "****"
Write-Output $storage
Write-Output $blobcontainer
$context = New-AzureStorageContext -StorageAccountName $storage -SasToken $sas
Write-Output $context
$blobs = Get-AzureStorageBlob -Container $blobcontainer -Context $context
Upvotes: 0
Views: 1029
Reputation: 5506
To test this in our local environment, we have created a storage account, automation account with PowerShell runbook
Storage blob data Reader, Storage Blob Data Owner
for the same managed identity.
read, delete, list
permissions to access the blob contents from PowerShell statements.
Here is the PowerShell Script that we have run in the Automation account Runbook:
Disable-AzContextAutosave -Scope Process # Ensures you do not inherit an AzContext in your runbook
$AzureContext = (Connect-AzAccount -Identity).context # Connect to Azure with system-assigned managed identity
$AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription -DefaultProfile $AzureContext # set and store context
Import-module -name Az.Storage
$storage = "<strgName>" #name of storage account
$blobcontainer = "<containerName>" #name of container
$sas = "<SAStoken>" # Generated SAS token for the container with allowing HTTP & HTTPS protocol.
Write-Output $storage
Write-Output $blobcontainer
$context = New-AzStorageContext -StorageAccountName $storage -SasToken $sas
Write-Output $context
$blobs = Get-AzStorageBlob -Container $blobcontainer -Context $context
Write-Output $blobs
Here is the sample output for reference:
Upvotes: 0
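An added example, not part of the question or the answer above: both posts authenticate with a SAS token, and the permissions it carries (rdl in the question; read, delete, list in the answer) decide whether the listing call is authorized. This function reads the token's standard query fields and reports what would stop a container listing; the function name and the sample token are constructed for illustration.

```powershell
# Added example (not from the original posts): check whether a SAS token,
# as written, can authorize "List Blobs" on a container.
function Test-SasAllowsBlobList {
    param(
        [Parameter(Mandatory)] [string] $SasToken,
        [datetime] $Now = [datetime]::UtcNow
    )
    # Parse "?name=value&name=value" into a hashtable (values URL-decoded).
    $f = @{}
    foreach ($pair in ($SasToken.TrimStart('?') -split '&')) {
        $name, $value = $pair -split '=', 2
        if ($name) { $f[$name] = [uri]::UnescapeDataString([string]$value) }
    }
    $utc   = [System.Globalization.DateTimeStyles]::AssumeUniversal
    $inv   = [cultureinfo]::InvariantCulture
    $sp    = [string]$f['sp']
    $notes = @()

    if (-not $f['sig']) { $notes += 'no sig field: this is not a complete SAS token' }
    if ($f['ss']) {
        # Account SAS: needs the Blob service, container-level resource type, and list.
        $kind = 'account'
        if (-not ([string]$f['ss']).Contains('b'))  { $notes += "ss=$($f['ss']) excludes the Blob service" }
        if (-not ([string]$f['srt']).Contains('c')) { $notes += "srt=$($f['srt']) excludes container-level operations" }
        if (-not $sp.Contains('l'))                 { $notes += "sp=$sp lacks l (list)" }
    } else {
        # Service SAS: listing is a container operation, so sr must be c.
        $kind = 'service'
        if ($f['sr'] -cne 'c') { $notes += "sr=$($f['sr']) is not a container SAS" }
        if ($f['si'] -and -not $sp) {
            $notes += "permissions come from stored access policy '$($f['si'])'; check it on the container"
        } elseif (-not $sp.Contains('l')) { $notes += "sp=$sp lacks l (list)" }
    }
    # Validity window and source-IP restriction, when the token carries them.
    if ($f['st'] -and ([datetimeoffset]::Parse($f['st'], $inv, $utc).UtcDateTime -gt $Now)) { $notes += "not valid before $($f['st'])" }
    if ($f['se'] -and ([datetimeoffset]::Parse($f['se'], $inv, $utc).UtcDateTime -lt $Now)) { $notes += "expired at $($f['se'])" }
    if ($f['sip']) { $notes += "restricted to source IP $($f['sip'])" }

    [pscustomobject]@{ Kind = $kind; Permissions = $sp; Findings = $notes }
}

# Constructed sample token (the signature is a placeholder, not a real one).
$sample = '?sv=2021-06-08&sr=c&sp=rd&se=2020-01-01T00:00:00Z&spr=https&sig=PLACEHOLDER'
(Test-SasAllowsBlobList -SasToken $sample).Findings
```

The check only reads the token text; it does not validate the signature or contact the storage account, so an empty Findings list means the token's stated scope permits listing, not that the service will accept it.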