Reputation: 55
I am trying to upload a file to a container from ADF using a copy activity. I have used a User Assigned Managed Identity in the linked service to connect to the storage account. The connection is successful, but the copy activity is failing with the error below.
The User Assigned Managed ID has the resource group contributor role assigned in the storage account.
Failure happened on 'Sink' side. ErrorCode=FileForbidden,'Type=Microsoft.DataTransfer.Common.Shared.HybridDeliveryException,Message=Error occurred when trying to upload a blob, detailed message: 20240320_130837_File1.csv,Source=Microsoft.DataTransfer.ClientLibrary,''Type=Microsoft.WindowsAzure.Storage.StorageException,Message=The remote server returned an error: (403) Forbidden.,Source=Microsoft.WindowsAzure.Storage,StorageExtendedMessage=This request is not authorized to perform this operation using this permission. RequestId:b1c85e0a-b01e-001c-6a79-7be8ba000000 Time:2024-03-21T10:18:31.4813244Z,,''Type=System.Net.WebException,Message=The remote server returned an error: (403) Forbidden.,Source=Microsoft.WindowsAzure.Storage,'
Upvotes: 0
Views: 1225
Reputation: 5272
Your user-assigned managed identity doesn't have permission to upload a blob into the storage account; that may be the reason for getting the above error. You should assign the Storage Blob Data Contributor role to your user-assigned managed identity as follows:
Step 1: Go to the IAM of the blob storage account and click on "Add role assignment" as shown below:
Step 2: Search for the Storage Blob Data Contributor role and select it, as shown below:
Step 3: Select the Managed identity, as shown below:
Then you will be able to upload a blob successfully into the storage account through the copy activity:
Uploaded file:
Upvotes: 2
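Why a Contributor assignment still ends in the 403 above, as an added example (not code from either post): Azure RBAC authorizes blob reads and writes only through a role's `dataActions`, and Contributor has none, even though its control-plane `actions` is `*`. The role permission sets below are abridged, the subscription, resource names and principal ID are constructed placeholders, and deny assignments are not modelled.

```python
from fnmatch import fnmatchcase

# Constructed, abridged permission sets of two Azure built-in roles.
ROLES = {
    "Contributor": {"actions": ["*"], "dataActions": []},
    "Storage Blob Data Contributor": {
        "actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
        "dataActions": [
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
        ],
    },
}
BLOB_WRITE = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"

# Constructed placeholder identifiers.
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
ACCOUNT = RG + "/providers/Microsoft.Storage/storageAccounts/stdemo"
CONTAINER = ACCOUNT + "/blobServices/default/containers/uploads"
UAMI = "11111111-1111-1111-1111-111111111111"

def scope_covers(scope, resource_id):
    """An assignment applies to its scope and everything below it."""
    s, r = scope.rstrip("/").lower(), resource_id.rstrip("/").lower()
    return r == s or r.startswith(s + "/")

def grants_data_action(role, data_action):
    """Only dataActions (minus notDataActions) authorize blob I/O; actions never do."""
    perms = ROLES[role]
    hit = lambda pats: any(fnmatchcase(data_action.lower(), p.lower()) for p in pats)
    return hit(perms.get("dataActions", [])) and not hit(perms.get("notDataActions", []))

def authorizing_roles(assignments, principal_id, resource_id, data_action):
    """Roles that let principal_id perform data_action on resource_id."""
    return [a["role"] for a in assignments
            if a["principalId"] == principal_id
            and scope_covers(a["scope"], resource_id)
            and grants_data_action(a["role"], data_action)]

BEFORE = [{"principalId": UAMI, "role": "Contributor", "scope": RG}]
AFTER = BEFORE + [{"principalId": UAMI, "role": "Storage Blob Data Contributor",
                   "scope": ACCOUNT}]

if __name__ == "__main__":
    print("before:", authorizing_roles(BEFORE, UAMI, CONTAINER, BLOB_WRITE))
    print("after: ", authorizing_roles(AFTER, UAMI, CONTAINER, BLOB_WRITE))
```

Scoping the data role to the storage account (or to a single container) rather than the resource group keeps the identity's write access limited to what the copy activity needs.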