
I am trying to run a terraform deployment that deploys a storage container. The initial deployment works (due to no IP filtering yet being in place), but subsequent ones fail. When running terraform plan I am getting the following:

Error: retrieving Container "xxxx" (Account "xxxx" / Resource Group "xxx"): containers.Client#GetProperties: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailure" Message="This request is not authorized to perform this operation.nRequestId:62a85c92-901e-0021-12de-816608000000nTime:2022-06-17T00:11:56.2063816Z"

From some research and debugging this happens when the storage container does not have the IP of the hosted pipeline agent whitelisted.

I have modified my pipeline so that the IP of the agent is retrieved and added as a firewall rule. I have then added sleeps of various times (up to 5 minutes) to try and give time for the rule to take effect, but it never works.

Here is a snippet of my pipeline:

          - task: AzureCLI@2
            inputs:
              azureSubscription: '$(azureSubscription)'
              scriptType: 'bash'
              scriptLocation: 'inlineScript'
              inlineScript: |
                 # public IP of the hosted agent
                 agentIP=$(curl -s https://api.ipify.org/)
                 # allow that IP on the storage account firewall
                 az storage account network-rule add -g xxx --account-name xxx --ip-address "$agentIP"
                 # give the rule time to take effect before terraform plan runs
                 sleep 300

During the sleep period I have confirmed that the agent IP is added to the whitelist. The whitelisting is also done within the same stage as the terraform plan.

Is anyone able to advise as to where I might be going wrong?

EDIT

I have taken this a step further and added a step in my pipeline to whitelist all IP addresses in my DevOps Organization Region (114 ranges) and it still fails.

And the IP my Azure DevOps pipeline agent gets is not even part of the ranges returned by az network list-service-tags --location australiaeast --query "values[?name == 'AzureCloud.australiaeast'].properties.addressPrefixes[]"


Answers


  1. To resolve the error "Status=403 Code=AuthorizationFailure Message=This request is not authorized to perform this operation", try modifying the settings in the Azure Portal like below:

    Go to Azure Portal -> Storage Accounts -> Your Storage Account you have created from terraform -> Networking


    • Enabling "Allow trusted Microsoft services to access this storage account" allows you to access the storage account.
    • Make sure to have the required permissions like Contributor and User Access Administrator roles / Storage Blob Data Owner role.

    If still the issue persists, make use of the sample code in this similar SO Thread by Ansuman Bal.

  2. What I ended up doing was grabbing the build agent IP when the build initiates on the DevOps pipeline (just initiate a call to https://api.ipify.org?format=json to get the build agent IP), then adding that IP to the list of Network Rules on the storage account (if it exists) using PowerShell/Az CLI, and then also ensuring the IP is added to the network rules in your bicep/arm/terraform. That seems to work fine.

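The procedure in the answer above, written out as an added example (not code from the question or either answer): allow the agent's observed public IP, poll until the rule is actually visible instead of sleeping a fixed time, hand the same IP to Terraform so its network_rules block keeps the rule, and revoke it when the job ends. It assumes a logged-in az CLI and a Terraform variable named agent_ip (a hypothetical name) that the storage account's ip_rules list includes.

```shell
#!/usr/bin/env bash
# Added example: short-lived firewall allowance for a hosted agent.
# RG / ACCOUNT default to the question's "xxx" placeholders; override via env.
set -eu
RG="${RG:-xxx}"
ACCOUNT="${ACCOUNT:-xxx}"

# Public IPv4 of this agent, as observed from outside. The question's EDIT
# shows it need not fall inside the region's service-tag ranges, so use
# the observed address rather than a regional range.
agent_ip() { curl -s https://api.ipify.org; }

# Azure storage IP rules take a bare public IPv4 address (no /32 suffix).
allow_ip() {
  az storage account network-rule add -g "$RG" --account-name "$ACCOUNT" \
    --ip-address "$1" --output none
}

# Poll the rule set until the address is listed. Returns 0 once present,
# 1 after $2 attempts (default 30, ten seconds apart).
wait_for_rule() {
  local ip="$1" tries="${2:-30}" found
  while [ "$tries" -gt 0 ]; do
    found=$(az storage account network-rule list -g "$RG" --account-name "$ACCOUNT" \
      --query "ipRules[?ipAddressOrRange=='$ip'] | length(@)" -o tsv)
    [ "$found" -gt 0 ] && return 0
    tries=$((tries - 1)); sleep 10
  done
  return 1
}

revoke_ip() {
  az storage account network-rule remove -g "$RG" --account-name "$ACCOUNT" \
    --ip-address "$1" --output none
}

main() {
  local ip; ip=$(agent_ip)
  allow_ip "$ip"
  trap "revoke_ip '$ip'" EXIT       # never leave the agent IP allowed
  wait_for_rule "$ip" || { echo "rule for $ip not visible in time" >&2; exit 1; }
  # Terraform's network_rules block is authoritative: pass the IP in as a
  # variable (hypothetical name agent_ip) so plan/apply keeps the rule.
  export TF_VAR_agent_ip="$ip"
  terraform init -input=false && terraform plan -input=false
}

if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `bash allow-agent.sh run` from the pipeline step; the EXIT trap removes the rule whether plan succeeds or fails.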