
I scoured the internet to find a solution to my current issue without finding one that works for my situation. I am currently trying to insert data into an Azure Storage Account Table. This data insertion is done from an Azure DevOps pipeline that executes a PowerShell script. This script authenticates itself as a service principal to my Azure Active Directory using the "Connect-AzAccount" command. This service principal has the "Store Account Data Contributor" role assigned to it, scoped on the table into which I want to insert data. With this authentication, I am able to get a reference to my Azure Storage Account table using the command "Get-AzTableTable" (https://github.com/paulomarquesc/AzureRmStorageTable) without any problems. The issue arises when I try to insert data into this same table using "Add-AzTableRow". When I execute this command, I am returned the error:

Exception calling "Execute" with "1" argument(s): "Forbidden"

I am aware that the IP address of the Azure DevOps agent needs to be whitelisted in the Firewall settings of the Storage Account. In my script, I get the IP address of the Azure DevOps agent and I temporarily add it to this whitelist until my script has ended the data insertion operations. This temporary addition did not solve my issue.

The odd thing with all of this is that I can manually type the same commands found in the script in my local PowerShell terminal on my computer and I do not receive the forbidden error mentioned earlier.

Frankly, I am out of options and any help would be much appreciated.

2 Answers

  1. Chosen as BEST ANSWER

    Thanks for all the replies everyone. As it turns out, I thought that by adding all the Azure Service IP addresses to the firewall configuration of the Storage Account, I would allow my pipeline agent to access my storage account; this was not the case. I finally took a self-hosted agent and added the subnet of the virtual network that this agent is in to the configuration of the storage account's firewall.


  2. I ran into this issue a few months ago and got around it by adding a delay to the script I ran that added my IP address to the storage account firewall. I ended up putting the sleep command at the end of the script just to give Azure and the firewall time to sync up. It worked for me. I will share my script below for reference.

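    # Allow the agent's IP through the storage account and Key Vault firewalls
    az storage account network-rule add --account-name "storageaccountname" --ip-address "$IPADDR"
    az keyvault network-rule add --name "kv-$(COMMON_APP_NAME)" --ip-address "$IPADDR"
    # Give Azure and the firewall time to sync up
    sleep 30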
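
A variant of the script in answer 2, as an added example that is not part of the original answers: it adds the temporary IP rule, waits for it to apply, runs the job, and removes the rule whether or not the job succeeded, so the firewall exception does not outlive the pipeline run. The function name `with_temp_ip_rule`, the resource group argument, and the `RULE_WAIT_SECONDS` variable are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original answers). Assumes the Azure CLI is
# already logged in; with_temp_ip_rule and RULE_WAIT_SECONDS are hypothetical.

# Usage: with_temp_ip_rule <resource-group> <storage-account> <agent-ip> <command...>
with_temp_ip_rule() {
  local rg="$1" account="$2" ip="$3"
  shift 3
  local wait_seconds="${RULE_WAIT_SECONDS:-30}" status=0

  # Accept only a single IPv4 address, so a bad value (empty, a CIDR
  # range) cannot open the firewall wider than one agent.
  if ! printf '%s' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
    echo "refusing to add rule: '$ip' is not a single IPv4 address" >&2
    return 2
  fi

  az storage account network-rule add \
    --resource-group "$rg" --account-name "$account" \
    --ip-address "$ip" >/dev/null || return 1

  # Give the firewall time to apply the new rule (the delay from answer 2).
  sleep "$wait_seconds"

  # Run the job, remember its exit status, then remove the rule either way.
  "$@" || status=$?

  az storage account network-rule remove \
    --resource-group "$rg" --account-name "$account" \
    --ip-address "$ip" >/dev/null \
    || echo "WARNING: rule for $ip was not removed from $account" >&2

  return "$status"
}
```

In a pipeline step this would be called as `with_temp_ip_rule <resource-group> <storage-account> "$IPADDR" <your insert command>`; the job's own exit status is returned so a failed insert still fails the step.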
    