
Can no longer grant access from certain Azure Resource Types to Azure Storage using Azure Storage Firewall

Open starkfell opened this issue 2 years ago • 3 comments

Notes

The values provided below have been generalized.


Related command(s)

The following commands are related to the issue described below.

az storage account network-rule add

az rest
az resource update


Describe the bug

When attempting to grant access from a Log Analytics Workspace to a Storage Account using the following command:

az storage account network-rule add \
--resource-id "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-log-analytics-workspaces/providers/Microsoft.OperationalInsights/workspaces/log-analytics-workspace-001" \
--tenant-id 00000000-0000-0000-0000-000000000000 \
--account-name storageaccountname001

The following error occurs:

Bad Request({"error":{"code":"InvalidValuesForRequestParameters","message":"Values for request parameters are invalid: networkAcls.resourceAccessRules[*].resourceId. For more information, see - https://aka.ms/storagenetworkruleset"}})

The error above also occurs when attempting to grant access from the following Resource Types:

Microsoft.Web/sites/functions
Microsoft.Logic/workflows


To Reproduce

The issue above can be re-created consistently using the following examples.


Example 1

Run the previously described command, az storage account network-rule add, using the following syntax.

az storage account network-rule add \
--resource-id "{AZURE_RESOURCE_ID}" \
--tenant-id {TENANT_ID} \
--account-name {AZURE_STORAGE_ACCOUNT_NAME}

Example 2

Attempt to make a REST API call using the az rest command.


JSON Payload is stored in the variable jsonBody.

jsonBody='{
    "properties": {
        "networkAcls": {
            "resourceAccessRules": [
                {
                    "tenantId": "00000000-0000-0000-0000-000000000000",
                    "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-log-analytics-workspaces/providers/Microsoft.OperationalInsights/workspaces/log-analytics-workspace-001"
                }
            ]
        }
    }
}'

Run the az rest command with the PATCH method against the target Azure Storage Account.

az rest \
--method PATCH \
--uri "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-azure-storage-account/providers/Microsoft.Storage/storageAccounts/storageaccountname001?api-version=2022-09-01" \
--body "$jsonBody"

Example 3

Attempt to use az resource update to update the resourceAccessRules of the Azure Storage Account.


Run the az resource update command using the following syntax.

az resource update \
--id /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-azure-storage-account/providers/Microsoft.Storage/storageAccounts/storageaccountname001 \
--add properties.networkAcls.resourceAccessRules \
'{"resourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-log-analytics-workspaces/providers/Microsoft.OperationalInsights/workspaces/log-analytics-workspace-001","tenantId":"00000000-0000-0000-0000-000000000000"}'



Expected Behavior

Running any of the three options above should result in the Resources being added to the networkRuleSet section of the target Azure Storage Account.

  "networkRuleSet": {
    "bypass": "AzureServices",
    "defaultAction": "Deny",
    "ipRules": [],
    "resourceAccessRules": [
      {
        "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-log-analytics-workspaces/providers/Microsoft.OperationalInsights/workspaces/log-analytics-workspace-001",
        "tenantId": "00000000-0000-0000-0000-000000000000"
      }
    ],
    "virtualNetworkRules": []
  },



Environment Summary

Environment Summary is below.

  • The command(s) above were tested on separate Azure Subscriptions that resided on separate Tenants that are not associated or connected.
  • Azure CLI versions tested: 2.45.0, 2.36.0
  • Both versions of Azure CLI were tested on Ubuntu 18.04 and 22.04.
  • For the option above using az rest, API Version(s): 2022-09-01 and 2021-09-01 were targeted.


Additional Context

The purpose of granting access from specific Azure Resource Instances was to lower the exposure of specific Azure Resource Types (Azure Log Analytics Workspaces, Azure Functions, Azure Logic Apps) that connect to Azure Storage Accounts in the target Subscriptions.


. . .

starkfell avatar Feb 14 '23 13:02 starkfell
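The three reproductions above each hand-write an ARM resource ID and a JSON payload, and the service error names networkAcls.resourceAccessRules[*].resourceId. The script below is an added example from the editor, not code from the issue author or from azure-cli: it validates the tenant ID and resource ID shape before any call is made, builds the az rest body as strict JSON (double quotes, no trailing commas), and after adding the rule reads it back from networkRuleSet with a JMESPath filter so the caller has positive confirmation instead of relying on the command exiting 0. The validation functions run offline; add_and_verify_rule assumes a logged-in Azure CLI, and all names and IDs are constructed. Passing the ID check rules out a malformed ID as the cause; it does not by itself explain the service-side rejection reported here.

```shell
#!/bin/sh
# Added example (not from the issue or azure-cli): pre-flight checks plus a
# read-back query for storage account resource access rules.

# Return 0 when $1 is a full ARM resource ID of the form
#   /subscriptions/<guid>/resourceGroups/<rg>/providers/<Ns>.<Provider>/<type>/<name>[/<type>/<name>...]
# Azure resource IDs are case-insensitive, hence grep -i.
is_arm_resource_id() {
  printf '%s\n' "$1" | grep -Eqi \
    '^/subscriptions/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}/resourceGroups/[^/]+/providers/[a-z]+(\.[a-z]+)+(/[^/]+/[^/]+)+$'
}

# Return 0 when $1 is GUID-shaped (what --tenant-id expects).
is_guid() {
  printf '%s\n' "$1" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Build the PATCH body for `az rest` as strict JSON so shell quoting cannot
# corrupt it ($1 = tenant id, $2 = resource id).
build_rule_body() {
  printf '{"properties":{"networkAcls":{"resourceAccessRules":[{"tenantId":"%s","resourceId":"%s"}]}}}' "$1" "$2"
}

# Validate inputs, add the rule, then print the matching entries from the
# account's networkRuleSet. Requires `az login`; returns 2 on bad input,
# 1 if the add fails, otherwise the exit status of the read-back query.
# Constructed usage:
#   add_and_verify_rule storageaccountname001 rg-azure-storage-account \
#     00000000-0000-0000-0000-000000000000 /subscriptions/.../workspaces/log-analytics-workspace-001
add_and_verify_rule() {
  account="$1"; group="$2"; tenant="$3"; resource="$4"
  is_guid "$tenant" || { echo "tenant id is not a GUID: $tenant" >&2; return 2; }
  is_arm_resource_id "$resource" || { echo "not a full ARM resource id: $resource" >&2; return 2; }
  az storage account network-rule add \
    --account-name "$account" --resource-group "$group" \
    --tenant-id "$tenant" --resource-id "$resource" >/dev/null || return 1
  # Positive confirmation: an empty list here means the rule did not land.
  az storage account show --name "$account" --resource-group "$group" \
    --query "networkRuleSet.resourceAccessRules[?resourceId=='$resource']" -o json
}
```

The same build_rule_body output can be passed to `az rest --method PATCH --body` as in Example 2; keeping the body in a function avoids the single-quote/double-quote mix that is easy to get wrong when the JSON is typed by hand.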

@evelyn-ys for awareness

yonzhan avatar Feb 14 '23 14:02 yonzhan

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @josephkwchan, @jennyhunter-msft.

Issue Details

Author: starkfell
Assignees: jiasli, evelyn-ys, zhoxing-ms
Labels:

Storage, Service Attention, question, ARM, customer-reported, CXP Attention, Auto-Assign, Azure CLI Team

Milestone: Backlog

ghost avatar Feb 20 '23 05:02 ghost

Error from storage service. Needs service explanation or fix

evelyn-ys avatar Feb 20 '23 05:02 evelyn-ys