Azure
How to troubleshoot Azure Storage Blob issues
When deploying a flex consumption app I get the following error
Created blob uri: https://xxx.blob.core.windows.net/app-package-xxx/released-package.zip
Token Endpoint: http://169.254.255.2:8081/msi/token?api-version=1.0&resource=https://xxx.blob.core.windows.net
Received Token using system assigned identity
Failed to upload because Azure Storage responded with Forbidden : Response status code does not indicate success: 403 (This request is not authorized to perform this operation.)..
Failed to upload blob package to storage account with Error: Response status code does not indicate success: 403 (This request is not authorized to perform this operation.).
Azure.Functions.Cli.Common.CliException: The deployment failed, Please check the printed logs.
at Azure.Functions.Cli.Actions.AzureActions.PublishFunctionAppAction.PerformFlexDeployment(Site functionApp, Func`1 zipFileFactory, Func`2 deploymentStatusPollTask, IDictionary`2 deploymentParameters) in D:\a\_work\1\s\src\Azure.Functions.Cli\Actions\AzureActions\PublishFunctionAppAction.cs:line 844
at Azure.Functions.Cli.Actions.AzureActions.PublishFunctionAppAction.HandleFlexConsumptionPublish(Site functionApp, Func`1 zipFileFactory) in D:\a\_work\1\s\src\Azure.Functions.Cli\Actions\AzureActions\PublishFunctionAppAction.cs:line 801
at Azure.Functions.Cli.Actions.AzureActions.PublishFunctionAppAction.PublishFunctionApp(Site functionApp, GitIgnoreParser ignoreParser, IDictionary`2 additionalAppSettings) in D:\a\_work\1\s\src\Azure.Functions.Cli\Actions\AzureActions\PublishFunctionAppAction.cs:line 584
at Azure.Functions.Cli.Actions.AzureActions.PublishFunctionAppAction.RunAsync() in D:\a\_work\1\s\src\Azure.Functions.Cli\Actions\AzureActions\PublishFunctionAppAction.cs:line 239
at Azure.Functions.Cli.ConsoleApp.RunAsync[T](String[] args, IContainer container) in D:\a\_work\1\s\src\Azure.Functions.Cli\ConsoleApp.cs:line 63
How do I troubleshoot this error? Where are the printed logs mentioned in the error?
I the Storage Blob Log I can see that I get an "AuthorizationError" when attempting to store the zip-file in the blob, I can see the object id from the managed identity I've configured, but I don't understand why it fails, the identity has been granted the role "Storage Blob Contributor" on the storage account level.
Any pointers are welcome.
Same problem and situation here, MI correctly configured with RBAC roles and receiving the same errors.
Same problem and situation here, MI correctly configured with RBAC roles and receiving the same errors.
I may have resolved my issue. My storage account is configured with disabled public access and access key access. So, what I did to make this work is this:
- Create a VNET/Subnet that is delegated to Microsoft.App/environment
- Add that to the network configuration on my Storage Account
- Deploy my Flex Consumption App
- Configure the identity of the app to use a System Assigned Managed Identity
- Grant the MSI the Storage Blob Contributor role on the storage account
- Verify that the deployment setting for the app is configured to use the MSI
- Change the environment variable from AzureWebJobsStorage to AzureWebJobsStorage__accountName
I'm writing this from memory so it may be in the wrong order, or some other mental bug may have snuck in.
Kudos to Vlad for this blog entry: here it helped quite a bit.
However, some more troubleshooting options would be great to have. Maybe an option to display which options the func azure functionapp publish command will attempt to connect with.
@pejuborg glad you resolved the issue. For flex apps, here is our docs on deployment config. It includes some details on VNET integration and deployment config: https://learn.microsoft.com/en-us/azure/azure-functions/flex-consumption-how-to?tabs=azure-cli%2Cazure-cli-publish&pivots=programming-language-javascript#deploy-your-code-project
Maybe an option to display which options the func azure functionapp publish command will attempt to connect with.
If this is something you want us to pursue, please open a separate issue with your proposal.
Going to close this as your issue is resolved.
