Tags: azure, azure-devops, azure-blob-storage, azure-logic-apps, azure-identity

Logic app is not able to access blob storage getting 403


I want to trigger action when some file is added in the blob storage.

I have created identity in Logic apps and also created storage contributor role for that identity

I have created a system-assigned managed identity in the Logic App and I have also assigned the Storage Contributor role to this identity.

It throws error.

{
    "statusCode": 403,
    "headers": {
        "Cache-Control": "no-store, no-cache",
        "Pragma": "no-cache",
        "Set-Cookie": "ARRAffinity=3918252a89b1afdb8c3dc464535f8a9dbabe6782d2c64ae7d28576826f1f4c2f;Path=/;HttpOnly;Secure;Domain=azureblob-wus.azconn-wus-001.p.azurewebsites.net,ARRAffinitySameSite=3918252a89b1afdb8c3dc464535f8a9dbabe6782d2c64ae7d28576826f1f4c2f;Path=/;HttpOnly;SameSite=None;Secure;Domain=azureblob-wus.azconn-wus-001.p.azurewebsites.net",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "x-ms-request-id": "2aced241-f6fc-4048-bb0f-9308f689cef8",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
        "x-ms-connection-parameter-set-name": "managedIdentityAuth",
        "Timing-Allow-Origin": "*",
        "x-ms-apihub-cached-response": "false",
        "x-ms-apihub-obo": "false",
        "Date": "Thu, 22 Feb 2024 19:16:56 GMT",
        "Content-Length": "358",
        "Content-Type": "application/json",
        "Expires": "-1"
    },
    "body": {
        "status": 403,
        "message": "This request is not authorized to perform this operation using this permission.\r\nclientRequestId: 2aced241-f6fc-4048-bb0f-9308f689cef8",
        "error": {
            "message": "This request is not authorized to perform this operation using this permission."
        },
        "source": "azureblob-wus.azconn-wus-001.p.azurewebsites.net"
    }
}

My storage account has "Enabled from all networks" in networking.

Both resources are created in the same resource group.

What type of Logic App is this happening in? Consumption (Portal)

Workflow JSON

{
    "definition": {
        "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
        "actions": {
            "Send_an_email_(V2)": {
                "inputs": {
                    "body": {
                        "Body": "<p>New loan Files are ready to be processed <br>\n<br>\n@{triggerBody()}</p>",
                        "Importance": "Normal",
                        "Subject": "New loan Files are ready to be processed ",
                        "To": "mihir.mehta@apexon.com"
                    },
                    "host": {
                        "connection": {
                            "name": "@parameters('$connections')['office365']['connectionId']"
                        }
                    },
                    "method": "post",
                    "path": "/v2/Mail"
                },
                "runAfter": {},
                "type": "ApiConnection"
            }
        },
        "contentVersion": "1.0.0.0",
        "outputs": {},
        "parameters": {
            "$connections": {
                "defaultValue": {},
                "type": "Object"
            }
        },
        "triggers": {
            "When_a_blob_is_added_or_modified_(properties_only)_(V2)": {
                "evaluatedRecurrence": {
                    "frequency": "Minute",
                    "interval": 1
                },
                "inputs": {
                    "host": {
                        "connection": {
                            "name": "@parameters('$connections')['azureblob']['connectionId']"
                        }
                    },
                    "method": "get",
                    "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('sbjifitistorageaccount'))}/triggers/batch/onupdatedfile",
                    "queries": {
                        "checkBothCreatedAndModifiedDateTime": false,
                        "folderId": "JTJmc2ItamlmaXRpLXVucHJvY2Vzc2Vk",
                        "maxFileCount": 10
                    }
                },
                "metadata": {
                    "JTJmc2ItamlmaXRpLXVucHJvY2Vzc2Vk": "/sb-jifiti-unprocessed"
                },
                "recurrence": {
                    "frequency": "Minute",
                    "interval": 1
                },
                "splitOn": "@triggerBody()",
                "type": "ApiConnection"
            }
        }
    },
    "parameters": {
        "$connections": {
            "value": {
                "azureblob": {
                    "connectionId": "/subscriptions/f6e99bee-de48-4a97-ba21-cedc66858b03/resourceGroups/Jifiti-Trustage-RG/providers/Microsoft.Web/connections/azureblob-3",
                    "connectionName": "azureblob-3",
                    "connectionProperties": {
                        "authentication": {
                            "type": "ManagedServiceIdentity"
                        }
                    },
                    "id": "/subscriptions/f6e99bee-de48-4a97-ba21-cedc66858b03/providers/Microsoft.Web/locations/westus/managedApis/azureblob"
                },
                "office365": {
                    "connectionId": "/subscriptions/f6e99bee-de48-4a97-ba21-cedc66858b03/resourceGroups/Jifiti-Trustage-RG/providers/Microsoft.Web/connections/office365-1",
                    "connectionName": "office365-1",
                    "id": "/subscriptions/f6e99bee-de48-4a97-ba21-cedc66858b03/providers/Microsoft.Web/locations/westus/managedApis/office365"
                }
            }
        }
    }
}

Browser Chrome


Solution

  • Please try using "Storage Blob Data Contributor" as per the guide below. I very strongly suspect that the problem is that when using managed identity authentication with a logic app it expects to use these data-specific roles and their rights to access data directly. The regular storage account contributor role is only able to access data because it is able to access the storage account key.

    https://learn.microsoft.com/en-us/azure/logic-apps/authenticate-with-managed-identity?tabs=consumption#assign-managed-identity-role-based-access-in-the-azure-portal
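The role assignment the answer recommends, as an added example script that is not part of the original question or answer. It resolves the principal ID of the Logic App's system-assigned identity, assigns "Storage Blob Data Contributor" scoped to the storage account only (not the subscription, which keeps the grant to least privilege), and then checks the assignment exists. The resource group and storage account names are taken from the posted workflow JSON; the Logic App name and subscription ID are placeholders you must supply, and the `AZ` variable exists so the script can be dry-run against a stub instead of the real `az` CLI.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): grant a Logic App's
# system-assigned managed identity data-plane access to a storage account.
# "Storage Account Contributor" is a management-plane role and does not
# authorize blob reads/writes by itself; the data roles do.
set -eu

SUBSCRIPTION="${SUBSCRIPTION:-<subscription-id>}"       # assumption: fill in
RG="${RG:-Jifiti-Trustage-RG}"                          # from the posted JSON
STORAGE="${STORAGE:-sbjifitistorageaccount}"            # from the posted JSON
LOGIC_APP="${LOGIC_APP:-<logic-app-name>}"              # assumption: fill in
AZ="${AZ:-az}"                                          # override for dry runs

# Data-plane role that authorizes listing/reading/writing blobs.
ROLE="Storage Blob Data Contributor"

# Least-privilege scope: the storage account itself, not the subscription.
storage_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' \
    "$SUBSCRIPTION" "$RG" "$STORAGE"
}

# Object (principal) ID of the Logic App's system-assigned managed identity.
logic_app_principal_id() {
  "$AZ" resource show \
    --resource-group "$RG" \
    --name "$LOGIC_APP" \
    --resource-type Microsoft.Logic/workflows \
    --query identity.principalId -o tsv
}

# Create the role assignment for the identity at the storage-account scope.
assign_blob_data_role() {
  principal="$(logic_app_principal_id)"
  "$AZ" role assignment create \
    --assignee-object-id "$principal" \
    --assignee-principal-type ServicePrincipal \
    --role "$ROLE" \
    --scope "$(storage_scope)"
}

# Print the number of matching assignments at that scope (expect 1).
# Note: RBAC propagation can take a few minutes before the 403 clears.
verify_blob_data_role() {
  principal="$(logic_app_principal_id)"
  "$AZ" role assignment list \
    --assignee "$principal" \
    --scope "$(storage_scope)" \
    --query "[?roleDefinitionName=='$ROLE'] | length(@)" -o tsv
}

# Only act when explicitly asked, so sourcing the file is side-effect free.
if [ "${1:-}" = "apply" ]; then
  assign_blob_data_role
  verify_blob_data_role
fi
```

Run it as `SUBSCRIPTION=... LOGIC_APP=... sh assign-blob-role.sh apply` after `az login`. If the trigger only ever lists and reads blob properties, "Storage Blob Data Reader" is the narrower choice; the answer's "Storage Blob Data Contributor" is the one to use when the workflow also writes or deletes blobs.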