azure, azure-storage-account

How can I grant access to a storage account locked with a firewall in Azure?


I have a storage account in an Azure account locked down with "Enabled from selected virtual networks and IP addresses" under the Networking section.

I would now like to grant a virtual machine hosted in another Azure account (a different tenant), which doesn't have a public IP or NSG configured, access to this storage account so it can download blobs using a script that authenticates with a service principal and the azure.storage.blob Python module.

I have already tried checking which public IP the VM exits to the internet from and whitelisting that IP at the storage account level, but I still get the following error:

Traceback (most recent call last):
  File "/tmp/blob_download.py", line 39, in <module>
    download_blob_file(
  File "/tmp/blob_download.py", line 25, in download_blob_file
    blob_contents = blob_client.download_blob().readall()
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/my-envs/py311/lib/python3.11/site-packages/azure/core/tracing/decorator.py", line 76, in wrapper_use_tracer
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/opt/my-envs/py311/lib/python3.11/site-packages/azure/storage/blob/_blob_client.py", line 851, in download_blob
    return StorageStreamDownloader(**options)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/my-envs/py311/lib/python3.11/site-packages/azure/storage/blob/_download.py", line 349, in __init__
    self._response = self._initial_request()
                     ^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/my-envs/py311/lib/python3.11/site-packages/azure/storage/blob/_download.py", line 429, in _initial_request
    process_storage_error(error)
  File "/opt/my-envs/py311/lib/python3.11/site-packages/azure/storage/blob/_shared/response_handlers.py", line 181, in process_storage_error
    exec("raise error from None")   # pylint: disable=exec-used # nosec
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "<string>", line 1, in <module>
azure.core.exceptions.HttpResponseError: This request is not authorized to perform this operation.
RequestId:xxxxx
Time:2024-10-01T14:12:19.4117902Z
ErrorCode:AuthorizationFailure
Content: <?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationFailure</Code><Message>This request is not authorized to perform this operation.
RequestId:xxxx
Time:2024-10-01T14:12:19.4117902Z</Message></Error>

I'd like to point out that downloading works fine with public access enabled on the storage account ("Enabled from all networks"), so all required permissions are already configured for the SP:

  1. Storage Account Key Operator Service Role
  2. Reader at the storage account level
  3. Storage Blob Data Reader

The SP is registered in the Entra ID tenant where the storage account exists. The second account, where the download attempt happens on the VM, authenticates using this SP.


Solution

  • I was able to grant access only by using the CLI:

    az storage account network-rule add -g myRG --account-name myAccount --subnet mySubnetId
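As an added example that is not part of the original question or the author's solution, the procedure below writes out the same CLI route end to end, with a dry-run mode so the commands can be reviewed before they touch anything. It is worth knowing why the IP whitelist attempt fails: Azure storage IP rules only match traffic arriving from public internet addresses, and traffic from Azure resources in the same region reaches the storage account over private Azure addresses, so the VM's NAT'd egress IP is never what the firewall sees. A VNet rule matches on the subnet instead, which is why it requires the Microsoft.Storage service endpoint on that subnet and the subnet's full resource ID (the portal cannot browse a VNet in another tenant). Every resource name, subscription ID and tenant ID here is a placeholder I made up, and the `--tenant-id` flag on `az storage account network-rule add` is assumed to be available in the installed CLI version.

```shell
#!/bin/sh
# Added example, not from the original post: grant a subnet in another tenant
# access to a firewalled storage account with the az CLI. Every name and ID
# below is a placeholder (assumption); override them via environment variables.
set -eu

# Tenant A: owns the storage account (placeholders)
STORAGE_RG="${STORAGE_RG:-myRG}"
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-myAccount}"

# Tenant B: owns the VM and its VNet (placeholders)
VM_SUBSCRIPTION="${VM_SUBSCRIPTION:-00000000-0000-0000-0000-000000000000}"
VM_TENANT="${VM_TENANT:-11111111-1111-1111-1111-111111111111}"
VM_RG="${VM_RG:-vmRG}"
VM_VNET="${VM_VNET:-vmVnet}"
VM_SUBNET="${VM_SUBNET:-vmSubnet}"

# APPLY=1 executes the az commands; otherwise they are only printed, so the
# script can be reviewed (and run offline) before changing anything.
APPLY="${APPLY:-0}"

# The storage account needs the subnet's full ARM resource ID: the portal
# cannot browse a VNet that lives in a different tenant, so build it by hand.
subnet_resource_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/virtualNetworks/%s/subnets/%s' \
    "$1" "$2" "$3" "$4"
}

# Execute a command, or print it when not in APPLY mode.
run() {
  if [ "$APPLY" = "1" ]; then
    "$@"
  else
    printf 'DRY-RUN:'; printf ' %s' "$@"; printf '\n'
  fi
}

# Step 1 (tenant B, e.g. after `az login --tenant "$VM_TENANT"`): a VNet rule
# only matches traffic that leaves through the Microsoft.Storage service
# endpoint, so enable that endpoint on the VM's subnet first.
enable_storage_endpoint() {
  run az network vnet subnet update \
    --subscription "$VM_SUBSCRIPTION" -g "$VM_RG" --vnet-name "$VM_VNET" -n "$VM_SUBNET" \
    --service-endpoints Microsoft.Storage
}

# Step 2 (tenant A, after `az login` there): add the VNet rule. --tenant-id is
# assumed to be supported by the installed CLI; it tells the storage resource
# provider which tenant the subnet ID belongs to.
add_subnet_rule() {
  run az storage account network-rule add \
    -g "$STORAGE_RG" --account-name "$STORAGE_ACCOUNT" \
    --subnet "$(subnet_resource_id "$VM_SUBSCRIPTION" "$VM_RG" "$VM_VNET" "$VM_SUBNET")" \
    --tenant-id "$VM_TENANT"
}

# Step 3: confirm the rule is present (its state should read Succeeded).
list_rules() {
  run az storage account network-rule list \
    -g "$STORAGE_RG" --account-name "$STORAGE_ACCOUNT" \
    --query virtualNetworkRules -o table
}

enable_storage_endpoint
add_subnet_rule
list_rules
```

Run it once without `APPLY` to see the three commands that will be issued, then with `APPLY=1` while logged in to the right tenant for each step (step 1 in the VM's tenant, steps 2 and 3 in the storage account's tenant). Note that this script leaves the service principal's RBAC as it is; the firewall and RBAC are separate checks, and the AuthorizationFailure in the question comes from the network layer, not from missing role assignments.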