Tags: azure, azure-web-app-service, web-development-server

Azure App Service can't access Search Service index anymore. What configurations or permission do I need to set?


I'm using an Azure App Service with a Python backend, and I want to access a Search Service indexer (in the same resource group) to get its status and then run the indexer from my App Service. I'm using the "azure.search.documents.indexes.aio" library with its SearchService client, and I'm calling the indexer like this:

status = (await search_service_client.get_indexer_status(INDEX_NAME)).last_result
(...)
await search_service_client.run_indexer(INDEX_NAME)

This code works if I execute the code locally (under my personal user account, which has the "Azure AI Developer" and "Contributor" roles), and it used to work with our online App Service as well. The App Service authenticates with Entra ID, for which I use the same user account as above. It and all its deployment slots have a User-Assigned Managed Identity assigned that has the "Search Index Data Contributor" role, which should allow it to access the indexer.

We recently upgraded our App Service Plan from the Standard S1 tier to the Premium v3 P0V3 tier, and after we did that, the above code no longer worked. We got the following error:

2025-06-10T08:18:16.1191016Z   File "/tmp/8dd8bb4373a8209/app.py", line 1217, in run_indexer
2025-06-10T08:18:16.1191043Z     status = (await search_service_client.get_indexer_status(INDEX_NAME)).last_result
2025-06-10T08:18:16.1191069Z   File "/tmp/8dd8bb4373a8209/antenv/lib/python3.10/site-packages/azure/core/tracing/decorator_async.py", line 119, in wrapper_use_tracer
2025-06-10T08:18:16.1191093Z     return await func(*args, **kwargs)
2025-06-10T08:18:16.1191121Z   File "/tmp/8dd8bb4373a8209/antenv/lib/python3.10/site-packages/azure/search/documents/indexes/aio/_search_indexer_client.py", line 331, in get_indexer_status
2025-06-10T08:18:16.1191144Z     return await self._client.indexers.get_status(name, **kwargs)
2025-06-10T08:18:16.119117Z   File "/tmp/8dd8bb4373a8209/antenv/lib/python3.10/site-packages/azure/core/tracing/decorator_async.py", line 119, in wrapper_use_tracer
2025-06-10T08:18:16.1191191Z     return await func(*args, **kwargs)
2025-06-10T08:18:16.1191244Z   File "/tmp/8dd8bb4373a8209/antenv/lib/python3.10/site-packages/azure/search/documents/indexes/_generated/aio/operations/_indexers_operations.py", line 949, in get_status
2025-06-10T08:18:16.1191268Z     raise HttpResponseError(response=response, model=error)
2025-06-10T08:18:16.119129Z azure.core.exceptions.HttpResponseError: Operation returned an invalid status 'Forbidden'

This was tried from our deployment slot "staging", not from the main production slot, since the "call the indexer" feature is a new feature that is still in development, so we can't put it on the production slot.

From this error, I gathered that the App Service (slot) was not allowed to access the indexer for some reason. What I don't understand is why it's not allowed now, when it previously worked when the App Service was still Standard S1 tier.

What I've tried so far:

I think the problem might have something to do with the fact that the IP addresses can change when you upgrade to a different tier. However, I don't know where else I can check whether any IP address restrictions are configured.

My question is: What do I need to configure to make this app service (and its slots) able to access this search service's indexer status?


Solution

  • Since indexers live in the search service’s control plane, giving your app the “Search Index Data Contributor” role only covers document-level operations. To call get_indexer_status or run_indexer you must grant your App Service’s managed identity a control-plane role on the search resource itself. The simplest built-in role is Search Service Contributor, which lets you list, start and stop indexers, manage indexes, and read service properties.

    In the Azure portal navigate to your Search service > Access control (IAM) > Add role assignment. Pick Search Service Contributor and select both your system-assigned and any user-assigned managed identities on your App Service (and its staging slot). If you prefer the CLI, open Cloud Shell (you won't have az in the slot's SSH terminal on Linux), then run something like:

    az role assignment create --role "Search Service Contributor" \
      --assignee-object-id <MI_OBJECT_ID> \
      --scope /subscriptions/<SUB_ID>/resourceGroups/<RG>/providers/Microsoft.Search/searchServices/<SERVICE_NAME>
    
    

    Finally, make sure your search service accepts Azure AD tokens as well as API keys. By default it may only allow key-based auth, so run:

    az search service update --name <SERVICE_NAME> --resource-group <RG> --auth-options aadOrApiKey
    
    

    Wait about ten minutes for role changes to propagate, then retry your code. With the control-plane role in place and AAD auth enabled, your staging slot will be able to check indexer status and kick off runs again.
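An added preflight check for the procedure in this answer (example code, not part of the original post or of the Azure SDK): it takes the JSON printed by `az role assignment list --scope <search-service-resource-id> -o json` and `az search service show -n <name> -g <rg> -o json`, works out which roles the slot's managed identity effectively holds on the search service (including assignments inherited from the resource group or subscription), checks whether the service accepts Entra ID tokens, and prints the `az` commands that are still missing. The principal ids, resource names and the two JSON documents are constructed for the demo; the `--assignee-principal-type ServicePrincipal` flag is added so the assignment does not depend on a Graph lookup of the identity.

```python
"""Preflight: can this managed identity call get_indexer_status / run_indexer?

Input shapes follow `az role assignment list -o json` and
`az search service show -o json`; the documents below are constructed samples.
"""
import json

# Built-in roles that cover indexer management (status, run) on a search service.
# Search Index Data Contributor / Reader only cover documents inside an index.
INDEXER_MANAGEMENT_ROLES = {"Owner", "Contributor", "Search Service Contributor"}

# Hypothetical identifiers for the demo.
SEARCH_SCOPE = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
                "/providers/Microsoft.Search/searchServices/srch-demo")
SLOT_MI_PRINCIPAL = "11111111-1111-1111-1111-111111111111"   # user-assigned MI of the slot
DEV_USER_PRINCIPAL = "22222222-2222-2222-2222-222222222222"  # developer account

# Constructed `az role assignment list --scope SEARCH_SCOPE -o json` output.
SAMPLE_ROLE_ASSIGNMENTS = json.dumps([
    {"principalId": SLOT_MI_PRINCIPAL, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Search Index Data Contributor", "scope": SEARCH_SCOPE},
    {"principalId": DEV_USER_PRINCIPAL, "principalType": "User",
     "roleDefinitionName": "Contributor",
     "scope": SEARCH_SCOPE.rsplit("/providers", 1)[0]},   # inherited from the resource group
])

# Constructed `az search service show -o json` output, before and after enabling Entra ID auth.
SAMPLE_SERVICE_APIKEY_ONLY = json.dumps({
    "name": "srch-demo", "resourceGroup": "rg-demo",
    "authOptions": {"apiKeyOnly": {}}, "disableLocalAuth": False})
SAMPLE_SERVICE_AAD = json.dumps({
    "name": "srch-demo", "resourceGroup": "rg-demo",
    "authOptions": {"aadOrApiKey": {"aadAuthFailureMode": "http403"}}, "disableLocalAuth": False})


def effective_roles(role_assignments_json, principal_id, scope):
    """Roles the principal holds at `scope` or at any parent scope (RBAC inherits downward)."""
    scope_l = scope.lower()
    return {a["roleDefinitionName"] for a in json.loads(role_assignments_json)
            if a["principalId"] == principal_id and scope_l.startswith(a["scope"].lower())}


def aad_auth_enabled(service_json):
    """True when the service accepts Entra ID tokens (aadOrApiKey, or API keys disabled)."""
    svc = json.loads(service_json)
    return "aadOrApiKey" in (svc.get("authOptions") or {}) or bool(svc.get("disableLocalAuth"))


def check_indexer_access(role_assignments_json, service_json, principal_id, scope):
    """Return the effective roles, the two pass/fail checks and the az commands still needed."""
    svc = json.loads(service_json)
    roles = effective_roles(role_assignments_json, principal_id, scope)
    role_ok = bool(roles & INDEXER_MANAGEMENT_ROLES)
    auth_ok = aad_auth_enabled(service_json)
    fixes = []
    if not role_ok:
        fixes.append('az role assignment create --role "Search Service Contributor" '
                     f"--assignee-object-id {principal_id} "
                     f"--assignee-principal-type ServicePrincipal --scope {scope}")
    if not auth_ok:
        fixes.append(f"az search service update --name {svc['name']} "
                     f"--resource-group {svc['resourceGroup']} --auth-options aadOrApiKey")
    return {"roles": sorted(roles), "indexer_role_ok": role_ok,
            "aad_auth_ok": auth_ok, "fixes": fixes}


if __name__ == "__main__":
    # The staging slot's identity with the sample assignments: both checks fail.
    report = check_indexer_access(SAMPLE_ROLE_ASSIGNMENTS, SAMPLE_SERVICE_APIKEY_ONLY,
                                  SLOT_MI_PRINCIPAL, SEARCH_SCOPE)
    print(json.dumps(report, indent=2))
    for cmd in report["fixes"]:
        print("TODO:", cmd)
```

Run it once per identity that should reach the indexer (the production slot and the staging slot can carry different identities); a principal that only shows `Search Index Data Contributor` in `roles` will keep getting `Forbidden` from `get_indexer_status` no matter which App Service tier it runs on.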