Authentication failure when accessing Storage Blob from Azure Service


We have a Cloud Services (extended support) worker role which processes data (read/write/append/list etc.) in Storage Blob. When the storage account had Networking / Public network access set to 'Enabled from all networks' everything worked, but after changing it to 'Enabled from selected virtual networks and IP addresses' we are getting the error `Microsoft.Azure.Storage.StorageException: This request is not authorized to perform this operation` on all CloudBlockBlob methods (ExistsAsync, UploadFromByteArrayAsync, DownloadToStreamAsync etc.).

The Cloud service accesses Storage using App Registration xxx, which creates a token to get the Storage Access Key from Key Vault. App Registration xxx has the roles Storage Account Contributor and Storage Blob Data Contributor.

Added Storage Blob Data Owner on the container: storage account -> container -> Access control (IAM) -> add role assignment -> Storage Blob Data Owner -> selected App Registration xxx.

Added the Cloud service IP and the local (VPN) IP.

Local works fine; the Cloud service still gets the authentication error.

NaveenBaliga (best answer):

Thanks for sharing the detailed error message with the x-ms-request-id. The 403 error is due to the IP authorization failure. We could see an IPv6 address reaching the storage FE layer. This typically happens while the VNET has the service endpoint enabled. Could you please follow this blog and check if that helps? Also ensure that you have added that subnet of that VNET in the storage account as shown below.

[screenshot of the storage account Networking settings; image not reproduced]
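The following Python script is an added example, not part of the question or answer above and not Azure's code. It is a simplified model of how the storage account firewall decides between an IP rule and a virtual network rule, reproducing the situation in the thread: once the worker role's subnet has the Microsoft.Storage service endpoint, the storage front end no longer identifies the request by the cloud service's public IP, so the IP rule the asker added can never match and only a subnet rule lets the request through. All IP addresses and the subnet resource ID are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Simplified model of Azure Storage network-rule evaluation (added example,
# not Azure's implementation). IPs and resource IDs below are constructed.

# Ranges Azure refuses in storage IP rules: only public IPv4 ranges are accepted.
_NON_PUBLIC = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class NetworkRuleSet:
    default_action: str                                   # "Allow" = all networks, "Deny" = selected only
    ip_rules: List[str] = field(default_factory=list)     # public IPv4 addresses or CIDR ranges
    vnet_rules: List[str] = field(default_factory=list)   # subnet resource IDs (service endpoint)
    bypass: Set[str] = field(default_factory=lambda: {"AzureServices"})


@dataclass
class StorageRequest:
    description: str
    source_ip: Optional[str] = None     # public IP the storage front end would otherwise see
    subnet_id: Optional[str] = None     # present when traffic arrives via a Microsoft.Storage service endpoint
    trusted_service: bool = False


def validate_ip_rule(cidr: str) -> ipaddress.IPv4Network:
    """Reject rules Azure would not accept: IPv6 or private/loopback/link-local IPv4 ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4 or any(net.overlaps(p) for p in _NON_PUBLIC):
        raise ValueError(f"IP rule {cidr!r} is not a public IPv4 range")
    return net


def evaluate(rules: NetworkRuleSet, req: StorageRequest) -> Tuple[bool, str]:
    """Return (allowed, reason); a denial corresponds to the 403 seen in the question."""
    if rules.default_action == "Allow":
        return True, "public network access enabled from all networks"
    if req.trusted_service and "AzureServices" in rules.bypass:
        return True, "trusted Microsoft service bypass"
    if req.subnet_id:
        # Through a service endpoint the request carries the subnet identity, not the
        # role's public IP, so IP rules are never consulted for it; only subnet rules match.
        if any(req.subnet_id.lower() == r.lower() for r in rules.vnet_rules):
            return True, f"virtual network rule matched subnet {req.subnet_id.rsplit('/', 1)[-1]}"
        return False, "403 AuthorizationFailure: subnet is not in the storage account's virtual network rules"
    if req.source_ip:
        addr = ipaddress.ip_address(req.source_ip)
        for cidr in rules.ip_rules:
            if addr in validate_ip_rule(cidr):
                return True, f"IP rule {cidr} matched"
        return False, f"403 AuthorizationFailure: {req.source_ip} is not in the IP rules"
    return False, "403 AuthorizationFailure: request carries no recognised source"


def fix_rules(rules: NetworkRuleSet, subnet_id: str) -> NetworkRuleSet:
    """The answer's remedy: add the worker role's VNet subnet as a virtual network rule."""
    return NetworkRuleSet(rules.default_action, list(rules.ip_rules),
                          list(rules.vnet_rules) + [subnet_id], set(rules.bypass))


# Placeholder subnet resource ID (hypothetical; substitute the real one).
SUBNET_ID = ("/subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.Network"
             "/virtualNetworks/<vnet>/subnets/<subnet>")

# Constructed reproduction of the asker's configuration: selected networks only,
# with the cloud service's public IP and the VPN range added as IP rules.
QUESTION_RULES = NetworkRuleSet(default_action="Deny",
                                ip_rules=["203.0.113.10/32", "198.51.100.0/24"])

WORKER_ROLE = StorageRequest("worker role in a VNet with the Microsoft.Storage service endpoint",
                             source_ip="203.0.113.10", subnet_id=SUBNET_ID)
VPN_CLIENT = StorageRequest("developer machine on the VPN", source_ip="198.51.100.7")

if __name__ == "__main__":
    for req in (VPN_CLIENT, WORKER_ROLE):
        print(req.description, "->", evaluate(QUESTION_RULES, req))
    print("worker role after adding the subnet rule ->",
          evaluate(fix_rules(QUESTION_RULES, SUBNET_ID), WORKER_ROLE))
```

Running the script shows the VPN client allowed by its IP rule, the worker role denied even though its public IP is listed, and the worker role allowed once the subnet is added. The real-world equivalent of `fix_rules` is adding the subnet under Networking on the storage account, or `az storage account network-rule add` with `--vnet-name` and `--subnet`; after the change, a `403` with `AuthorizationFailure` in the response body and a service-endpoint-enabled subnet is the combination to look for in the storage diagnostic logs.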