Not able to connect to blob storage from data factory using managed identity (in a pipeline)

Kothai Ramanathan 941 Reputation points Microsoft Employee
2020-11-18T04:05:10.463+00:00

I created a linked service for blob storage using managed identity and it works when I test the connection.

But when I put it in a pipeline, it gives an error. The data factory has access to the blob storage. Details discussed with @HarithaMaddi-MSFT and she was able to replicate it.

Any pointers in this regard will be helpful.

Thanks,
Kothai.

Azure Data Factory

Accepted answer
  1. HarithaMaddi-MSFT 10,136 Reputation points
    2020-11-26T15:39:50.28+00:00

    Hi @Kothai Ramanathan ,

    Thanks for your patience again!

    I got an update from the ADLS Gen2 team that each role definition has a set of permissions associated with it. The permissions can be set for management operations (Actions) or data operations (DataActions). Actions grant permissions for operations on the resource itself, for example the storage account itself, but not the data within the resource. On the other hand, DataActions grant permissions for operations on the data contained within the resource.

    As a Contributor you have Actions that grant you full control of a storage account, but you do not have any DataActions. This prevents you from accessing the data in the storage account.

    As a Storage Blob Data Reader, you have a DataAction that grants “Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read” permission, so you can read blobs. Note this role also grants the Action “Microsoft.Storage/storageAccounts/blobServices/containers/read” which allows you to read containers. From an RBAC perspective, operations on containers are treated as management operations as opposed to data operations.

    Hope this helps! Please let us know for further queries and we will be glad to assist.


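The Actions/DataActions split described in the accepted answer can be checked mechanically. The sketch below is an added example, not code from the original thread or from Azure: it evaluates abridged, hand-copied role definitions the way Azure RBAC does (allow list minus the matching "Not" list, wildcards, case-insensitive) to show which assigned role, if any, lets the data factory's managed identity read blobs. The helper names `role_allows` and `roles_granting` are hypothetical, and the Contributor NotActions list is shortened to two entries.

```python
from fnmatch import fnmatchcase

# Abridged role definitions, constructed for this example from the answer above.
ROLES = {
    "Contributor": {
        "Actions": ["*"],
        "NotActions": ["Microsoft.Authorization/*/Write",
                       "Microsoft.Authorization/*/Delete"],
        "DataActions": [],          # no data-plane permissions at all
        "NotDataActions": [],
    },
    "Storage Blob Data Reader": {
        "Actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
        "NotActions": [],
        "DataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
        "NotDataActions": [],
    },
}

BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
CONTAINER_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/read"


def _matches(operation, patterns):
    """Case-insensitive wildcard match of one operation against a pattern list."""
    op = operation.lower()
    return any(fnmatchcase(op, p.lower()) for p in patterns)


def role_allows(role_name, operation, data_plane):
    """True if the role grants the operation on the chosen plane.

    Management operations are checked against Actions/NotActions, data
    operations against DataActions/NotDataActions; the planes never mix.
    """
    role = ROLES[role_name]
    allow, exclude = (("DataActions", "NotDataActions") if data_plane
                      else ("Actions", "NotActions"))
    return _matches(operation, role[allow]) and not _matches(operation, role[exclude])


def roles_granting(assigned_roles, operation, data_plane):
    """Role assignments are additive: return every assigned role that grants it."""
    return [r for r in assigned_roles if role_allows(r, operation, data_plane)]


if __name__ == "__main__":
    for assigned in (["Contributor"], ["Contributor", "Storage Blob Data Reader"]):
        granted_by = roles_granting(assigned, BLOB_READ, data_plane=True)
        print(assigned, "-> blob read granted by:", granted_by or "no role")
```

An empty result for the data-plane check means the identity needs a data role such as Storage Blob Data Reader on the storage account, regardless of how broad its management-plane role is.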