question

SarahRobert-3529 avatar image
0 Votes"
SarahRobert-3529 asked JonathanFord-7901 commented

Logic app trigger when blob is created showing error

I have created a logic app and I want it to trigger when a new blob is added to a storage account. As soon as I add this trigger, the following error comes, its not very descriptive and not sure which permissions is it not seeing.

Please check your account info and/or permissions and try again. Details: This request is not authorized to perform this operation.

I am following instructions mentioned here https://docs.microsoft.com/en-us/azure/connectors/connectors-create-api-azureblobstorage#add-blob-storage-trigger

HTTP trigger works but then then storage connection step fails again. I am not sure what account info or permissions is not given.
88391-image.png


Also, when I try to create a new connection . I am still seeing the same error.
88337-image.png


Also, I noticed that storage account and logic app cant be in the same region. I kept them separate by having storage app in West US 2 and logic app in West US 1.

I am following the instructions in this article too. But have the same issue.
https://techcommunity.microsoft.com/t5/integrations-on-azure/access-storage-accounts-behind-firewalls-from-logic-apps-within/ba-p/1997801


Here is a screenshot of that. Http connection works but Azure Blob storage connection does not.


88383-image.png


azure-logic-appsazure-storage-accounts
image.png (106.9 KiB)
image.png (59.0 KiB)
image.png (36.8 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

MayankBargali-MSFT avatar image
0 Votes"
MayankBargali-MSFT answered JonathanFord-7901 commented

@SarahRobert-3529 Logic apps can't directly access storage accounts behind firewalls when they're both in the same region. As a workaround, put your logic apps in a region that differs from your storage account and give access to the outbound IP addresses for the managed connectors in your region, and the same is mentioned in this document.

This article talks about how you can communicate with storage REST services as the Local communication in the datacenter abstracts the internal IP addresses, so you can't set up firewall rules with IP restrictions and the same is mentioned in this document and the other solution for this scenario is mentioned on the same section of the article.

In nutshell, you cannot use a storage connector behind the firewall for the same region. The workaround is mentioned here and another article takes the about the same. If the storage account is in a different region behind the firewall then you need to give access to the access to the [outbound IP addresses for the managed connectors in your region.

You either need to use an HTTP trigger way to access the storage using storage REST API from the logic app within the same region. For different regions make sure you have added the outbound IP in your storage account.

Hope the above helps you to resolve the issue. Feel free to reach out to me if you need any assistance.

Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.

· 7
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Thanks much @MayanBargali-MSFT for this info. . I did mention in my post that storage account is in West US 2 and logic app is in West US region so both are in different regions. And I also checked the allow trusted msft services to access storage account.

I pretty much followed this article .
https://techcommunity.microsoft.com/t5/integrations-on-azure/access-storage-accounts-behind-firewalls-from-logic-apps-within/ba-p/1997801

HTTP trigger somehow seems to be working but I cant monitor with it if a new blob has come in and grab hold of its path, so I do need to use Azure blob storage trigger within the logic app.

I might need help with this suggestion though "For different regions make sure you have added the outbound IP in your storage account." how can I get the outbound IP address? I apologize if my questions are very basic, I am learning.

Looking forward to your help.

0 Votes 0 ·

@SarahRobert-3529 Sure. For testing, I have created the logic app and storage account (enabled VNET and firewall) in different regions and when I try to add the storage connection string manually I observed the same error as you have mentioned.

88436-image.png


To resolve the error I have navigated to my storage account and enable "Allow trusted Microsoft services to access this storage account" as mentioned here. Wait for some time for the changes to reflect and try to add the action/connection again if it still fails.

88455-image.png

Feel free to get back to me if you are still facing the issue.


0 Votes 0 ·
image.png (85.6 KiB)
image.png (17.4 KiB)

Thanks so much @MayankBargali-MSFT So I checked the setting and that exception is already checked. Still getting the same error with the below setting checked.

89264-image.png


0 Votes 0 ·
image.png (23.6 KiB)
Show more comments