Azure Storage Account : Blob service (SAS) Connectivity Check FAILED

amsDeveloper 71 Reputation points
2020-06-29T03:51:34.083+00:00

We created a new Storage Account on Azure. And, when we perform the Connectivity Check, it shows that Blob service (SAS) endpoint is not accessible with message "Public access is not permitted on this storage account." The status code is 409.

The Storage Account was upgraded from V1 to General-Purpose V2. Is that causing this issue?

Also, "Generate SAS and connection string" button in "Shared access signature" is disabled and greyed out.

How do we create and enable this endpoint? My search so far doesn't point to any solution to create/enable this over the Portal. Is it possible only through the REST API?

Blob service (SRP) check, Share Access Signature check is successful. There is no private endpoint, firewall created and access is allowed from "All Networks".

Accessing blob from client side with Storage Account Key with an API is currently failing with error code 403.

Also, we are successfully able to fetch the blob details from "Microsoft Azure Storage Explorer" connected with the 'Connection String' of the Storage Account.

Additional Details :

I can also see that "Blob service (Azure AD)" endpoint is not accessible, but "Queue service (Azure AD)" endpoint is.

7 answers

  1. Saravanan Kuppusamy 81 Reputation points
    2020-10-27T14:37:39.473+00:00

    @amsDeveloper

    I had the same issue, and on a closer look at the Shared access signature pane details I realised that at least one of the "Allow resource type" options must be checked (by default all are unchecked, i.e. Service, Container & Object). Once you do this, the button should be enabled to create signatures.

    Let me know if this works.

    Cheers
    SL

    16 people found this answer helpful.
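
The requirement described in the answer above, as an added example that is not part of the original thread: an account SAS carries the selected resource types in its `srt` field, which is required and is part of the signed string. The sketch follows the documented account SAS string-to-sign layout for service versions before 2020-12-06; the function name, account name and key are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlencode

VALID_RESOURCE_TYPES = set("sco")  # s=Service, c=Container, o=Object


def account_sas(account, key_b64, *, services, resource_types, permissions,
                expiry, start="", ip="", protocol="https", version="2019-12-12"):
    """Build an account SAS query string (hypothetical helper, not an SDK call)."""
    # srt is mandatory, which matches the portal keeping "Generate SAS" disabled
    # until at least one resource type is ticked.
    if not resource_types or not set(resource_types) <= VALID_RESOURCE_TYPES:
        raise ValueError("select at least one resource type: s, c and/or o")
    if not services or not permissions or not expiry:
        raise ValueError("services, permissions and expiry are required")
    # Field order of the string-to-sign; optional fields stay as empty lines.
    string_to_sign = "\n".join([account, permissions, services, resource_types,
                                start, expiry, ip, protocol, version]) + "\n"
    digest = hmac.new(base64.b64decode(key_b64),
                      string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    params = {"sv": version, "ss": services, "srt": resource_types,
              "sp": permissions, "se": expiry, "spr": protocol}
    if start:
        params["st"] = start
    if ip:
        params["sip"] = ip
    params["sig"] = base64.b64encode(digest).decode("ascii")
    return urlencode(params)


# Constructed sample values, not a real account or key.
SAMPLE_ACCOUNT = "examplestorage"
SAMPLE_KEY = base64.b64encode(b"constructed-demo-key-0123456789abcdef").decode()

if __name__ == "__main__":
    print(account_sas(SAMPLE_ACCOUNT, SAMPLE_KEY, services="b",
                      resource_types="co", permissions="rl",
                      expiry="2030-01-01T00:00:00Z"))
    try:
        account_sas(SAMPLE_ACCOUNT, SAMPLE_KEY, services="b", resource_types="",
                    permissions="rl", expiry="2030-01-01T00:00:00Z")
    except ValueError as exc:
        print("rejected:", exc)
```
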

  2. deherman-MSFT 33,626 Reputation points Microsoft Employee
    2020-06-29T20:38:51.257+00:00

    @amsDeveloper and @Erik Lippens Please set AllowBlobPublicAccess to true on your storage accounts. You can do this in the Portal under Configuration for the storage account by setting "Blob public access" to Enabled.

    -------------------------

    Please don't forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.

    4 people found this answer helpful.

  3. roccol82 6 Reputation points
    2020-07-10T17:14:39.337+00:00

    Try to log out and then log in, because the problem is "authentication method".

    1 person found this answer helpful.

  4. Erik Lippens 1 Reputation point
    2020-06-29T08:25:23.36+00:00

    I'm also having this issue. I guess there's a setup before we are able to access the containers.

  5. deherman-MSFT 33,626 Reputation points Microsoft Employee
    2020-07-14T16:31:35.52+00:00

    @amsDeveloper-1720 My sincere apologies for not following up sooner. I confirmed that the Blob public access setting is a recent change and needs to be Enabled for Blob service (SAS) and Blob service (Azure AD) checks to pass. After changing this setting it may take a few minutes for the checks to begin to pass. This is only true for newly created storage accounts; older storage accounts may still show Blob public access set to Disabled and have the checks passing. More information on this setting can be found here.

    I didn't previously see that the Queue service check was failing. This indicates that your user may not have appropriate permissions for the ListQueues operation. Make sure that your user has access. You may need to add one of the built-in RBAC roles for queues which can be found here.

    If the issue still persists you may also need to add your client IP address under the Firewalls and virtual networks tab.

    Hopefully this information helps you to resolve this issue. If not please update me with what you are seeing after adjusting these settings.
