Azure / logicapps

Azure Logic Apps labs, samples, and tools
MIT License

Logic app is not able to access blob storage #993

Closed mihirpmehta closed 4 months ago

mihirpmehta commented 7 months ago

Describe the Bug with repro steps

I want to trigger action when some file is added in the blob storage.

I have created identity in Logic apps and also created storage contributor role for that identity

It throws error.

I have created system assigned managed identity in Logic app and I have also assigned Storage contributor role to this identity.

{
    "statusCode": 403,
    "headers": {
        "Cache-Control": "no-store, no-cache",
        "Pragma": "no-cache",
        "Set-Cookie": "ARRAffinity=3918252a89b1afdb8c3dc464535f8a9dbabe6782d2c64ae7d28576826f1f4c2f;Path=/;HttpOnly;Secure;Domain=azureblob-wus.azconn-wus-001.p.azurewebsites.net,ARRAffinitySameSite=3918252a89b1afdb8c3dc464535f8a9dbabe6782d2c64ae7d28576826f1f4c2f;Path=/;HttpOnly;SameSite=None;Secure;Domain=azureblob-wus.azconn-wus-001.p.azurewebsites.net",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "x-ms-request-id": "2aced241-f6fc-4048-bb0f-9308f689cef8",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
        "x-ms-connection-parameter-set-name": "managedIdentityAuth",
        "Timing-Allow-Origin": "*",
        "x-ms-apihub-cached-response": "false",
        "x-ms-apihub-obo": "false",
        "Date": "Thu, 22 Feb 2024 19:16:56 GMT",
        "Content-Length": "358",
        "Content-Type": "application/json",
        "Expires": "-1"
    },
    "body": {
        "status": 403,
        "message": "This request is not authorized to perform this operation using this permission.\r\nclientRequestId: 2aced241-f6fc-4048-bb0f-9308f689cef8",
        "error": {
            "message": "This request is not authorized to perform this operation using this permission."
        },
        "source": "azureblob-wus.azconn-wus-001.p.azurewebsites.net"
    }
}

My storage account has "Enabled from all networks" in networking.

Both resources are created with same resource group

What type of Logic App Is this happening in?

Consumption (Portal)

Are you using new designer or old designer

Old Designer

Did you refer to the TSG before filing this issue? https://aka.ms/lauxtsg

No

Workflow JSON

{
    "definition": {
        "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
        "actions": {
            "Send_an_email_(V2)": {
                "inputs": {
                    "body": {
                        "Body": "<p>New loan Files are ready to be processed \n\n@{triggerBody()}</p>",
                        "Importance": "Normal",
                        "Subject": "New loan Files are ready to be processed ",
                        "To": "mihir.mehta@apexon.com"
                    },
                    "host": {
                        "connection": {
                            "name": "@parameters('$connections')['office365']['connectionId']"
                        }
                    },
                    "method": "post",
                    "path": "/v2/Mail"
                },
                "runAfter": {},
                "type": "ApiConnection"
            }
        },
        "contentVersion": "1.0.0.0",
        "outputs": {},
        "parameters": {
            "$connections": {
                "defaultValue": {},
                "type": "Object"
            }
        },
        "triggers": {
            "When_a_blob_is_added_or_modified_(properties_only)_(V2)": {
                "evaluatedRecurrence": {
                    "frequency": "Minute",
                    "interval": 1
                },
                "inputs": {
                    "host": {
                        "connection": {
                            "name": "@parameters('$connections')['azureblob']['connectionId']"
                        }
                    },
                    "method": "get",
                    "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('sbjifitistorageaccount'))}/triggers/batch/onupdatedfile",
                    "queries": {
                        "checkBothCreatedAndModifiedDateTime": false,
                        "folderId": "JTJmc2ItamlmaXRpLXVucHJvY2Vzc2Vk",
                        "maxFileCount": 10
                    }
                },
                "metadata": {
                    "JTJmc2ItamlmaXRpLXVucHJvY2Vzc2Vk": "/sb-jifiti-unprocessed"
                },
                "recurrence": {
                    "frequency": "Minute",
                    "interval": 1
                },
                "splitOn": "@triggerBody()",
                "type": "ApiConnection"
            }
        }
    },
    "parameters": {
        "$connections": {
            "value": {
                "azureblob": {
                    "connectionId": "/subscriptions/f6e99bee-de48-4a97-ba21-cedc66858b03/resourceGroups/Jifiti-Trustage-RG/providers/Microsoft.Web/connections/azureblob-3",
                    "connectionName": "azureblob-3",
                    "connectionProperties": {
                        "authentication": {
                            "type": "ManagedServiceIdentity"
                        }
                    },
                    "id": "/subscriptions/f6e99bee-de48-4a97-ba21-cedc66858b03/providers/Microsoft.Web/locations/westus/managedApis/azureblob"
                },
                "office365": {
                    "connectionId": "/subscriptions/f6e99bee-de48-4a97-ba21-cedc66858b03/resourceGroups/Jifiti-Trustage-RG/providers/Microsoft.Web/connections/office365-1",
                    "connectionName": "office365-1",
                    "id": "/subscriptions/f6e99bee-de48-4a97-ba21-cedc66858b03/providers/Microsoft.Web/locations/westus/managedApis/office365"
                }
            }
        }
    }
}

Screenshots or Videos

No response

Browser

Chrome

Additional context

No response

AB#26922915
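A triage sketch for the 403 reported above, added here as an example and not code from the issue or the Azure/logicapps project. It reads a workflow definition to find which storage account and container each azureblob connection targets and under which authentication type, then flags a managed identity that holds no role with blob data-plane permissions. The role list passed in is an assumption (the post does not give the exact role name), and the function names are hypothetical.

```python
import base64
import re
from urllib.parse import unquote

# Built-in roles whose DataActions cover blob reads (Azure AD / managed identity data access).
BLOB_DATA_ROLES = {"Storage Blob Data Owner", "Storage Blob Data Contributor",
                   "Storage Blob Data Reader"}
DATASET = re.compile(r"/datasets/@\{encodeURIComponent\(encodeURIComponent\('([^']+)'\)\)\}")

def blob_targets(workflow):
    """Yield (step, auth_type, account, container) for each azureblob trigger or action."""
    conns = workflow.get("parameters", {}).get("$connections", {}).get("value", {})
    d = workflow["definition"]
    for name, step in {**d.get("triggers", {}), **d.get("actions", {})}.items():
        inputs = step.get("inputs", {})
        ref = re.search(r"\['(\w+)'\]\['connectionId'\]",
                        inputs.get("host", {}).get("connection", {}).get("name", ""))
        conn = conns.get(ref.group(1), {}) if ref else {}
        if not conn.get("id", "").endswith("/managedApis/azureblob"):
            continue
        auth = conn.get("connectionProperties", {}).get("authentication", {}).get("type")
        acct = DATASET.search(inputs.get("path", ""))
        folder = inputs.get("queries", {}).get("folderId")
        # On this page the folderId is base64 of the URL-encoded container path.
        container = unquote(base64.b64decode(folder).decode()) if folder else None
        yield name, auth, acct.group(1) if acct else None, container

def triage(response, workflow, assigned_roles):
    """Return findings for a 403 where a managed identity lacks a blob data-plane role."""
    mode = response["headers"].get("x-ms-connection-parameter-set-name")
    if response["statusCode"] != 403 or BLOB_DATA_ROLES & set(assigned_roles):
        return []
    return [f"{step}: {mode} to {account}{container} has no blob data-plane role"
            for step, auth, account, container in blob_targets(workflow)
            if auth == "ManagedServiceIdentity"]

# Constructed sample: trimmed from the response and workflow JSON in the post above.
RESPONSE = {"statusCode": 403,
            "headers": {"x-ms-connection-parameter-set-name": "managedIdentityAuth"}}
WORKFLOW = {
    "definition": {"triggers": {"When_a_blob_is_added_or_modified_(properties_only)_(V2)": {
        "inputs": {
            "host": {"connection": {"name": "@parameters('$connections')['azureblob']['connectionId']"}},
            "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('sbjifitistorageaccount'))}/triggers/batch/onupdatedfile",
            "queries": {"folderId": "JTJmc2ItamlmaXRpLXVucHJvY2Vzc2Vk"}}}}},
    "parameters": {"$connections": {"value": {"azureblob": {
        "connectionProperties": {"authentication": {"type": "ManagedServiceIdentity"}},
        "id": "/subscriptions/f6e99bee-de48-4a97-ba21-cedc66858b03/providers/Microsoft.Web/locations/westus/managedApis/azureblob"}}}},
}
# Assumed role list for illustration; the post does not give the exact role name.
ASSUMED_ROLES = ["Storage Account Contributor"]
```

Calling `triage(RESPONSE, WORKFLOW, ASSUMED_ROLES)` returns one finding naming the trigger, account and container; with a role from `BLOB_DATA_ROLES` in the list it returns an empty list.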

KronemeyerJoshua commented 6 months ago

I am also receiving this issue as of this week. My existing logic apps that are deployed are working, but when I try to create a new one I get a 403 Forbidden Error. I attempted to change the connection for Get blob content (V2) and am greeted with this error message.

[Image: logicapperror]

I am using an access key for blob storage that I have tested with Azure Storage Explorer. I can also access the storage from the Logic App UX Designer from within the Action of Get blob content (V2), but when I actually run it, it gives me a 403 Forbidden for Get Blob Content.

This issue is not limited to the old designer, as I am using the new designer. It appears to be backend related.

As I am writing this ticket, my Run History is not loading either and I'm not able to start the run of new logic apps.

{
    "definition": {
        "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
        "actions": {
            "For_each_Sharepoint_Site": {
                "actions": {
                    "Add_EntryFolder_to_UncrawledFolders": {
                        "inputs": {
                            "name": "UncrawledFolders",
                            "value": [
                                "@items('For_each_Sharepoint_Site')['folder']"
                            ]
                        },
                        "type": "SetVariable"
                    },
                    "Until": {
                        "actions": {
                            "For_each_FileFolder": {
                                "actions": {
                                    "Compose": {
                                        "inputs": "@items('For_each_FileFolder')?['Name']",
                                        "type": "Compose"
                                    }
                                },
                                "foreach": "@body('List_folder')",
                                "runAfter": {
                                    "List_folder": [
                                        "SUCCEEDED"
                                    ]
                                },
                                "type": "Foreach"
                            },
                            "List_folder": {
                                "inputs": {
                                    "host": {
                                        "connection": {
                                            "referenceName": "sharepointonline"
                                        }
                                    },
                                    "method": "get",
                                    "path": "/datasets/@{encodeURIComponent(encodeURIComponent('https://wwpubsec.sharepoint.com/sites/SharepointTest'))}/folders/@{encodeURIComponent(variables('UncrawledFolders')[iterationIndexes('Until')])}"
                                },
                                "runAfter": {
                                    "Reset_SharepointFileList": [
                                        "SUCCEEDED"
                                    ]
                                },
                                "type": "ApiConnection"
                            },
                            "Reset_SharepointFileList": {
                                "inputs": {
                                    "name": "SharepointFileList",
                                    "value": []
                                },
                                "type": "SetVariable"
                            }
                        },
                        "expression": "@equals(0,0)",
                        "limit": {
                            "count": 60,
                            "timeout": "PT1H"
                        },
                        "runAfter": {
                            "Add_EntryFolder_to_UncrawledFolders": [
                                "SUCCEEDED"
                            ]
                        },
                        "type": "Until"
                    }
                },
                "foreach": "@body('Parse_JSON')?['SharepointSites']",
                "runAfter": {
                    "Init_SharepointFileList": [
                        "SUCCEEDED"
                    ]
                },
                "type": "Foreach"
            },
            "Get_blob_content_(V2)": {
                "inputs": {
                    "host": {
                        "connection": {
                            "referenceName": "azureblob"
                        }
                    },
                    "method": "get",
                    "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('AccountNameFromSettings'))}/files/@{encodeURIComponent(encodeURIComponent('/config/config.json'))}/content",
                    "queries": {
                        "inferContentType": true
                    }
                },
                "runAfter": {},
                "type": "ApiConnection"
            },
            "Init_SharepointFileList": {
                "inputs": {
                    "variables": [
                        {
                            "name": "SharepointFileList",
                            "type": "array",
                            "value": []
                        }
                    ]
                },
                "runAfter": {
                    "Init_UncrawledFolders": [
                        "SUCCEEDED"
                    ]
                },
                "type": "InitializeVariable"
            },
            "Init_UncrawledFolders": {
                "inputs": {
                    "variables": [
                        {
                            "name": "UncrawledFolders",
                            "type": "array",
                            "value": []
                        }
                    ]
                },
                "runAfter": {
                    "Parse_JSON": [
                        "SUCCEEDED"
                    ]
                },
                "type": "InitializeVariable"
            },
            "Parse_JSON": {
                "inputs": {
                    "content": "@body('Get_blob_content_(V2)')",
                    "schema": {
                        "properties": {
                            "AcceptedFileTypes": {
                                "items": {
                                    "type": "string"
                                },
                                "type": "array"
                            },
                            "SharepointSites": {
                                "items": {
                                    "properties": {
                                        "folder": {
                                            "type": "string"
                                        },
                                        "url": {
                                            "type": "string"
                                        }
                                    },
                                    "required": [
                                        "url",
                                        "folder"
                                    ],
                                    "type": "object"
                                },
                                "type": "array"
                            }
                        },
                        "type": "object"
                    }
                },
                "runAfter": {
                    "Get_blob_content_(V2)": [
                        "SUCCEEDED"
                    ]
                },
                "type": "ParseJson"
            }
        },
        "contentVersion": "1.0.0.0",
        "outputs": {},
        "triggers": {
            "Recurrence": {
                "recurrence": {
                    "frequency": "Hour",
                    "interval": 24
                },
                "type": "Recurrence"
            }
        }
    },
    "kind": "Stateful"
}

github-actions[bot] commented 5 months ago

This issue is stale because it has been open for 45 days with no activity.

github-actions[bot] commented 4 months ago

This issue was closed because it has been inactive for 14 days since being marked as stale.

geetikagupta16 commented 4 months ago

Any update on this issue? I am facing the same Forbidden error when trying to connect logic app using Create Blob(V2) to a storage account using (Enabled from selected virtual networks and IP addresses) networking setting and user managed identity.

skaxpo commented 3 months ago

Any update on this issue? @geetikagupta16, @mihirpmehta let me know if you found the issue or any workaround for this issue.