
Can no longer grant access from certain Azure Resource Types to Azure Storage using Azure Storage Firewall #25455

@starkfell

Description


Notes

The values provided below have been generalized.


Related command(s)

The following commands are related to the issue described below.

az storage account network-rule add
az rest
az resource update


Describe the bug

When attempting to grant access from a Log Analytics Workspace to a Storage Account using the following command:

az storage account network-rule add \
--resource-id "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-log-analytics-workspaces/providers/Microsoft.OperationalInsights/workspaces/log-analytics-workspace-001" \
--tenant-id 00000000-0000-0000-0000-000000000000 \
--account-name storageaccountname001

The following error occurs:

Bad Request({"error":{"code":"InvalidValuesForRequestParameters","message":"Values for request parameters are invalid: networkAcls.resourceAccessRules[*].resourceId. For more information, see - https://aka.ms/storagenetworkruleset"}})

The error above also occurs when attempting to grant access from the following Resource Types:

Microsoft.Web/sites/functions
Microsoft.Logic/workflows


To Reproduce

The issue above can be re-created consistently using the following examples.


Example 1

Run the previously described command, az storage account network-rule add, using the following syntax.

az storage account network-rule add \
--resource-id "{AZURE_RESOURCE_ID}" \
--tenant-id {TENANT_ID} \
--account-name {AZURE_STORAGE_ACCOUNT_NAME}

Example 2

Attempt to make a REST API call using the az rest command.


JSON Payload is stored in the variable jsonBody.

jsonBody='{
    "properties": {
        "networkAcls": {
            "resourceAccessRules": [
                {
                    "tenantId": "00000000-0000-0000-0000-000000000000",
                    "resourceId": "subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-log-analytics-workspaces/providers/Microsoft.OperationalInsights/workspaces/log-analytics-workspace-001"
                }
            ]
        }
    }
}'

Run the az rest command with the PATCH method against the target Azure Storage Account.

az rest \
--method PATCH \
--uri "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-azure-storage-account/providers/Microsoft.Storage/storageAccounts/storageaccountname001?api-version=2022-09-01" \
--body "$jsonBody"

Example 3

Attempt to use az resource update to update the resourceAccessRules of the Azure Storage Account.


Run the az resource update command using the following syntax.

az resource update \
--id /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-azure-storage-account/providers/Microsoft.Storage/storageAccounts/storageaccountname001 \
--add properties.networkAcls.resourceAccessRules \
"{'resourceId'='/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-log-analytics-workspaces/providers/Microsoft.OperationalInsights/workspaces/log-analytics-workspace-001','tenantId'='00000000-0000-0000-0000-000000000000'}"


Expected Behavior

Running any of the three options above should result in the Resources being added to the networkRuleSet section of the target Azure Storage Account.

  "networkRuleSet": {
    "bypass": "AzureServices",
    "defaultAction": "Deny",
    "ipRules": [],
    "resourceAccessRules": [
      {
        "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-log-analytics-workspaces/providers/Microsoft.OperationalInsights/workspaces/log-analytics-workspace-001",
        "tenantId": "00000000-0000-0000-0000-000000000000"
      }
    ],
    "virtualNetworkRules": []
  },
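The hand-written PATCH body in Example 2 and the read-back shown under Expected Behavior are both easy to get subtly wrong (single-quoted JSON, a trailing comma, or a resourceId without the leading "/" of a full ARM resource ID, as in Example 2 as posted). The following is an added example, not part of the original issue and not Azure CLI code: it builds the request body with the JSON library so the syntax is always valid, normalizes the resource ID to the full ARM form, and checks a networkRuleSet (for instance the output of az storage account show --query networkRuleSet -o json) for the expected rule together with a default-deny posture. All subscription, tenant, and resource names are constructed placeholders; the regular expressions and helper names are this example's own assumptions.

```python
import json
import re

# Constructed sample values (not real Azure identifiers).
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"
TENANT_ID = "00000000-0000-0000-0000-000000000000"
WORKSPACE_ID = (
    f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/rg-log-analytics-workspaces"
    "/providers/Microsoft.OperationalInsights/workspaces/log-analytics-workspace-001"
)

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Assumed shape of a full ARM resource ID: leading slash, subscription,
# resource group, provider namespace, type and name, plus optional child segments.
RESOURCE_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/[^/]+/[^/]+/[^/]+(/[^/]+/[^/]+)*$",
    re.IGNORECASE,
)


def normalize_resource_id(resource_id: str) -> str:
    """Return the resource ID in full ARM form, adding the leading '/' if it was dropped.

    Raises ValueError if the result still does not look like an ARM resource ID."""
    rid = resource_id.strip()
    if not rid.startswith("/"):
        rid = "/" + rid
    if not RESOURCE_ID_RE.match(rid):
        raise ValueError(f"not a full ARM resource ID: {resource_id!r}")
    return rid


def build_patch_body(resource_id: str, tenant_id: str) -> str:
    """Build the JSON body for a PATCH on Microsoft.Storage/storageAccounts/{name}
    that adds one resource instance rule to networkAcls.resourceAccessRules."""
    if not GUID_RE.match(tenant_id):
        raise ValueError(f"tenantId is not a GUID: {tenant_id!r}")
    body = {
        "properties": {
            "networkAcls": {
                "resourceAccessRules": [
                    {"tenantId": tenant_id, "resourceId": normalize_resource_id(resource_id)}
                ]
            }
        }
    }
    # json.dumps guarantees double-quoted keys and no trailing commas,
    # which hand-written bodies easily get wrong.
    return json.dumps(body, indent=2)


def rule_applied(network_rule_set: dict, resource_id: str, tenant_id: str) -> bool:
    """Check a networkRuleSet (as returned by `az storage account show --query networkRuleSet`)
    for the expected rule and confirm the firewall still denies by default."""
    if network_rule_set.get("defaultAction") != "Deny":
        return False
    want = normalize_resource_id(resource_id).lower()  # ARM resource IDs are case-insensitive
    for rule in network_rule_set.get("resourceAccessRules") or []:
        if (rule.get("resourceId") or "").lower() == want and rule.get("tenantId") == tenant_id:
            return True
    return False


# Constructed sample of a networkRuleSet after the rule has been applied
# (mirrors the "Expected Behavior" section of the issue).
SAMPLE_RULE_SET = {
    "bypass": "AzureServices",
    "defaultAction": "Deny",
    "ipRules": [],
    "resourceAccessRules": [{"resourceId": WORKSPACE_ID, "tenantId": TENANT_ID}],
    "virtualNetworkRules": [],
}

if __name__ == "__main__":
    print(build_patch_body(WORKSPACE_ID, TENANT_ID))
    print("rule applied:", rule_applied(SAMPLE_RULE_SET, WORKSPACE_ID, TENANT_ID))
```

In practice the string returned by build_patch_body would be passed to az rest --body, and the JSON returned by az storage account show --query networkRuleSet -o json would be loaded and handed to rule_applied to confirm that the rule landed without the account's defaultAction having been relaxed along the way.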


Environment Summary

Environment Summary is below.

  • The command(s) above were tested on separate Azure Subscriptions that resided on separate Tenants that are not associated or connected.
  • Azure CLI versions tested: 2.45.0, 2.36.0
  • Both versions of Azure CLI were tested on Ubuntu 18.04 and 22.04.
  • For the option above using az rest, API Version(s): 2022-09-01 and 2021-09-01 were targeted.


Additional Context

The purpose of granting access from specific Azure Resource Instances was to lower the exposure of specific Azure Resource Types (Azure Log Analytics Workspaces, Azure Functions, Azure Logic Apps) that connect to Azure Storage Accounts in the target Subscriptions.

