articles/data-factory/connector-troubleshoot-azure-data-lake.md
Lines changed: 24 additions & 1 deletion
@@ -6,7 +6,7 @@ author: jianleishen
6
6
ms.service: data-factory
7
7
ms.subservice: data-movement
8
8
ms.topic: troubleshooting
9
-
ms.date: 08/10/2022
9
+
ms.date: 11/08/2022
10
10
ms.author: jianleishen
11
11
ms.custom: has-adal-ref, synapse
12
12
---
@@ -108,6 +108,29 @@ This article provides suggestions to troubleshoot common problems with the Azure
108
108
1. The file name contains `_metadata`.
109
109
2. The file name starts with `.` (dot).
110
110
111
+
### Error code: ADLSGen2ForbiddenError
112
+
113
+
- **Message**: `ADLS Gen2 failed for forbidden: Storage operation % on % get failed with 'Operation returned an invalid status code 'Forbidden'.`
114
+
115
+
- **Cause**: There are two possible causes:
116
+
117
+
1. The integration runtime is blocked by network access in Azure storage account firewall settings.
118
+
2. The service principal or managed identity doesn’t have enough permission to access the data.
119
+
120
+
- **Recommendation**:
121
+
122
+
1. Check your Azure storage account network settings to see whether the public network access is disabled. If disabled, use a managed virtual network integration runtime and create a private endpoint to access. For more information, see [Managed virtual network](managed-virtual-network-private-endpoint.md) and [Build a copy pipeline using managed VNet and private endpoints](tutorial-copy-data-portal-private.md).
123
+
124
+
1. If you have enabled selected virtual networks and IP addresses in your Azure storage account network setting:
125
+
126
+
1. It's possible because some IP address ranges of your integration runtime are not allowed by your storage account firewall settings. Add the Azure integration runtime IP addresses or the self-hosted integration runtime IP address to your storage account firewall. For Azure integration runtime IP addresses, see [Azure Integration Runtime IP addresses](azure-integration-runtime-ip-addresses.md), and to learn how to add IP ranges in the storage account firewall, see [Managing IP network rules](../storage/common/storage-network-security.md#managing-ip-network-rules).
127
+
128
+
1. If you allow trusted Azure services to access this storage account in the firewall, you must use [managed identity authentication](connector-azure-data-lake-storage.md#managed-identity) in copy activity.
129
+
130
+
For more information about the Azure storage account firewalls settings, see [Configure Azure Storage firewalls and virtual networks](../storage/common/storage-network-security.md).
131
+
132
+
1. If you use service principal or managed identity authentication, grant service principal or managed identity appropriate permissions to do copy. For source, at least the **Storage Blob Data Reader** role. For sink, at least the **Storage Blob Data Contributor** role. For more information, see [Copy and transform data in Azure Data Lake Storage Gen2](connector-azure-data-lake-storage.md#service-principal-authentication).
133
+
111
134
## Next steps
112
135
113
136
For more troubleshooting help, try these resources:
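Review bot: the error string on the `- **Message**:` line has unbalanced quoting: `'Operation returned an invalid status code 'Forbidden'.` opens a single quote before `Operation` that is never closed, so the quoted text should be checked against the actual service message and either closed after the final period or have the inner `'Forbidden'` quotes dropped. Two wording fixes in the same hunk: "Azure storage account firewalls settings" should read "firewall settings", and "grant service principal or managed identity appropriate permissions to do copy" reads better as "grant the service principal or managed identity the permissions the copy needs". Since the recommendation already states the minimum roles (Storage Blob Data Reader for source, Storage Blob Data Contributor for sink), consider adding that these assignments should be scoped to the specific container or account the pipeline uses rather than more broadly, so the least-privilege intent of "at least" is explicit.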