Azure Database Support Blog

VA Failed message: Could not authenticate to storage account 'storageaccount.blob.core.windows.net'

Mohamed_Baioumy_MSFT
Apr 20, 2022

You may get an error message similar to the one below when you try to update a vulnerability assessment (VA) baseline with the PowerShell command shown after it.

"statusCode": "BadRequest",
"serviceRequestId": null,
"statusMessage": "{\"error\":{\"code\":\"VulnerabilityAssessmentStorageAuthenticationFailed\",\"message\":\"Could not authenticate to storage account 'storageaccount.blob.core.windows.net' .\"}}",
"eventCategory": "Administrative",

Set-AzSqlDatabaseVulnerabilityAssessmentRuleBaseline `
-ResourceGroupName "ResourceGroup01" `
-ServerName "Server01" `
-DatabaseName "Database01" `
-RuleId "VA2108" `
-BaselineResult @('Principal1', 'db_ddladmin', 'SQL_USER', 'None') , @( 'Principal2', 'db_ddladmin', 'SQL_USER', 'None')

This error indicates an authentication failure when the Azure SQL logical server connects to the blob storage account where vulnerability assessment saves the baseline and the scan results.

To understand how this authentication between the Azure SQL server and the storage account works, take the following prerequisites into consideration:

The SQL Vulnerability Assessment service needs permission on the storage account to save the baseline and the scan results. There are three methods:

  • Storage account key: Azure generates a SAS key from the account key and saves the SAS key (the account key itself is not saved).
  • Storage SAS key: the SAS key must carry the Write, List, Read and Delete permissions.
  • SQL server managed identity: the SQL server must have a managed identity, and the storage account must have a role assignment granting that identity Storage Blob Data Contributor. When you apply the settings, the VA fields storageContainerSasKey and storageAccountAccessKey must be empty. When the storage account is behind a firewall or virtual network, the managed identity method is required.

When you save SQL VA settings in the Azure portal, Azure checks whether you have permission to create a role assignment granting the managed identity Storage Blob Data Contributor on the storage account. If you do, Azure uses the SQL server managed identity; otherwise it falls back to the key method.

For the VA service to save the scan results and the baseline, and to read the baseline, it must have permission to access the storage account.

There are two methods:

  • Storage account key / SAS key
  • SQL server managed identity (recommended)
    • The SQL server must have a managed identity.
    • The storage account must have a role assignment granting the SQL server identity Storage Blob Data Contributor.
    • When the storage account is behind a firewall or VNet, VA works only with the managed identity method.

Note: Assigning the Storage Blob Data Contributor role to an AAD group might not work properly; assign the role directly to the Azure SQL server managed identity instead.
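To put the managed identity prerequisites above into practice end to end (identity on the server, role assigned directly to that identity on the storage account scope, VA settings applied with no SAS or account key), here is an added PowerShell example. It is not code from the original post; the resource and container names are placeholders, and it assumes an authenticated Az PowerShell session with the Az.Sql, Az.Storage and Az.Resources modules.

```powershell
# Added example (not from the original post): configure SQL Vulnerability Assessment
# to authenticate to the storage account with the SQL server's system-assigned
# managed identity instead of a storage key or SAS key.
# All resource names below are placeholders.
$ResourceGroupName  = "ResourceGroup01"
$ServerName         = "Server01"
$StorageAccountName = "storageaccount"            # placeholder
$ContainerName      = "vulnerability-assessment"  # placeholder

# 1. Make sure the logical SQL server has a system-assigned managed identity.
#    -AssignIdentity is idempotent: it creates the identity if it is missing.
$server      = Set-AzSqlServer -ResourceGroupName $ResourceGroupName -ServerName $ServerName -AssignIdentity
$principalId = $server.Identity.PrincipalId
if (-not $principalId) {
    throw "SQL server '$ServerName' has no managed identity principal."
}

# 2. Grant that identity Storage Blob Data Contributor on the storage account scope.
#    The role goes to the server's own principal, not to an AAD group that
#    contains it (see the note above).
$storage  = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
$roleName = "Storage Blob Data Contributor"
$existing = Get-AzRoleAssignment -ObjectId $principalId -Scope $storage.Id `
                -RoleDefinitionName $roleName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $roleName -Scope $storage.Id | Out-Null
    Write-Host "Assigned '$roleName' to principal $principalId on $($storage.Id)"
} else {
    Write-Host "'$roleName' is already assigned to principal $principalId on the storage account"
}

# 3. Apply the VA settings without passing any SAS key or account key, so the
#    service falls back to the managed identity (the storageContainerSasKey and
#    storageAccountAccessKey fields stay empty).
Update-AzSqlServerVulnerabilityAssessmentSetting `
    -ResourceGroupName $ResourceGroupName `
    -ServerName $ServerName `
    -StorageAccountName $StorageAccountName `
    -ScanResultsContainerName $ContainerName `
    -RecurringScansInterval Weekly `
    -EmailAdmins $true

# 4. Verify both halves of the prerequisite: the role assignment exists at the
#    storage account scope, and the VA settings point at the expected account.
Get-AzRoleAssignment -ObjectId $principalId -Scope $storage.Id |
    Select-Object RoleDefinitionName, Scope
Get-AzSqlServerVulnerabilityAssessmentSetting -ResourceGroupName $ResourceGroupName -ServerName $ServerName |
    Select-Object StorageAccountName, ScanResultsContainerName
```

Run step 2 before step 3: Azure RBAC assignments can take a few minutes to propagate, so applying the VA settings or running `Set-AzSqlDatabaseVulnerabilityAssessmentRuleBaseline` immediately after a fresh role assignment can still return VulnerabilityAssessmentStorageAuthenticationFailed until the assignment is effective. If the storage account is behind a firewall or VNet, this managed identity path is the only one the page lists as working, and the Get-AzRoleAssignment check in step 4 is the first thing to confirm when the error appears.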

Updated Apr 20, 2022
  • JulioQueiroz (Copper Contributor)

    Just go to the storage account IAM menu and add the managed identity (resource name) for the resource generating the assessment report. In your case, the SQL server.

  • tsfto01 (Copper Contributor)

    Hi, I'm seeing this for SQL Managed Instances, but *only* if the managed identity is a user-managed one. If I add a system-managed identity to the SQL MI resource, the VA works, but with a user-managed, it fails. This happens regardless of the mechanism I use (ARM templates, Terraform).

    Is it possible to confirm that vulnerability assessments only work with system-assigned, and not with user-assigned managed identities? If so, I'm guessing this should be considered a bug.

    Note that I have confirmed that both kinds of managed identity have the correct role assignments (Storage Blob Data Contributor) with scope on the storage account.