You have created a Search Service and you want to import your data from the Storage account which is behind a firewall.
There are certain times when you need to update your Indexer for additional properties for a particular search service. So, while trying to update the Indexer, you navigate to “Add Indexer” option and then under Settings tab, you update the required properties.
While updating the Indexer, suddenly you encounter that it failed with the below error message.
Failed to update indexer ‘xxxxxx-indexer', error: 'Error with data source: Credentials provided in the connection string are invalid or have expired. For more information on troubleshooting connection issues to Azure Storage accounts, please see https://go.microsoft.com/fwlink/?linkid=2049388 Please adjust your data source definition in order to proceed.'
You start wondering! Maybe your storage connection string has expired, or it is wrongly added, and you regenerate the connection strings again. But still the error prevails.
Cause: Both storage and search services are in the same region and that is the reason for the above error.
Verify first both the services should be in different regions. This is the easiest way to resolve the issue.
If by any chance, your application does not permit you to keep your search service and storage account in a different region, please follow the next steps below:
You can use Trusted Services to achieve the same. But it still would need the two resources to be under the same subscription. Please remember that trusted services must use a System Managed Identity.
Navigate to your storage account and enable the checkbox “Allow services on the trusted services list to access this storage account”
Your System Managed Identity is disabled by default. You need to navigate to the Identity column and enable it by toggling it to On
Managed Identity must be paired with Azure Role that determines permissions on the Azure resource.
Navigate to your Azure Storage, select Access Control (AIM) in the left navigation pane.
Select Add Role Assignment
On the Role Page, Choose the Role “Storage Blob Data Reader”
On the Members page, select Managed Identity
Select members. In the Select managed identity page, choose your subscription, and then filter by service type, and then select that search service. Only those services that have a managed identity will be available to select.
Copy the Resource Id manually from Storage account Endpoint properties and paste it in the Import data wizard of Search service in the connection string and index the data and create a Indexer.
If the index schema is detected, the connection succeeded and ready to create the Indexer.
The above will work in scenarios where your storage account and Search service is in same region and same subscriptions.
Another option that can be leveraged is to add the resource Instance rule if your storage account and search service is in different subscriptions in the same tenant.
Navigate to Networking tab on left side blade.
Under Firewalls and Virtual networks, for Selected Networks, select to allow access
Scroll down to find Resource Instances and in the Resource type dropdown list, choose the resource type of your resource instance.
In the Instance name dropdown list, choose the resource instance. You can also choose to include all resource instances in the active tenant, subscription, or resource group.
Select Save to apply your changes. The resource instance appears in the Resource instances section of the network settings page.