Blog Post

Azure Synapse Analytics Blog
1 MIN READ

Storage configuration for external table is not accessible while query on Serverless

Liliam_C_Leme's avatar
Liliam_C_Leme
Icon for Microsoft rankMicrosoft
Dec 29, 2020

 

Following this lab: Lab: Serverless Synapse - From Spark to SQL On Demand - Microsoft Tech Community

You may experience this message: 

Failed to execute the query because content of directory cannot be listed) 

This is due to an extra step required to enable the AAD to pass through the firewall on the storage.

 

Scenario:

Query SQL Serverless failed as following while querying Spark. 

 

On Azure Portal, Storage Account -> Networking is configured as follows ( with Allow trusted Microsoft services to access this account enabled):

If you change to All Networks it does work successfully. 

 

Mitigation: Enable the AAD to pass through the firewall on the storage.

 

Microsoft DocControl storage account access for serverless SQL pool - Azure Synapse Analytics | Microsoft Docs

 

 

Run the following-> exactly like this example but replace the values as required: 

 

 

 

Add-AzStorageAccountNetworkRule -ResourceGroupName $resourceGroupName -Name $accountName -TenantId $tenantId -ResourceId "/subscriptions/<subscriptionid>/resourcegroups/<rgname>/providers/Microsoft.Synapse/workspaces/<workspacename>"

 

 

 

Requisites:

 

1) For the Tenant ID you can get the value from the Azure Portal ->AAD

 

 

2) Note you may need to install Power Shell version 3 like my example:

(PowerShell Gallery | Az.Storage 3.0.1-preview)

 

Thanks to Stefan Azaric.

 

That is it!

Liliam

UK Engineer.

Updated Sep 15, 2021
Version 6.0

2 Comments

  • UJ2021's avatar
    UJ2021
    Copper Contributor

    In my case, the firewall setting already said "All Networks" but it still did not work.  I had to give access by adding the managed identity of the synapse workspace to the role Storage account blob contributor for it to work. 

  • Shane_Blake's avatar
    Shane_Blake
    Copper Contributor

    Another option is to set up the data source for the external table to use the Synapse Managed Identity. This way you can then secure the external table using GRANT statements on the external table and have Synapse request the data from the Data Lake.