Access Storage Accounts behind Firewalls from Logic Apps within the same region
Published Feb 19 2021 12:36 AM
Microsoft

Storage accounts behind firewalls are not accessible from Logic Apps in the same region through the Azure Blob Storage connector, because firewall rules cannot be added for the connector's outgoing IP addresses; see the following link for details: https://docs.microsoft.com/en-us/azure/connectors/connectors-create-api-azureblobstorage#access-stor...

In that case the Azure Blob Storage connector returns a 403 error, as shown below:

(Screenshot: 403 error returned by the Azure Blob Storage connector)

As a workaround, we use the HTTP action to call the storage account REST APIs using a managed identity; to do so, follow the steps below:

  1. Enable your logic app's managed identity:
    1. Go to your logic app.
    2. Go to Settings -> Identity.
    3. Select System assigned.
    4. Select Status -> On.
    5. Click Save.
  2. In your storage account, add a role assignment for your logic app:
    1. Go to your storage account.
    2. Click Access control (IAM).
    3. Click the Role assignments tab.
    4. Click Add and select Add role assignment:
      1. From the Role dropdown list, select Storage Blob Data Contributor.
      2. From the Assign access to dropdown list, select Logic App.
      3. Under the Select field, type the name of your logic app to search for it and select it once it is found; it will appear under the Selected members list.
      4. Click Save.
  3. In your storage account, make sure that the exception to allow trusted Microsoft services to access this storage account is selected:
    1. Go to your storage account.
    2. Go to Settings -> Networking.
    3. Select Firewalls and virtual networks.
    4. Scroll down to Exceptions.
    5. Select Allow trusted Microsoft services to access this storage account.
    6. Click Save.
  4. Connect your logic app to the storage account using an HTTP action that calls the storage account REST API:
    1. Go to your logic app.
    2. Click View in Logic App Designer.
    3. Add an action.
    4. Search for and select the HTTP action:
      1. From the Method dropdown list, select a method (GET, PUT, etc.).
      2. Enter the URI of the target blob under your storage account: https://<your account name>.blob.core.windows.net/<container name>/<file name>
      3. Under Headers, add the following key/value pairs:
        1. Key: x-ms-blob-type, Value: BlockBlob.
        2. Key: x-ms-version, Value: 2019-07-07.
      4. In the Body field, enter or select the variable or data token that holds your file content (when using the PUT method).
      5. From Add new parameter, select Authentication:
        1. From the Authentication type dropdown list, select Managed Identity.
        2. From the Managed Identity dropdown list, select System Assigned Managed Identity.
        3. For Audience, enter https://storage.azure.com
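The finished HTTP action as it appears in the logic app's code view, added here as an example rather than taken from the original post: it assumes a Request trigger whose body carries the file content, an action named Put_blob, and placeholder account, container and file names.

```json
{
  "definition": {
    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
    "contentVersion": "1.0.0.0",
    "triggers": {
      "manual": {
        "type": "Request",
        "kind": "Http",
        "inputs": { "schema": {} }
      }
    },
    "actions": {
      "Put_blob": {
        "type": "Http",
        "runAfter": {},
        "inputs": {
          "method": "PUT",
          "uri": "https://<storage-account>.blob.core.windows.net/<container>/<file-name>",
          "headers": {
            "x-ms-blob-type": "BlockBlob",
            "x-ms-version": "2019-07-07"
          },
          "body": "@triggerBody()",
          "authentication": {
            "type": "ManagedServiceIdentity",
            "audience": "https://storage.azure.com"
          }
        }
      }
    },
    "outputs": {}
  }
}
```

Once the trusted-services exception is on, the storage firewall no longer restricts the logic app, so the role assignment is the effective access control; a workflow that only reads blobs should be given Storage Blob Data Reader rather than Contributor.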
17 Comments
Microsoft

Great content!

Copper Contributor

This was a life saver. Thank you!

Copper Contributor

Great job!!!

But when I try to connect against table storage I receive a 401 error, even if I pass it the correct authorization header. In Postman it works but not in the logic app.

Do you know how to solve it?

Microsoft

@robergc This will not work with table storage; the logic app and storage account need to be in two different regions to be able to connect to table storage, and the reason for this is that table storage does not support Azure AD integration.

Please check the following link for more info: Authorize requests to Azure Storage (REST API) | Microsoft Docs

Copper Contributor

@talsaifi Is there any way that a Logic App can connect to table storage with a storage account behind firewalls within the same region? If not, are there any alternative ways/methods?

(Tried the above and was seeing a 403 error, where I was able to connect through Postman but not through Logic App)

Could you please assist? As we really need Table storage for our logic apps :(

Microsoft

@AsheN0ne Actually, at the time when this article was published, the above was not possible with Azure table storage! The good news is that now table storage supports Azure AD integration.

You can follow the steps above, except:

1- Use Storage Table Data Contributor instead of Storage Blob Data Contributor when adding role assignment.

2- Your HTTP action should look as follows:


  1. Enter the URI for the table under your storage account: https://<your account name>.table.core.windows.net/<table name>
  2. Under Headers, add the following key/value pairs:
    1. Key: Accept, Value: application/json.
    2. Key: x-ms-version, Value: 2019-07-07.


For list of REST API operations on table entities, check the following link: Operations on entities (REST API) - Azure Storage | Microsoft Docs


The other option is:

1- Have the storage account and logic app in different regions.

2- Use the Azure Table Storage connector; for connector reference, check the following link: Azure Table Storage - Connectors | Microsoft Docs

3- Add the logic app connector outgoing IP addresses to the storage account firewall to allow access.

Copper Contributor

Hi @talsaifi Thank you for the prompt reply!!


So, I have the logic app and the storage account in the same region.
I did follow the steps above:
1- I have assigned the Storage Table Data Contributor and Storage Table Data Reader roles and also added the outgoing IP addresses to the storage account.
2- And I am trying the Insert Entity REST API operation for Table Storage, which looks like below:

(Screenshot of the HTTP action)

and included the below headers:


{
  "Accept": "application/json",
  "Content-Type": "application/json",
  "DataServiceVersion": "3.0;NetFx",
  "MaxDataServiceVersion": "3.0;NetFx",
  "x-ms-date": "Thu, 15 Jul 2021 19:10:40 GMT",
  "x-ms-version": "2019-07-07"
}

and still having a 403 "AuthorizationFailure" error: This request is not authorized to perform this operation.

I really don't understand what I am doing wrong here :( as I was able to connect to Blob storage but not Table Storage. Could you please tell me what I am missing here? @talsaifi

Thank you in advance!

Microsoft

Hi @AsheN0ne

Remove any additional headers; the HTTP action should look as follows:

(Screenshot of the HTTP action)

Copper Contributor

@talsaifi Trust me!! I've tried all the different ways I could to get this to work :( but nothing helped. Did try it like above:

(Screenshot of the HTTP action)

I can give any further details if needed, I just can't understand what I am missing here..

Could you please assist!!

Copper Contributor

Hi @talsaifi 

Your solution works but I got some trouble in my scenario.

I have to take an attachment from an email and copy it to the storage account; the problem is that the saved file is corrupted if it is an xlsx, or changed if it is a csv (it saves the body of the previous step in my flow). My flow is configured as follows:

(Screenshots of the flow)

Is there a way to take the attachment and save it as-is (independently of the file extension)?

Copper Contributor

Thanks for this post which helped me get the result I needed for posting to a queue. For reference in case others need to do this, the syntax is as follows:

Method: POST

URI: http://<storage-name>.queue.core.windows.net/<queue-name>/messages

Headers:

Accept: application/json
x-ms-date: utcNow('R')
x-ms-version: 2019-07-07

Body:

<QueueMessage>
<MessageText>YOUR-MESSAGE</MessageText>
</QueueMessage>

Authentication:

Authentication type: Managed Identity
Managed identity: System-assigned managed identity
Audience: https://storage.azure.com

The information which I needed to make this work (esp. getting the format of the x-ms-date field right, which is a mandatory field) was from the REST API guide here:

https://docs.microsoft.com/en-us/rest/api/storageservices/put-message

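Code-view versions of the table-storage action from the earlier reply and the queue Put Message call from this comment, added as an example (not from the original post); the action names, the sample entity properties and the placeholders are assumptions, and both URIs use https because Azure Storage accepts Azure AD bearer tokens only over HTTPS.

```json
{
  "actions": {
    "Insert_entity": {
      "type": "Http",
      "runAfter": {},
      "inputs": {
        "method": "POST",
        "uri": "https://<storage-account>.table.core.windows.net/<table-name>",
        "headers": {
          "Accept": "application/json",
          "x-ms-version": "2019-07-07"
        },
        "body": {
          "PartitionKey": "logicapp",
          "RowKey": "@{guid()}",
          "Status": "processed"
        },
        "authentication": {
          "type": "ManagedServiceIdentity",
          "audience": "https://storage.azure.com"
        }
      }
    },
    "Put_queue_message": {
      "type": "Http",
      "runAfter": { "Insert_entity": [ "Succeeded" ] },
      "inputs": {
        "method": "POST",
        "uri": "https://<storage-account>.queue.core.windows.net/<queue-name>/messages",
        "headers": {
          "Accept": "application/json",
          "x-ms-date": "@{utcNow('R')}",
          "x-ms-version": "2019-07-07"
        },
        "body": "<QueueMessage><MessageText>YOUR-MESSAGE</MessageText></QueueMessage>",
        "authentication": {
          "type": "ManagedServiceIdentity",
          "audience": "https://storage.azure.com"
        }
      }
    }
  }
}
```

The table action needs the Storage Table Data Contributor role and the queue action the Storage Queue Data Message Sender role on the account; both roles scope the identity to data-plane writes only.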

Microsoft

Hi @emanuele86 

To resolve the issue, apply the base64toBinary() function on the Attachments Content in the Body field; your HTTP Body code view should look as follows:

"body": "@base64toBinary(items('For_each')?['ContentBytes'])",

By the way, there is no need for the Get Attachment (V2) action; the Include Attachments option is set to Yes on the trigger and that will retrieve the attachments.

Copper Contributor

Hi @talsaifi ,

Great, thank you! It works! I also removed Get Email Attachment V2.

Is "body": "@base64toBinary(items('For_each')?['ContentBytes'])" also good for csv files?

Other question: is there a way to save only the file attachments (csv, xlsx...)? Because the flow also stores images from the email signature, for example.

Thanks again

Regards

Microsoft

Hi @emanuele86 

"body": "@base64toBinary(items('For_each')?['ContentBytes'])" will work for any file type.

Regarding your other question, you can use the Attachments Is Inline property in a Control - Condition action to exclude any inline attachments; your For each loop will look as follows:

(Screenshot of the For each loop)
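The For each loop from the two replies above in code view, added here as an example (not JSON from the original post); it assumes the Office 365 Outlook trigger exposes the attachments as triggerBody()?['attachments'] with IsInline, Name and ContentBytes properties, and uses placeholder account and container names. Workflow expression function names are case-insensitive, so base64ToBinary is the same function the reply writes as base64toBinary.

```json
{
  "For_each": {
    "type": "Foreach",
    "foreach": "@triggerBody()?['attachments']",
    "runAfter": {},
    "actions": {
      "Condition": {
        "type": "If",
        "runAfter": {},
        "expression": {
          "and": [
            { "equals": [ "@items('For_each')?['IsInline']", false ] }
          ]
        },
        "actions": {
          "Put_attachment_blob": {
            "type": "Http",
            "runAfter": {},
            "inputs": {
              "method": "PUT",
              "uri": "https://<storage-account>.blob.core.windows.net/<container>/@{items('For_each')?['Name']}",
              "headers": {
                "x-ms-blob-type": "BlockBlob",
                "x-ms-version": "2019-07-07"
              },
              "body": "@base64ToBinary(items('For_each')?['ContentBytes'])",
              "authentication": {
                "type": "ManagedServiceIdentity",
                "audience": "https://storage.azure.com"
              }
            }
          }
        },
        "else": { "actions": {} }
      }
    }
  }
}
```

The attachment Name is chosen by the email sender, so it is untrusted input; if the mailbox receives mail from outside the organisation, build the blob name from a value you control (for example the message id plus a counter) instead of using Name verbatim.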

Copper Contributor

Hi,

Thanks for the article!

I tried the same approach mentioned here, but I am getting the below error even though a container named fieldglass exists.

<?xml version="1.0" encoding="utf-8"?><Error><Code>ContainerNotFound</Code><Message>The specified container does not exist.
RequestId:d30706a8-501e-0061-6a3a-9efae8000000
Time:2023-06-13T21:04:10.2196556Z</Message></Error>
(Screenshot of the HTTP action)

Copper Contributor

Is there any way to GET data from blob with this workaround?

Copper Contributor

Any way to get this to work with Azure Files? My flow includes an azure file storage location that is joined to AD. 

Last update: Feb 19 2021 12:35 AM