
My first attempt to make use of Azure Purview and scan Azure Resources like Azure File, Azure Blob, AWS s3, etc. I was able to connect to AWS S3 and scan the buckets but my attempt to connect to Azure File and Azure Blob failed with "Failure to connect to data source" error!

Azure File scan allows Account Key only. I added the credential in Key Vault and Purview was able to read the secret from KV. However, when I tried to scan Azure File, Purview couldn't connect to the resource.

Azure Blob scan allows Account Key and Managed Identity. I tried both but I still can't connect to the resource.

I don't see diagnostics in Purview and I can't tell what's causing the failure. I removed network restriction on the storage account but no success.

Permission is granted to Storage Account through Managed Identity of Purview. Key has full permission!

So, any idea what's causing Purview to encounter Failure to connect to data source?

Prodip

2 Answers


You need to grant the Purview managed identity access in your Azure Key Vault in the Access Policies tab by selecting Get and List in the Secrets permissions.

Link: https://learn.microsoft.com/en-us/azure/purview/manage-credentials#grant-the-purview-managed-identity-access-to-your-azure-key-vault

You need to verify your Azure RBAC role to the Azure File and Azure Blob resources as well. Take a look at the troubleshooting guide for Azure Purview connections.

Link: https://learn.microsoft.com/en-us/azure/purview/troubleshoot-connections

Nadine Raiss
  • Nadine Raiss- Thanks for the feedback. I did grant the permission to the Purview Managed Identity on the Access Policy. Initially, I didn't assign the policy and I got an error message that was meaningful. I got past the key vault access error after I assigned the access policy. My next step is to use the credential to connect to the resource and that's where Purview is failing. – Prodip Oct 25 '21 at 17:07
  • What do you get as an error ? – Nadine Raiss Oct 25 '21 at 17:14
  • "Failure to connect to data source" is the error message I get when I click Test Connection on Scan configuration. – Prodip Oct 25 '21 at 17:19
  • I updated my answer. Please take a look at the troubleshooting guide. – Nadine Raiss Oct 25 '21 at 17:37
  • Nadine Raiss- I was able to connect to Azure Blob but I had to use Managed Identity. Meaning Managed Identity is granted permission to read blobs in storage account. Use of account key is still running into error. I turned on the logging in key vault and I see error message: The policy requires the caller 'name=Microsoft.Purview/accounts;appid={my-app-id};oid={managed-id-of-purview};iss={my-token-issuer}' to use on-behalf-of (OBO) flow. For more information on OBO, please see https://go.microsoft.com/fwlink/?linkid=2152310. Investigating why Purview can't access key vault. – Prodip Oct 25 '21 at 20:14

@Nadine-Raiss, Thank you for pointing in the right direction. It indeed had to do with access to Key Vault. Initially, I configured both select principal and authorized application, and that's incorrect. We have to leave the application blank and just assign the app id to the principal. That was it; I am able to connect to Azure File/Azure Blob using the account key from Purview. Thanks again for the assistance.


Prodip
  • Glad to know that your issue has been resolved. After 48 hours, you can accept it as the answer (click on the check mark beside the answer to toggle it from greyed out to filled in). This can be beneficial to other community members. Thank you. – CHEEKATLAPRADEEP Oct 27 '21 at 03:21
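The two conditions the thread converges on (Get and List on secrets for the Purview managed identity, from the first answer, and no authorized application on that entry, from the accepted fix) can be audited from the vault's access-policy list. This is an added example, not code from either poster or from Microsoft; it assumes the entry shape of the accessPolicies array returned by `az keyvault show`, and the GUIDs and policy entries are constructed placeholders.

```python
# Added example (not from the question or answers): audit a Key Vault access
# policy for the Purview managed identity. Entry shape follows the
# accessPolicies array returned by `az keyvault show` (assumed); the GUIDs and
# sample entries below are constructed placeholders.

PURVIEW_OID = "aaaaaaaa-0000-0000-0000-000000000001"    # constructed placeholder
PURVIEW_APPID = "bbbbbbbb-0000-0000-0000-000000000002"  # constructed placeholder

# Entry as first configured in the thread: principal AND authorized application
# set. Key Vault treats that as a compound identity and demands the OBO flow,
# which is the error the asker found in the Key Vault diagnostic log.
BROKEN_POLICIES = [
    {"objectId": PURVIEW_OID, "applicationId": PURVIEW_APPID,
     "permissions": {"secrets": ["Get", "List"], "keys": [], "certificates": []}},
]

# Entry after the fix: principal only, Get + List on secrets.
FIXED_POLICIES = [
    {"objectId": PURVIEW_OID, "applicationId": None,
     "permissions": {"secrets": ["Get", "List"], "keys": [], "certificates": []}},
]


def check_purview_policy(policies, purview_oid):
    """Return a list of problems with the Purview entry; [] means it is usable."""
    problems = []
    entries = [p for p in policies
               if (p.get("objectId") or "").lower() == purview_oid.lower()]
    if not entries:
        return [f"no access-policy entry for principal {purview_oid}"]
    for entry in entries:
        if entry.get("applicationId"):
            problems.append("applicationId is set: leave 'authorized application' "
                            "blank, or Key Vault requires the on-behalf-of flow")
        secrets = entry.get("permissions", {}).get("secrets") or []
        granted = {s.lower() for s in secrets}
        if "all" not in granted:
            missing = sorted({"get", "list"} - granted)
            if missing:
                problems.append(f"secret permissions missing: {missing}")
    return problems


if __name__ == "__main__":
    for label, pol in (("broken", BROKEN_POLICIES), ("fixed", FIXED_POLICIES)):
        print(label, check_purview_policy(pol, PURVIEW_OID) or "OK")
```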