Error about permission with Powershell command Get-AzureStorageBlob in Azure Runbook

Question

I'm trying to create a runbook in Azure that accesses a blob storage and list the contents. But I keep getting the following error:

The remote server returned an error: (403) Forbidden. HTTP Status Code: 403 - HTTP Error Message: This request is not authorized to perform this operation using this permission.

I checked the following: Azure Portal -> Storage Account -> Networking -> Check Allow Access From (All Networks / Selected Networks) It is set to all networks.

I checked the SAS. It's correct.

On the storage account and the container I set the Access Control to Storage Blob Data Reader and Sotrage Blob Data Owner to Managed Identity\Automation Account.

i created an Access Policy and set its rights to rdl, but I don't know how to call it from within my Powershell statement. I don't know whether it makes any difference.

Who can help me? I've about read all the articles on Internet but can't find the answer.

It's the statement Get-AzureStorageBlob that fails.

This is the code in the runbook:

$storage = "opslag" #name of storage account
$blobcontainer = "contener" #name of container
$sas = "****"

Write-Output $storage
Write-Output $container

$context = New-AzureStorageContext -StorageAccountName $storage - 
SasToken $sas
Write-Output $context

$blobs = Get-AzureStorageBlob -Container $blobcontainer -Context 
$context

Answer 1

To test this in our local environment, we have created a storage account, automation account with PowerShell runbook

• We have enabled Managed identity for the automation account, given the permissions Storage blob data Reader, Storage Blob Data Owner for the same managed identity.
• In the storage account, we have created an access policy with read, delete, list permissions to access the blob contents from PowerShell statements.

Here is the PowerShell Script that we have run in the Automation account Runbook:

• We have used the same managed identity to authenticate to our azure account in the automation account.

  Disable-AzContextAutosave -Scope Process  # Ensures you do not inherit an AzContext in your runbook
    $AzureContext = (Connect-AzAccount -Identity).context # Connect to Azure with system-assigned managed identity
    $AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription -DefaultProfile $AzureContext  # set and store context
    
    Import-module -name Az.Storage
    
    $storage = "<strgName>"  #name of storage account
    $blobcontainer = "<containerName>"  #name of container
    $sas = "<SAStoken>"  # Generated SAS token for the container with allowing HTTP & HTTPS protocol.
    Write-Output $storage
    Write-Output $container
    $context = New-AzStorageContext -StorageAccountName $storage -SasToken $sas
    Write-Output $context
    $blobs = Get-AzStorageBlob -Container $blobcontainer -Context $context
    Write-Output $blobs

Here is the sample output for reference: