403 error access blob from azure automation runbook

Question

403 error access blob from azure automation runbook

Arif Usman 496

folks, I am trying to access blob in storage account from azure automation account runbook and getting following error in runbook.

===============================================

Environments                                                                                           Context
------------                                                                                           -------
{[AzureUSGovernment, AzureUSGovernment], [AzureChinaCloud, AzureChinaCloud], [AzureCloud, AzureCloud]} Microsoft.Azure.…
Get-AzStorageBlob: 
Line |
   3 |  $blob = Get-AzStorageBlob -Container "sqlbackup" -Context $ctx
     |          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | This request is not authorized to perform this operation.
RequestId:8f59929b-d01e-005f-0a74-694c02000000
Time:2025-12-10T01:30:16.3669972Z
Status: 403 (This request is not authorized to perform this operation.)
ErrorCode: AuthorizationFailure
Content:
<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationFailure</Code><Message>This request is not authorized to perform this operation.
RequestId:8f59929b-d01e-005f-0a74-694c02000000
Time:2025-12-10T01:30:16.3669972Z</Message></Error>
Headers:
Server: Microsoft-HTTPAPI/2.0
x-ms-request-id: 8f59929b-d01e-005f-0a74-694c02000000
x-ms-client-request-id: 949743df6eb2-8810656c-3172-4b70-bccc-949743df6eb2
x-ms-error-code: AuthorizationFailure
Date: Wed, 10 Dec 2025 01:30:15 GMT
Content-Length: 246
Content-Type: application/xml
Blob: ctx Microsoft.WindowsAzure.Commands.Storage.AzureStorageContext

==========================================================================================================

this is in the runbook to test

Connect-AzAccount -Identity
$ctx = New-AzStorageContext -StorageAccountName "storageaccountname" -UseConnectedAccount
$blob = Get-AzStorageBlob -Container "sqlbackup" -Context $ctx
Write-Output "Blob:$blob ctx $ctx"

Automation account has system identity enable.

Automation account of manage identity has 'Network Contributor', 'Reader', 'Storage Blob Data Contributor' role access in storage account.

Storage account and Automation have private endpoint (public access is disable). Both resources use same vnet and subnet in same resource group of subscription. Not sure why am I getting 403 error. Manage identity of aa has been given to storage account.

Sandhya Kommineni 2,895 Reputation points Microsoft External Staff Moderator

2025-12-10T03:48:23.07+00:00
Hi Arif Usman,

Thanks for posting your query in Microsoft Q&A forum

It looks like you're facing a 403 error when trying to access a blob in your Azure Storage account from an Azure Automation runbook. This error typically indicates an authorization issue, often linked to permissions or network security settings. Let’s go through a few things you can check:

Steps to Troubleshoot the 403 Error:

Check Role Assignments: Ensure that the managed identity of your Azure Automation account is assigned the correct permissions. For accessing blobs, the roles you should look for include:

Storage Blob Data Contributor (for read/write access)

Storage Blob Data Reader (for read-only access)

You can verify this by navigating to the Access control (IAM) section of your storage account in the Azure portal.

Verify Network Configuration: Since your storage account has private endpoints and public access is disabled, try these checks:

Confirm that the Azure Automation account is within the same Virtual Network (VNet) as the storage account.

Make sure that the appropriate private endpoints are set up correctly and that the necessary endpoints are connected.

Allow Azure Services: If you haven't done so already, enable the option Allow Azure services on the trusted services list to access this storage account in the networking settings of your storage account.

Firewall Settings: If your storage account firewall is enabled, confirm the IP address from which the request is being made is allowed through firewall settings. This includes verifying that Azure Automation is included if you are using this setting.

Use a Hybrid Runbook Worker: If none of the above resolves the issue, consider using a Hybrid Runbook Worker since it allows for more flexible connectivity options, especially in scenarios where network configurations restrict access.

Reference Links:

Azure Storage networking

Configure a private endpoint for Azure Storage

Azure RBAC overview

Troubleshooting runbook execution errors

I hope this helps! If you're still running into issues, let me know, and I can help you dig deeper. Would you be able to clarify the following:

Have you verified the role permissions for the managed identity?

Is the Azure Automation account configured correctly within the same VNet as the storage account?

Are there any other network security rules that might be affecting access?

Let me know!
Sandhya Kommineni 2,895 Reputation points Microsoft External Staff Moderator

2025-12-11T15:16:31.9433333+00:00

Hi Arif Usman,

Just checking to see if you have a chance to check my previous response and helped, do let me know if you have any further questions on this. Please accept as Yes and upvote if the answer is helpful so that it can help others in the community.
Arif Usman 496 Reputation points

2025-12-11T16:04:31.8533333+00:00
Automation accounts has manage identity access to storage account

Storage Blob Data Contributor (for read/write access) Storage Blob Data Reader (for read-only access)

Automation account and storage account has same vnets and subnets

Automation account and storage account has private endpoints and public access is disable.

there are not network security rules or firewall rules applied to both resources.
Sandhya Kommineni 2,895 Reputation points Microsoft External Staff Moderator

2025-12-12T07:07:35.9+00:00
Hello Arif Usman, Thanks for sharing the details

Enabling the Azure Firewall on Azure Storage, blocks access from Azure Automation runbooks for those services. Access will be blocked even when the firewall exception to allow trusted Microsoft services is enabled, as Automation is not a part of the trusted services list. With an enabled firewall, access can only be made by using a Hybrid Runbook Worker and a virtual network service endpoint.

Firewall rules If firewall rules are enabled, ensure the client is making requests from an allowed IP address or subnet. If the storage account allows traffic only from a specific virtual network subnet, any attempt to access data from a public network is forbidden. For example, if a user tries to access the storage account from the Azure portal (which uses the browser's network) or from a local machine, a 403 error appears unless you add the IP address of the browser network or local machine to the IP address rules. See Azure Storage firewall rules.

Ensure that your Run As account has permissions to access any resources used in your script.

Refer document: https://dori-uw-1.kuma-moon.com/en-us/troubleshoot/azure/azure-storage/blobs/authentication/storage-troubleshoot-403-errors#public-network-endpoint

I hope this helps

1 answer

Your answer

Sandhya Kommineni 2,895 Reputation points Microsoft External Staff Moderator

2025-12-11T15:16:31.9433333+00:00

Hi Arif Usman,

Just checking to see if you have a chance to check my previous response and helped, do let me know if you have any further questions on this. Please accept as Yes and upvote if the answer is helpful so that it can help others in the community.
Arif Usman 496 Reputation points

2025-12-11T16:04:31.8533333+00:00

Automation accounts has manage identity access to storage account

Storage Blob Data Contributor (for read/write access) Storage Blob Data Reader (for read-only access)

Automation account and storage account has same vnets and subnets

Automation account and storage account has private endpoints and public access is disable.

there are not network security rules or firewall rules applied to both resources.
Sandhya Kommineni 2,895 Reputation points Microsoft External Staff Moderator

2025-12-12T07:07:35.9+00:00

Hello Arif Usman, Thanks for sharing the details

Enabling the Azure Firewall on Azure Storage, blocks access from Azure Automation runbooks for those services. Access will be blocked even when the firewall exception to allow trusted Microsoft services is enabled, as Automation is not a part of the trusted services list. With an enabled firewall, access can only be made by using a Hybrid Runbook Worker and a virtual network service endpoint.

Firewall rules If firewall rules are enabled, ensure the client is making requests from an allowed IP address or subnet. If the storage account allows traffic only from a specific virtual network subnet, any attempt to access data from a public network is forbidden. For example, if a user tries to access the storage account from the Azure portal (which uses the browser's network) or from a local machine, a 403 error appears unless you add the IP address of the browser network or local machine to the IP address rules. See Azure Storage firewall rules.

Ensure that your Run As account has permissions to access any resources used in your script.

Refer document: https://dori-uw-1.kuma-moon.com/en-us/troubleshoot/azure/azure-storage/blobs/authentication/storage-troubleshoot-403-errors#public-network-endpoint

I hope this helps

Answer 1

The 403 error you are encountering when trying to access the Azure Blob Storage from your Azure Automation runbook indicates an authorization failure. Here are some potential causes and solutions to consider:

Network Restrictions: Since both the storage account and the automation account have a private endpoint and public access is disabled, ensure that the Azure Automation runbook is configured to access resources through the virtual network. If the Azure Firewall is enabled on the storage account, it may block access from Azure Automation runbooks. You might need to use a Hybrid Runbook Worker to facilitate this access.
Role Assignments: Although you mentioned that the managed identity of the automation account has the "Storage Blob Data Contributor" role, ensure that this role is assigned at the correct scope (e.g., storage account level). Also, verify that there are no additional role restrictions that might be affecting access.
Run As Account Permissions: If you are using a Run As account, ensure that it has the necessary permissions to access the storage account. The Run As account might not have the same permissions as the managed identity.
Check for IP Restrictions: Ensure that there are no IP address restrictions that could be blocking access to the storage account from the automation account.
Service Endpoint Configuration: Confirm that the service endpoint for Azure Storage is correctly configured in your virtual network settings.

By reviewing these areas, you should be able to identify the root cause of the 403 error and resolve the issue.

References:

Share via

403 error access blob from azure automation runbook

1 answer

Your answer