
Differentiate between IAM and Networking Exceptions #31475

Open

Description

Is your feature request related to a problem? Please describe.
When an operation is performed on a Storage Account where the networking rules prevent the execution of a function, the error message returned from the REST API is the same as when a user is not authorized.

e.g.

Error occurred while staging blocks. Error - RestError: This request is not authorized to perform this operation.
RequestId:e71b8c46-101e-009f-6467-232174000000
Time:2024-10-21T03:12:55.4646418Z

This adds a level of uncertainty as to whether a Managed Identity is not authorised to perform a request on a Storage Account, or whether there are networking rules in place that prevent the request from being serviced. For our particular case, we were certain that the target storage account that is owned by another team had provisioned Storage Blob Data Contributor access to our Managed Identity but the failure kept occurring.

It wasn't until our team requested the StorageBlobLogs from the external team for the requests that we saw the RequesterObjectId was blank, which indicated it was not an identity issue. It was only from past experience that we knew that if there were networking rules in place (e.g. a range of allowed subnets has been configured) that the AKS subnet needed to be whitelisted to allow the operation to be performed.

Describe the solution you'd like
It should be immediately apparent that the request was rejected due to networking rules, and not due to an authorization error. IMO, authorization means that a particular identity does not have permission, rather than that a whole subnet does not have permission. Most other protocols indicate networking issues (e.g. SFTP will tell you there was no handshake if there is a firewall blocking, and return an authorisation failure if it has to do with the credentials).

Describe alternatives you've considered
From the client side there are no alternatives: the error messages returned from the REST API are exactly the same, so they cannot be handled differently.

Additional context
Add any other context or screenshots about the feature request here.
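A triage helper for the diagnosis described in the report, added here as an example and not part of the issue or of any Azure SDK: it applies the reporter's observation that a 403 in StorageBlobLogs with a blank RequesterObjectId was not an identity failure, and separates those rows from RBAC denials so the right team (network vs. IAM) gets the ticket. The log rows are constructed, and the RequesterObjectId/AuthenticationType heuristic is an assumption drawn from the report, not a documented service contract.

```python
from collections import Counter

# Constructed StorageBlobLogs-style rows (made-up values, not real log data).
# Field names follow the StorageBlobLogs schema; the heuristic below is an
# assumption taken from the report: a 403 whose RequesterObjectId is blank was
# never attributed to an identity, so a missing RBAC role cannot be the cause.
SAMPLE_ROWS = [
    {"OperationName": "PutBlock", "StatusCode": 403,
     "StatusText": "AuthorizationFailure", "AuthenticationType": "OAuth",
     "RequesterObjectId": "", "CallerIpAddress": "10.240.0.17:51234"},
    {"OperationName": "PutBlock", "StatusCode": 403,
     "StatusText": "AuthorizationPermissionMismatch", "AuthenticationType": "OAuth",
     "RequesterObjectId": "11111111-2222-3333-4444-555555555555",
     "CallerIpAddress": "10.240.0.17:51240"},
    {"OperationName": "PutBlockList", "StatusCode": 201,
     "StatusText": "Success", "AuthenticationType": "OAuth",
     "RequesterObjectId": "11111111-2222-3333-4444-555555555555",
     "CallerIpAddress": "10.240.0.17:51241"},
]


def classify(row):
    """Return 'network-rule', 'rbac', 'other-403' or 'ok' for one log row."""
    if row["StatusCode"] != 403:
        return "ok"
    if not row.get("RequesterObjectId"):
        # Rejected before any identity was attached to the request:
        # consistent with a storage firewall / virtual network rule denial.
        return "network-rule"
    if row.get("AuthenticationType") == "OAuth":
        # An identity was resolved and still denied: missing RBAC role
        # (e.g. Storage Blob Data Contributor) on the account or container.
        return "rbac"
    return "other-403"


def triage(rows):
    """Summarise 403s by likely cause and list the caller IPs hit by network rules,
    which is what the storage account owner needs in order to allow the subnet."""
    causes = Counter(classify(r) for r in rows)
    blocked_ips = sorted({r["CallerIpAddress"].rsplit(":", 1)[0]
                          for r in rows if classify(r) == "network-rule"})
    return {"causes": dict(causes), "network_blocked_ips": blocked_ips}


if __name__ == "__main__":
    print(triage(SAMPLE_ROWS))
```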

Labels

- Client: This issue points to a problem in the data-plane of the library.
- Service Attention: Workflow: This issue is responsible by Azure service team.
- Storage: Storage Service (Queues, Blobs, Files)
- customer-reported: Issues that are reported by GitHub users external to the Azure organization.
- needs-team-attention: Workflow: This issue needs attention from Azure service team or SDK team
- question: The issue doesn't require a change to the product in order to be resolved. Most issues start as that
