Access Storage Accounts behind Firewalls from Logic Apps within the same region

This article is contributed. See the original author and article here.

Storage accounts behind firewalls will not be accessible by Logic apps within the same region using Azure blob storage connector, because we can not add firewall rules to give access for the connector outgoing IP addresses; please check the following link for details: https://docs.microsoft.com/en-us/azure/connectors/connectors-create-api-azureblobstorage#access-storage-accounts-behind-firewalls

Azure blob storage connector will be returning 403 error, as shown below:

As a workaround, we use the HTTP action to call storage account REST API’s using managed identity; to do so, please follow the steps below:

1. Enable your logic app managed identity:
   
   
   
   1. Go to your logic app.
   
   
   2. Go to Settings -> Identity.
   
   
   3. Select System assigned.
   
   
   4. Select Status -> On.
   
   
   5. Click Save.                                                                                                                                   
   
   
   
   


2. In your storage account, add role assignment for your logic app:
   
   
   
   1. Go to your storage account.
   
   
   2. Click on access Control (IAM).
   
   
   3. Click on Role assignments tab.
   
   
   4. Click Add and select Add role assignment:
      
      
      
      1. From the Role dropdown list, select Storage Blob Data Contributor.
      
      
      2. From Assign access to dropdown list, select Logic App.
      
      
      3. Under the Select field, type the name of your logic app to search for it and select it once it’s found, it will appear under the selected members list.
      
      
      4. Click Save.                                                                                                                         
      
      
      
      
   
   
   
   


3. Connect your logic app to storage account using HTTP action to call storage account REST API:
   
   
   
   1. Go to your logic app
   
   
   2. Click on View in logic apps designer
   
   
   3. Add an action
   
   
   4. Search for and select HTTP action:
      
      
      
      1. From method dropdown list, select a method (GET, PUT, etc.).
      
      
      2. Enter the URI for the folder under your storage account (https://your account name.blob.core.windows.net/container name/file Name)
      
      
      3. Under headers, add the following key value pairs:
         
         
         
         1. Key: x-ms-blob-type, Value: BlockBlob.
         
         
         2. Key: x-ms-version, Value: 2019-07-07.
         
         
         
         
      
      
      4. In the body field, enter or select the variable or data token that holds your file content, in case of using PUT method.
      
      
      5. From add new parameter, select authentication:
         
         
         
         1. From Authentication type dropdown list, select Managed Identity.
         
         
         2. From Managed Identity dropdown list, select System Assigned Managed Identity.
         
         
         3. For audience, enter https://storage.azure.com                                                        
         
         
         
         
      
      
      
      
   
   
   
   

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.