Hello,
We are trying to set up Event Grid to deliver events to an Azure Storage queue, following this documentation: https://video2.skills-academy.com/en-us/azure/event-grid/consume-private-endpoints
We are using a system topic that publishes BlobCreatedEvents to a subscriber, which is the Azure Storage queue. When a new event is published, we are receiving the following error message in the AegDeliveryFailureLogs:
deliveryResponse=Unauthorized, errorCode=AuthorizationFailure, QueueErrorCode=AuthorizationFailure, , httpStatusCode=InternalServerError, errorType=UnexpectedError, errorMessage=An unexpected error has occurred. Please report the x-ms-request-id header value to our forums for assistance or raise a support ticket., errorMessage=This request is not authorized to perform this operation.
RequestId:90f902da-e003-0009-22e2-3a6991000000
Time:2023-02-07T10:55:22.1717613Z
Status: 403 (This request is not authorized to perform this operation.)
ErrorCode: AuthorizationFailure
Content:
<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationFailure</Code><Message>This request is not authorized to perform this operation.
RequestId:90f902da-e003-0009-22e2-3a6991000000
Time:2023-02-07T10:55:22.1717613Z</Message></Error>
Headers:
Date: Tue, 07 Feb 2023 10:55:21 GMT
Server: Microsoft-HTTPAPI/2.0
x-ms-request-id: 90f902da-e003-0009-22e2-3a6991000000
x-ms-error-code: AuthorizationFailure
Content-Length: 246
Content-Type: application/xml
The network settings for the storage account where the queue resides are set to "Enabled from selected virtual networks and IP addresses", with the option "Allow Azure services on the trusted services list to access this storage account" ticked.
According to the documentation, this should allow Event Grid to publish to storage queues.
If we alter the network settings for the storage account where the queue resides to "Enabled from all networks", then the messages are published successfully.
Does anyone know why allowing access from trusted Azure resources doesn't allow messages to be published to the storage queue? We would like to block public access on the storage account if at all possible.
Thanks