A web app is not able to access Storage account SAS URL within VNET.

Hello Team,

I have a use case, where I have a web app (Python-based), that lets us translate documents using azure document translator API. As per the documentation, azure document translator begin_translation needs and for the documents. All my resources are in VNET and the storage account also has a private endpoint configured. I am generating an SAS URL using as:

container_sas_url = f"https://{storage_account_name}.blob.core.windows.net/" + container_name + "?" + sas_token

But, the application complains "Error during document translation: (InvalidDocumentAccessLevel): Cannot access source document location with the current permissions.". I have provided "rl" for the source and "wl" for the target container as permissions. Since VNET is configured with a private endpoint, public access for storage account is disabled.

So, is there a way to make this work without opening up public access to the storage account ?

Or is it by design, for document translation, storage account should have public access since SAS URL cannot be used when public access is disabled ? Kindly help!

Thank you so much!