Mounting Azure Files volume in Container App fails with "access denied" error.

Victor Angelier@NGBlu 0 Reputation points
2024-09-13T14:53:11.1366667+00:00

Hi all,

I have 2 environments. Development and Staging. I use Bicep files to deploy Container App revisions. In Development I can mount the Azure Files defined in the Container App Env without any issues.

In the Staging environment the setup is equal, but I get a permission denied error. After some debugging I found that this is related to mounting the Azure File in the Container App. The storage and the app are in the same Virtual Network and Subnet. I use user-assigned managed identities.

I checked:

Permissions (role assignments) for these Managed Identities

Permissions (role assignments) for Storage Account

Permissions (role assignments) for Container App Environment

Permissions (role assignments) for Container App

The BICEP file and compared it with the running configuration on the Development resource group.

I tested creating a new blank container app in the Development RG and it works fine. I have no idea what I missed. I have absolutely no leads to work with, hope you guys have ideas!

The error

{"TimeStamp":"2024-09-13 14:41:30 \u002B0000 UTC","Type":"Warning","ContainerAppName":"io2-api","RevisionName":"io2-api--202409131430","ReplicaName":"io2-api--202409131430-6b4547c6c4-g7c7m","Msg":"Container \u0027io2-api\u0027 was terminated with exit code \u0027\u0027 and reason \u0027VolumeMountFailure\u0027. One or more errors occurred. (Shell command exited with non-zero status code. StatusCode = 32 | StdOut = | StdErr = mount error(13): Permission denied\nRefer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)\n) (Shell command exited with non-zero status code. StatusCode = 32 | StdOut = | StdErr = mount error(13): Permission denied\nRefer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)\n)","Reason":"ContainerTerminated","EventSource":"ContainerAppController","Count":7}

{"TimeStamp":"2024-09-13T14:41:31Z","Type":"Normal","ContainerAppName":null,"RevisionName":null,"ReplicaName":null,"Msg":"Shutting down events stream. Max connection open time reached","Reason":"CloseConnectionDueToTimeout","EventSource":"ContainerAppController","Count":1}


1 answer

  1. Keshavulu Dasari 1,080 Reputation points Microsoft Vendor
    2024-09-13T17:03:11.6833333+00:00

    Hi Victor Angelier@NGBlu,
    You are having trouble mounting Azure Files in your Container App in the Staging environment. You mentioned that you have checked the permissions for the Managed Identities, Storage Account, Container App Environment, and Container App.

    Based on the error message you provided, it seems like the issue is related to a permission denied error. This could be due to incorrect permissions or credentials.

    Have you checked the credentials for the User Assigned Managed Identity in the Staging environment?

    You may want to verify that the credentials are correct and that the Managed Identity has the necessary permissions to access the Azure Files.

    Also, have you checked the firewall settings for the Storage Account? You may want to ensure that the firewall settings allow traffic from the Staging environment.

    If you have already checked these settings, it may be helpful to review the BICEP file and compare it with the running configuration on the Development resource group to see if there are any differences.

    And also, please consider:

    Network Security Group (NSG) Rules: Ensure that the NSG rules for the Staging environment allow the necessary traffic between the Container App and the Storage Account.

    Azure Files Firewall Settings: Double-check the firewall settings on the Azure Storage Account to ensure that the Staging environment’s subnet is allowed.

    Managed Identity Permissions: Verify that the User Assigned Managed Identity in the Staging environment has the necessary permissions on both the Storage Account and the Container App. Sometimes, permissions might not propagate correctly.

    Azure Role Assignments: Confirm that the role assignments for the Managed Identity are correctly set up in the Staging environment. You might want to reassign the roles to ensure they are applied correctly.

    Bicep File Differences: Even though you’ve compared the Bicep files, there might be subtle differences. Ensure that all parameters and configurations are identical, especially those related to networking and identity.

    Logs and Diagnostics: Check the logs for both the Container App and the Storage Account. Azure Monitor and Application Insights can provide detailed logs that might highlight the exact permission issue.

    I hope this helps, please let us know if you have any further queries. I’m happy to assist you further.
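
One way to pull the mount failure details out of the event stream shown in the question, as an added example that is not part of the original posts: it parses the ContainerAppController JSON lines, keeps only the VolumeMountFailure events and reports the mount.cifs error number by its errno name. The function name and the output field names are this example's own choices.

```python
import errno
import json
import re

# Two events copied from the question; the duplicated error text in the first is shortened.
SAMPLE_EVENTS = r'''
{"TimeStamp":"2024-09-13 14:41:30 \u002B0000 UTC","Type":"Warning","ContainerAppName":"io2-api","RevisionName":"io2-api--202409131430","ReplicaName":"io2-api--202409131430-6b4547c6c4-g7c7m","Msg":"Container \u0027io2-api\u0027 was terminated with exit code \u0027\u0027 and reason \u0027VolumeMountFailure\u0027. One or more errors occurred. (Shell command exited with non-zero status code. StatusCode = 32 | StdOut = | StdErr = mount error(13): Permission denied\nRefer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)\n)","Reason":"ContainerTerminated","EventSource":"ContainerAppController","Count":7}
{"TimeStamp":"2024-09-13T14:41:31Z","Type":"Normal","ContainerAppName":null,"RevisionName":null,"ReplicaName":null,"Msg":"Shutting down events stream. Max connection open time reached","Reason":"CloseConnectionDueToTimeout","EventSource":"ContainerAppController","Count":1}
'''

REASON_RE = re.compile(r"reason '([^']+)'")
MOUNT_ERR_RE = re.compile(r"mount error\((\d+)\)")
STATUS_RE = re.compile(r"StatusCode = (\d+)")


def mount_failures(stream):
    """Return one finding per event whose termination reason is VolumeMountFailure."""
    findings = []
    for line in stream.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)  # also decodes the \u0027 and \u002B escapes
        except json.JSONDecodeError:
            continue  # tolerate non-JSON lines in the stream
        if not isinstance(event, dict):
            continue
        msg = event.get("Msg") or ""
        reason = REASON_RE.search(msg)
        if reason is None or reason.group(1) != "VolumeMountFailure":
            continue
        # The same mount error can be repeated inside one message, so de-duplicate.
        codes = sorted({int(c) for c in MOUNT_ERR_RE.findall(msg)})
        status = STATUS_RE.search(msg)
        findings.append({
            "app": event.get("ContainerAppName"),
            "revision": event.get("RevisionName"),
            "replica": event.get("ReplicaName"),
            "occurrences": event.get("Count"),
            "mount_exit_status": int(status.group(1)) if status else None,
            # Map the errno to its symbolic name, e.g. 13 -> EACCES.
            "errors": [(c, errno.errorcode.get(c, "UNKNOWN")) for c in codes],
        })
    return findings


if __name__ == "__main__":
    for finding in mount_failures(SAMPLE_EVENTS):
        print(finding)
```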
