Getting 403 Forbidden response while running with storage account's connection string with docker

Question

Getting 403 Forbidden response while running with storage account's connection string with docker

JonnyyJ opened this issue a year ago · comments

Hi,
I'm running the monitor with docker to try to connect the service which I deployed in azure.
After run
docker run -p 7072:80 -e AzureWebJobsStorage="connection string" -e DFM_NONCE="i_sure_know_what_i_am_doing" scaletone/durablefunctionsmonitor:6.2

I got this error:

Is there any setting I missed?

Konstantin Lepeshenkov · Answer 1 · Thu Apr 27 2023 23:08:01 GMT+0800 (China Standard Time)

Hi @JonnyyJ , your command line seems correct.

But what Storage Provider your service is using? Default, Netherite or MSSQL?
Does that connection string contain a key? Can you try to connect to the Storage with it via e.g. Storage Explorer?
Is there anything special about that Storage account your service is using (like firewall rules etc.)?

JonnyyJ · Answer 2 · Fri Apr 28 2023 03:57:09 GMT+0800 (China Standard Time)

Hi @scale-tone
We are using the default Provider, the connection string is correct, it works with storage explorer, we do have firewall rules, since I was connecting from my local docker, could the firewall be the issue?
This is the failed infor I got:

fail: Function.DfmGetTaskHubNamesFunction.User[0]
      DFM failed
      Microsoft.WindowsAzure.Storage.StorageException: Forbidden
         at Microsoft.WindowsAzure.Storage.Core.Executor.Executor.ExecuteAsyncInternal[T](RESTCommand`1 cmd, IRetryPolicy policy, OperationContext operationContext, CancellationToken token)
         at Microsoft.WindowsAzure.Storage.Table.CloudTableClient.ListTablesSegmentedAsync(String prefix, Nullable`1 maxResults, TableContinuationToken currentToken, TableRequestOptions requestOptions, OperationContext operationContext, CancellationToken cancellationToken)
         at DurableFunctionsMonitor.DotNetBackend.TableClient.ListTableNamesAsync() in /src/dotnet-function-app/Common/TableClient.cs:line 86
         at DurableFunctionsMonitor.DotNetBackend.Auth.GetTaskHubNamesFromStorage(String connStringName) in /src/dotnet-function-app/Common/Auth.cs:line 172
         at DurableFunctionsMonitor.DotNetBackend.TaskHubNames.<>c.<<DfmGetTaskHubNamesFunction>b__0_0>d.MoveNext() in /src/dotnet-function-app/Functions/TaskHubNames.cs:line 33
      --- End of stack trace from previous location ---
         at DurableFunctionsMonitor.DotNetBackend.Globals.<>c__DisplayClass19_0.<<HandleAuthAndErrors>b__0>d.MoveNext() in /src/dotnet-function-app/Common/Globals.cs:line 114
      --- End of stack trace from previous location ---
         at DurableFunctionsMonitor.DotNetBackend.Globals.HandleErrors(HttpRequest req, ILogger log, Func`1 todo) in /src/dotnet-function-app/Common/Globals.cs:line 123
      Request Information
      RequestID:1abd2ed7-d002-0007-587b-780275000000
      RequestDate:Wed, 26 Apr 2023 20:14:03 GMT
      StatusMessage:Forbidden
      ErrorCode:
      ErrorMessage:This request is not authorized to perform this operation.
      RequestId:1abd2ed7-d002-0007-587b-780275000000
      Time:2023-04-26T20:14:03.2090270Z

Konstantin Lepeshenkov · Answer 3 · Fri Apr 28 2023 04:35:13 GMT+0800 (China Standard Time)

The error is straightforward - StorageException: Forbidden when DfMon tries to list tables in your storage account using that connection string. But so far I don't have a clue of what might be causing this...

@JonnyyJ , can you try to navigate to your Task Hub directly by appending its name to DfMon's URL (e.g. http://localhost:7072/MyTaskHub) and see whether you get further errors?

Also, does it happen with just this storage account or with others as well? Can you try another connection string?

JonnyyJ · Answer 4 · Fri Apr 28 2023 04:55:43 GMT+0800 (China Standard Time)

The error is straightforward - StorageException: Forbidden when DfMon tries to list tables in your storage account using that connection string. But so far I don't have a clue of what might be causing this...

@JonnyyJ , can you try to navigate to your Task Hub directly by appending its name to DfMon's URL (e.g. http://localhost:7072/MyTaskHub) and see whether you get further errors?

Also, does it happen with just this storage account or with others as well? Can you try another connection string?

We only have this storage account.
I tried that path, and I'm getting a 443, is this a firewall issue?

Load failed. One or more errors occurred.(Name or service not know xxxxx.blob.core.windows.net:443)

@scale-tone

Konstantin Lepeshenkov · Answer 5 · Fri Apr 28 2023 05:21:29 GMT+0800 (China Standard Time)

Name or service not know xxxxx.blob.core.windows.net

Looks like your storage account URL (xxxxx.blob.core.windows.net) cannot be resolved from inside a docker container. This is definitely a connectivity issue, but on what side - that is yet to be discovered.

Actually, the first thing I'd do is restarting Docker Desktop (or, preferably, the whole devbox). Docker has a known issue, whereas after your laptop goes to sleep, clock shifts inside running containers, which causes TLS failures and other crazy errors.

If that doesn't help, then the next step would be to try running DfMon locally not as a container, but e.g. as a VsCode extension or by just starting it as a Function App. And see if you get same errors.

Can you try those things?

JonnyyJ · Answer 6 · Fri Apr 28 2023 22:07:32 GMT+0800 (China Standard Time)

@scale-tone
It's working with vscode extension, thanks!