Blob storage access policy breaks ERP archive automation after SAS token expiry and RBAC changes

Our ERP archive automation stopped working when SAS tokens expired. The automation uses stored access policies on blob containers for archiving historical ERP data, but after token expiry the entire process fails.

We’re trying to implement RBAC policy updates to eliminate dependency on SAS tokens, but the transition to managed identity authentication isn’t working as expected. The automation can’t authenticate even though the managed identity has Storage Blob Data Contributor role.


```text
Error: Authorization failed for blob operation
AuthenticationType: SharedAccessSignature
SASExpiry: 2024-12-01T00:00:00Z
```

This is causing archive automation failures and we’re accumulating unarchived ERP data. How do we properly handle SAS token expiry while transitioning to managed identity?

Your archive automation failure involves all three authentication areas. Here’s the comprehensive solution to transition from SAS tokens to managed identity:

SAS Token Expiry Management: SAS tokens with stored access policies provide centralized control but require active management. Your current issue stems from hardcoded SAS tokens in automation code. Best practice for SAS management:

  1. Never hardcode SAS tokens - store in Key Vault if SAS is required
  2. Set reasonable expiry (90-180 days for automation scenarios)
  3. Implement token refresh logic before expiry
  4. Use stored access policies to enable revocation without code changes

However, for long-term automation, managed identity is superior and eliminates token management entirely.
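As an added illustration (not code from this thread), the "refresh before expiry" decision in step 3 can be driven by the token's own parameters: `se` carries the expiry for an ad-hoc SAS, while a token bound to a stored access policy carries `si` and may omit `se` entirely, so its expiry has to be read from the container policy instead. The Python below is self-contained standard-library code; the tokens and signatures in it are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Refresh well ahead of expiry so a rotated token can be deployed and verified in time.
REFRESH_WINDOW = timedelta(days=14)


def parse_sas(sas: str) -> dict:
    """Split a SAS token (bare query string or a full blob URL) into its parameters."""
    query = urlsplit(sas).query if "://" in sas else sas.lstrip("?")
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def parse_sas_time(value: str) -> datetime:
    """SAS 'st'/'se' values are ISO 8601 UTC; the date-only form is also permitted."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%dZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time: {value!r}")


def sas_status(sas: str, now: datetime, refresh_window: timedelta = REFRESH_WINDOW) -> dict:
    """Classify a token as expired / refresh-due / valid, or policy-managed when the
    expiry is inherited from a stored access policy ('si') rather than carried in 'se'."""
    params = parse_sas(sas)
    result = {"policy": params.get("si"), "permissions": params.get("sp", ""), "expiry": None}
    if "se" not in params:
        # No expiry in the token: only legitimate when a stored access policy is referenced.
        # The policy's own expiry must then be checked on the container, not here.
        result["status"] = "policy-managed" if params.get("si") else "invalid"
        return result
    expiry = parse_sas_time(params["se"])
    result["expiry"] = expiry
    if now >= expiry:
        result["status"] = "expired"
    elif expiry - now <= refresh_window:
        result["status"] = "refresh-due"
    else:
        result["status"] = "valid"
    return result


def has_permissions(sas: str, required: str) -> bool:
    """True when every required permission letter (e.g. 'rw') is granted by 'sp'."""
    granted = set(parse_sas(sas).get("sp", ""))
    return set(required) <= granted


# Constructed sample tokens; 'sig' values are placeholders, not real signatures.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
EXPIRED_SAS = "sv=2022-11-02&ss=b&srt=co&sp=rwl&se=2024-12-01T00:00:00Z&sig=PLACEHOLDER"
SOON_SAS = "sv=2022-11-02&ss=b&srt=co&sp=rwl&se=2025-01-20T00:00:00Z&sig=PLACEHOLDER"
OK_SAS = ("https://erparchive.blob.core.windows.net/archive"
          "?sv=2022-11-02&sr=c&sp=rwl&se=2025-06-01&sig=PLACEHOLDER")
POLICY_SAS = "sv=2022-11-02&sr=c&si=erp-archive-policy&sig=PLACEHOLDER"

if __name__ == "__main__":
    for name, token in [("expired", EXPIRED_SAS), ("soon", SOON_SAS),
                        ("ok", OK_SAS), ("policy", POLICY_SAS)]:
        print(f"{name:8} -> {sas_status(token, NOW)['status']}")
```

Running this check from the automation's health probe (or a scheduled job) turns a silent expiry into an early "refresh-due" signal; for policy-bound tokens the check must additionally read the stored access policy's expiry from the container, which is exactly the centralised control point the answer describes.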

RBAC Policy Update Process: Your managed identity has the correct role but insufficient scope. Verify and update:


```bash
az role assignment create \
  --assignee <function-managed-identity-id> \
  --role "Storage Blob Data Contributor" \
  --scope /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Storage/storageAccounts/erparchive
```

Storage Blob Data Contributor provides read, write, and delete permissions on blob data. Assign at storage account level to cover all containers used by automation.
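To make the "correct role but insufficient scope" diagnosis concrete, here is an added Python example (not from the thread and not an Azure SDK API) that models how RBAC scope inheritance decides whether a role assignment reaches a given container, together with a small polling helper for the propagation window mentioned later in the answer. The subscription, resource-group and principal IDs are constructed placeholders, and the probe passed to the polling helper stands in for a real test read performed with the managed identity.

```python
import time
from dataclasses import dataclass
from typing import Callable, Iterable, List

# Constructed placeholders, not real Azure identifiers.
SUB = "00000000-0000-0000-0000-000000000000"
RG = "erp-rg"
ACCOUNT = "erparchive"
FUNCTION_MI = "11111111-1111-1111-1111-111111111111"  # function's managed identity object ID
ROLE = "Storage Blob Data Contributor"


@dataclass(frozen=True)
class RoleAssignment:
    principal_id: str
    role: str
    scope: str  # ARM resource ID the role was granted on


def account_scope(sub: str, rg: str, account: str) -> str:
    return (f"/subscriptions/{sub}/resourceGroups/{rg}"
            f"/providers/Microsoft.Storage/storageAccounts/{account}")


def container_scope(sub: str, rg: str, account: str, container: str) -> str:
    # Data-plane roles can be granted on a single container under blobServices/default.
    return f"{account_scope(sub, rg, account)}/blobServices/default/containers/{container}"


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """RBAC inherits downward: a grant at scope S applies to S itself and to every
    resource whose ID sits below S. Scopes compare case-insensitively, and the
    prefix must end on a path boundary so 'erparchive' never covers 'erparchive2'."""
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def effective_grants(assignments: Iterable[RoleAssignment], principal_id: str,
                     role: str, target_scope: str) -> List[RoleAssignment]:
    """Assignments of `role` to `principal_id` that actually reach `target_scope`."""
    return [a for a in assignments
            if a.principal_id == principal_id and a.role == role
            and scope_covers(a.scope, target_scope)]


def wait_for_grant(probe: Callable[[], bool], attempts: int = 20,
                   delay_s: float = 30.0, sleep: Callable[[float], None] = time.sleep) -> bool:
    """Poll `probe` (e.g. a test blob read using the managed identity) until it
    succeeds, allowing for the 5-10 minute RBAC propagation window."""
    for _ in range(attempts):
        if probe():
            return True
        sleep(delay_s)
    return False


# Constructed scenario: the role was granted on last year's container only.
ASSIGNMENTS = [
    RoleAssignment(FUNCTION_MI, ROLE, container_scope(SUB, RG, ACCOUNT, "erp-archive-2023")),
]
TARGET_2023 = container_scope(SUB, RG, ACCOUNT, "erp-archive-2023")
TARGET_2024 = container_scope(SUB, RG, ACCOUNT, "erp-archive-2024")


def diagnose(assignments: Iterable[RoleAssignment], target_scope: str) -> str:
    grants = effective_grants(assignments, FUNCTION_MI, ROLE, target_scope)
    return "covered" if grants else "NOT covered"


if __name__ == "__main__":
    print("2023 container:", diagnose(ASSIGNMENTS, TARGET_2023))
    print("2024 container:", diagnose(ASSIGNMENTS, TARGET_2024))
    widened = ASSIGNMENTS + [RoleAssignment(FUNCTION_MI, ROLE, account_scope(SUB, RG, ACCOUNT))]
    print("2024 container after account-level grant:", diagnose(widened, TARGET_2024))
```

The point of the model is the failure mode: a grant scoped to one container silently does nothing for the next year's container the archiver creates, which is why the answer recommends assigning at the storage account level. `wait_for_grant` is deliberately generic so the same loop can wrap whatever read the automation uses as its smoke test.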

Managed Identity Authentication Implementation: Update your Azure Function code to eliminate SAS dependency. Here’s the transition:

Old code (SAS-based):


```csharp
using Azure.Storage.Blobs;
// The SAS is baked into the connection string, so every expiry breaks the automation.
BlobServiceClient client = new BlobServiceClient(
  "DefaultEndpointsProtocol=https;AccountName=...;SharedAccessSignature=..."
);
```

New code (Managed Identity):


```csharp
using System;
using Azure.Identity;
using Azure.Storage.Blobs;

// DefaultAzureCredential resolves to the Function App's managed identity at runtime;
// no secret is stored and the access token is acquired and renewed automatically.
var credential = new DefaultAzureCredential();
var serviceUri = new Uri("https://erparchive.blob.core.windows.net");
BlobServiceClient client = new BlobServiceClient(serviceUri, credential);
```

Critical steps for successful transition:

  1. Enable system-assigned managed identity on Azure Function:
    • Portal: Function App → Identity → System assigned → On
    • CLI: az functionapp identity assign --name YourFunction --resource-group YourRG
  2. Update function application settings:
  3. Update NuGet packages:
    • Azure.Storage.Blobs (v12+)
    • Azure.Identity (v1.5+)
  4. Modify code to use DefaultAzureCredential (shown above)
  5. Test authentication:
    • Deploy updated function
    • Trigger manually to verify blob access
    • Monitor function logs for authentication errors
  6. Handle firewall rules:
    • If storage has firewall enabled, add Function App outbound IPs to allowed list
    • Or use VNet integration with service endpoints

RBAC role assignments can take 5-10 minutes to propagate. After assignment, the DefaultAzureCredential will automatically discover and use the function’s managed identity for authentication.

Benefits of this approach:

  • No token expiry management required
  • Automatic credential rotation by Azure
  • Centralized access control via RBAC
  • Audit trail through Azure Activity Log
  • No secrets stored in code or configuration

Your archive automation will resume once the function code is updated to use managed identity authentication and RBAC permissions have propagated.

In your Azure Function code, you need to use the Azure.Identity library. Replace the connection string with a BlobServiceClient that uses DefaultAzureCredential. The credential will automatically use the function’s managed identity. Make sure to remove the connection string from app settings and use the storage account endpoint URL directly.

The error shows your automation is still using SAS authentication. You need to update the automation script or pipeline to use managed identity credentials instead of the SAS token connection string. Just having RBAC assigned isn’t enough - the code needs to authenticate using DefaultAzureCredential or similar.

We’re using Azure Functions for the automation. Enabled managed identity and assigned Storage Blob Data Contributor but getting authentication errors. The function code still references the SAS connection string. What’s the correct way to authenticate with managed identity in function code?

For Azure Automation runbooks, you need to enable system-assigned managed identity on the Automation Account itself, not just assign RBAC. Then update your runbook code to use Connect-AzAccount -Identity instead of connection strings. If using Logic Apps or Functions, a similar principle applies: enable managed identity on the resource and update the authentication method in code.