Permission denied while trying to mount Azure Fileshare volume in a Container App

Victor Angelier@NGBlu 0 Reputation points
2024-09-13T15:07:56.53+00:00

I receive this error when trying to create a new Container App revision.

{"TimeStamp":"2024-09-13 14:41:30 \u002B0000 UTC","Type":"Warning","ContainerAppName":"io2-api","RevisionName":"****","ReplicaName":"****","Msg":"Container \u0027io2-api\u0027 was terminated with exit code \u0027\u0027 and reason \u0027VolumeMountFailure\u0027. One or more errors occurred. (Shell command exited with non-zero status code. StatusCode = 32 | StdOut =  | StdErr = mount error(13): Permission denied\nRefer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)\n) (Shell command exited with non-zero status code. StatusCode = 32 | StdOut =  | StdErr = mount error(13): Permission denied\nRefer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)\n)","Reason":"ContainerTerminated","EventSource":"ContainerAppController","Count":7}
{"TimeStamp":"2024-09-13T14:41:31Z","Type":"Normal","ContainerAppName":null,"RevisionName":null,"ReplicaName":null,"Msg":"Shutting down events stream. Max connection open time reached","Reason":"CloseConnectionDueToTimeout","EventSource":"ContainerAppController","Count":1}

This is my bicep file:

          volumeMounts: [
            {
              mountPath: '/home/storage'
              volumeName: 'dev-volume'
            }
          ]
        }
      ]
      volumes: [
        {
          name: 'dev-volume'
          storageName: 'container-volume'
          storageType: 'AzureFile'
        }
      ]

I configured the container-volume name in the Container App Environment with staging-storage (storage account) and api (fileshare).

The Container App environment uses a managed identity and I configured the SMB contributor role.

The container is in the same VNET as the Storage and this VNET is allowed access.

I have the same setup for a different resource group and it works fine there. In the Staging resource group I can't get this to work. I hope somebody can help me out or at least give me some lead as I am out of ideas.


1 answer

  1. Amira Bedhiafi 27,441 Reputation points
    2024-12-10T13:24:58.25+00:00

    The container is unable to authenticate and access the Azure Fileshare.

    You need to check whether the managed identity associated with your Container App Environment is assigned the Storage File Data SMB Share Contributor role on the Azure Fileshare (not just on the storage account level).

    Then verify that the storage account Firewall and Virtual Network settings allow access from the VNET hosting the container.

    If you are using a private endpoint for the storage account, ensure that the container app can resolve the storage account's private endpoint DNS name.

    So, test DNS resolution within the VNET by deploying a test VM or container, and run:

    nslookup <storage-account-name>.file.core.windows.net
    
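For triaging a stream of Container Apps system-log events like the ones in the question, the sketch below pulls out every `VolumeMountFailure` event and the `mount.cifs` error number behind it. It is an added example, not part of the original thread; the function name `triage_mount_failures` is hypothetical and the sample events are constructed.

```python
import errno
import json
import re

# Constructed sample events shaped like the system-log lines in the question
# (app and revision names are placeholders, message shortened).
_STDERR = "StdErr = mount error(13): Permission denied\nRefer to the mount.cifs(8) manual page\n"
SAMPLE_EVENTS = [
    json.dumps({"Type": "Warning", "ContainerAppName": "example-app",
                "RevisionName": "example-rev", "Count": 7,
                "Msg": "Container 'example-app' was terminated with exit code '' and "
                       "reason 'VolumeMountFailure'. One or more errors occurred. "
                       f"(StatusCode = 32 | {_STDERR}) (StatusCode = 32 | {_STDERR})"}),
    json.dumps({"Type": "Normal", "ContainerAppName": None, "Count": 1,
                "Msg": "Shutting down events stream. Max connection open time reached"}),
    "truncated {not json",
]

MOUNT_ERR = re.compile(r"mount error\((\d+)\): ([^\n]*)")


def triage_mount_failures(lines):
    """Return one finding per VolumeMountFailure event with its distinct mount errors."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines in the stream
        if not isinstance(event, dict):
            continue
        msg = event.get("Msg") or ""
        if "VolumeMountFailure" not in msg:
            continue
        # The same stderr text is repeated inside one message, so de-duplicate by code.
        errors = {int(code): text.strip() for code, text in MOUNT_ERR.findall(msg)}
        findings.append({
            "app": event.get("ContainerAppName"),
            "revision": event.get("RevisionName"),
            "count": event.get("Count"),
            "errors": [{"code": c, "errno": errno.errorcode.get(c, "UNKNOWN"), "text": t}
                       for c, t in sorted(errors.items())],
        })
    return findings
```

The number in `mount error(N)` is a Linux errno, so 13 maps to `EACCES`: the mount request was refused, rather than failing with a name-resolution or timeout error.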
