Video Indexer cannot access Storage ACcount

Mauricio Rojas 20 Reputation points
2024-11-05T16:47:17.58+00:00

Hello,

I have an Azure Video Indexer instance with an associated Storage Account and a User Assigned Managed Identity, all in the East US region.

The Managed Identity has Storage Blob Data Contributor role over the Storage Account.

The issue is that any video I try to index fails, manually from the portal or through the API. In the portal any video says, 'Video unavailable' and when navigating to the video details and looking at the Insights (JSON), the failureCode and failureMessage are 'StorageAccessDenied' (see image below).

User's image

From the API, the error message is 'Video Indexer reports status as failed'.

I have another Video Indexer instance that was created in the past with the same configuration (same region, etc.) and it works as expected.

Azure AI Video Indexer
Azure AI Video Indexer
An Azure video analytics service that uses AI to extract actionable insights from stored videos.
84 questions
{count} votes

Accepted answer
  1. navba-MSFT 26,035 Reputation points Microsoft Employee
    2024-11-15T04:06:03.15+00:00

    @Mauricio Rojas I'm glad to see you were able to resolve your issue. Thanks for posting your solution so that others experiencing the same thing can easily reference this. Since the Microsoft Q&A community has a policy that the question author cannot accept their own answer, they can only accept answers by others, I'll repost your solution in case you'd like to Accept the answer.

    .

    Issue:

    You have a Video Indexer resource and it fails while accessing the storage account.

    The issue is that any video you try to index fails, manually from the portal or through the API. In the portal any video says, Video unavailable and when navigating to the video details and looking at the Insights (JSON), the failureCode and failureMessage are StorageAccessDenied.

    .

    .

    Resolution:

    When creating the AMA definition, the following actions must be added to the allowedActions property:

    • Microsoft.Storage/storageAccounts/blobServices/containers/write
    • Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
    • Microsoft.Storage/storageAccounts/blobServices/containers/delete

    And the following actions in the allowedDataActions property:

    • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
    • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete

    The Azure portal wizard has a field to set the allowedActions property but there isn't one for allowedDataActions when creating a service catalog managed application definition. This is not the case in the page for submitting the AMA for revision.When creating the AMA definition, the following actions must be added to the allowedActions property:

    • Microsoft.Storage/storageAccounts/blobServices/containers/write
    • Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
    • Microsoft.Storage/storageAccounts/blobServices/containers/delete

    And the following actions in the allowedDataActions property:

    • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
    • Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete

    The Azure portal wizard has a field to set the allowedActions property but there isn't one for allowedDataActions when creating a service catalog managed application definition. This is not the case in the page for submitting the AMA for revision.

    User's image

    .

    The only way to add the allowed data actions is using the Azure REST API. It can be done with the following PowerShell script:

    $subscriptionId = Read-Host -Prompt "Enter subscription ID"
    $resourceGroup = Read-Host -Prompt "Enter resource group name"
    $newDefinitionName = Read-Host -Prompt "Enter new definition name"
    $packageFileUri = Read-Host -Prompt "Enter the URI to the package zip file"
    $notificationEndpointURI = Read-Host -Prompt "Enter the notification endpoint URI with the sig parameter"
    $securityGroupPrincipalId = Read-Host -Prompt "Enter the security group principal id to the definition"
    # Function to output messages to the console
    
    function Log-Message {
        param (
            [string]$message
        )
        $timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
        $logMessage = "$timestamp - $message"
        Write-Output $logMessage
    }
    
    # Get Bearer token
    
    $tokenResponse = az account get-access-token --resource https://management.azure.com --output json | ConvertFrom-Json
    $bearerToken = $tokenResponse.accessToken
    # Verify token retrieval
    if (-not $bearerToken) {
        Log-Message "Failed to retrieve Bearer token. Exiting script."
        exit
    }
    
    Log-Message "Successfully retrieved Bearer token."
    # Construct the URL
    $url = "https://management.azure.com/subscriptions/$($subscriptionId.Trim())/resourceGroups/$($resourceGroup.Trim())/providers/Microsoft.Solutions/applicationDefinitions/$($newDefinitionName.Trim())?api-version=2019-07-01"
    
    # Define the request body
    
    $body = @{
        properties = @{
            lockLevel = "ReadOnly"
            displayName = "AMA name"
            description = "AMA description"
            authorizations = @(@{
                principalId = $securityGroupPrincipalId # Security group principal ID
                roleDefinitionId = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635" # Role ID
            })
    
            packageFileUri = $packageFileUri
            notificationPolicy = @{
                notificationEndpoints = @(@{
                    uri = $notificationEndpointURI
                })
            }
    
            lockingPolicy = @{ # Actions needed by Video Indexer
                allowedActions = @(
                    "Microsoft.Storage/storageAccounts/blobServices/containers/write",
    
                    "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
    
                	"Microsoft.Storage/storageAccounts/blobServices/containers/delete"
                )
                allowedDataActions = @(
                    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
            		"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete"
                )
            }
            deploymentPolicy = @{
                deploymentMode = "Incremental"
            }
        }
        location = "eastus"
    } | ConvertTo-Json -Depth 5
    
    # Prepare headers
    $headers = @{
        Authorization = "Bearer $bearerToken"
        "Content-Type" = "application/json"
    }
    
    # Log the request
    
    Log-Message "Sending PUT request to $url"
    
    # Send the request
    $response = Invoke-RestMethod -Uri $url -Method Put -Headers $headers -Body $body -ContentType "application/json" -ErrorAction Stop
    
    # Log the response
    
    Log-Message "Response Status Code: $($response.StatusCode)"
    Log-Message "Response Body: $($response | ConvertTo-Json -Depth 10)"
    Write-Output "Request completed. Check log at $logFilePath for details."
    
    

    Thanks again for sharing your resolution.

    ** Please do not forget to "Accept the answer” and “up-vote” so that this can be beneficial to other community members.

    1 person found this answer helpful.
    0 comments No comments

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.