@Mauricio Rojas I'm glad to see you were able to resolve your issue. Thanks for posting your solution so that others experiencing the same thing can easily reference this. Since the Microsoft Q&A community has a policy that the question author cannot accept their own answer (they can only accept answers by others), I'll repost your solution in case you'd like to Accept the answer.
Issue:
You have a Video Indexer resource and it fails while accessing the storage account.
The issue is that any video you try to index fails, whether started manually from the portal or through the API. In the portal every video shows "Video unavailable", and when navigating to the video details and looking at the Insights (JSON), the failureCode and failureMessage are StorageAccessDenied.
Resolution:
When creating the AMA definition, the following actions must be added to the allowedActions property:
- Microsoft.Storage/storageAccounts/blobServices/containers/write
- Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
- Microsoft.Storage/storageAccounts/blobServices/containers/delete
And the following actions to the allowedDataActions property:
- Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
- Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
The Azure portal wizard has a field to set the allowedActions property but there isn't one for allowedDataActions when creating a service catalog managed application definition. This is not the case in the page for submitting the AMA for revision.
The only way to add the allowed data actions is using the Azure REST API. It can be done with the following PowerShell script:
```powershell
$subscriptionId = Read-Host -Prompt "Enter subscription ID"
$resourceGroup = Read-Host -Prompt "Enter resource group name"
$newDefinitionName = Read-Host -Prompt "Enter new definition name"
$packageFileUri = Read-Host -Prompt "Enter the URI to the package zip file"
$notificationEndpointURI = Read-Host -Prompt "Enter the notification endpoint URI with the sig parameter"
$securityGroupPrincipalId = Read-Host -Prompt "Enter the security group principal id to the definition"

# Function to output timestamped messages to the console
function Log-Message {
    param (
        [string]$message
    )
    $timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    Write-Output "$timestamp - $message"
}

# Get a Bearer token for Azure Resource Manager from the logged-in Azure CLI session
$tokenResponse = az account get-access-token --resource https://management.azure.com --output json | ConvertFrom-Json
$bearerToken = $tokenResponse.accessToken

# Verify token retrieval
if (-not $bearerToken) {
    Log-Message "Failed to retrieve Bearer token. Exiting script."
    exit 1
}
Log-Message "Successfully retrieved Bearer token."

# Construct the URL of the managed application definition to create/update
$url = "https://management.azure.com/subscriptions/$($subscriptionId.Trim())/resourceGroups/$($resourceGroup.Trim())/providers/Microsoft.Solutions/applicationDefinitions/$($newDefinitionName.Trim())?api-version=2019-07-01"

# Define the request body
$body = @{
    properties = @{
        lockLevel = "ReadOnly"
        displayName = "AMA name"
        description = "AMA description"
        authorizations = @(@{
            principalId = $securityGroupPrincipalId # Security group principal ID
            roleDefinitionId = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635" # Built-in Owner role definition ID
        })
        packageFileUri = $packageFileUri
        notificationPolicy = @{
            notificationEndpoints = @(@{
                uri = $notificationEndpointURI
            })
        }
        lockingPolicy = @{ # Actions needed by Video Indexer
            allowedActions = @(
                "Microsoft.Storage/storageAccounts/blobServices/containers/write",
                "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
                "Microsoft.Storage/storageAccounts/blobServices/containers/delete"
            )
            allowedDataActions = @(
                "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
                "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete"
            )
        }
        deploymentPolicy = @{
            deploymentMode = "Incremental"
        }
    }
    location = "eastus"
} | ConvertTo-Json -Depth 5

# Prepare headers
$headers = @{
    Authorization = "Bearer $bearerToken"
    "Content-Type" = "application/json"
}

# Log the request
Log-Message "Sending PUT request to $url"

# Send the request (Invoke-WebRequest is used so the HTTP status code is available on the response)
$response = Invoke-WebRequest -Uri $url -Method Put -Headers $headers -Body $body -ContentType "application/json" -ErrorAction Stop

# Log the response
Log-Message "Response Status Code: $($response.StatusCode)"
Log-Message "Response Body: $($response.Content)"
Write-Output "Request completed."
```
Thanks again for sharing your resolution.
** Please do not forget to "Accept the answer" and "up-vote" so that this can be beneficial to other community members.
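As an added check (not part of the answer above or of any Microsoft sample), the following script reads an existing definition back through the same REST endpoint and reports which of the Video Indexer actions are missing from its lockingPolicy; it assumes a logged-in Azure CLI session, and the `Get-MissingActions` helper is a name chosen here.

```powershell
# Added verification script: confirms that a managed application definition's
# deny-assignment exceptions (lockingPolicy) contain the actions Video Indexer needs.
$subscriptionId = Read-Host -Prompt "Enter subscription ID"
$resourceGroup = Read-Host -Prompt "Enter resource group name"
$definitionName = Read-Host -Prompt "Enter definition name"

# Control-plane actions that must appear in allowedActions
$requiredActions = @(
    "Microsoft.Storage/storageAccounts/blobServices/containers/write",
    "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
    "Microsoft.Storage/storageAccounts/blobServices/containers/delete"
)
# Data-plane actions that must appear in allowedDataActions
$requiredDataActions = @(
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete"
)

# Subexpressions keep '?' from being parsed as part of the variable name
$url = "https://management.azure.com/subscriptions/$($subscriptionId.Trim())/resourceGroups/$($resourceGroup.Trim())/providers/Microsoft.Solutions/applicationDefinitions/$($definitionName.Trim())?api-version=2019-07-01"

# 'az rest' reuses the CLI's cached login, so no manual token handling is needed
$definition = az rest --method get --url $url --output json | ConvertFrom-Json
$policy = $definition.properties.lockingPolicy

# Hypothetical helper: returns the required entries not present in the definition
function Get-MissingActions {
    param([string[]]$Required, [string[]]$Present)
    $Required | Where-Object { $Present -notcontains $_ }
}

$missingActions = Get-MissingActions -Required $requiredActions -Present @($policy.allowedActions)
$missingDataActions = Get-MissingActions -Required $requiredDataActions -Present @($policy.allowedDataActions)

if ($missingActions -or $missingDataActions) {
    Write-Output "Definition '$definitionName' is missing Video Indexer actions:"
    $missingActions | ForEach-Object { Write-Output "  allowedActions:     $_" }
    $missingDataActions | ForEach-Object { Write-Output "  allowedDataActions: $_" }
    exit 1
}
Write-Output "All required actions are present in lockingPolicy of '$definitionName'."
```

Because every entry in lockingPolicy is an exception to the managed resource group's deny assignment, keep the lists to exactly these storage actions rather than widening them to wildcards.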