Error: (InvalidDocumentAccessLevel): Cannot access source document location with the current permissions. Azure Translator service

Ridhima Nagar 15 Reputation points Microsoft Employee

I have set up the Translator service and granted 'Storage blob contributor' access to both source and target storage containers using managed identity.

Still, I am getting this error:

Error: (InvalidDocumentAccessLevel): Cannot access source document location with the current permissions.

This is the code below:

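    # Document Translation SDK types (azure-ai-translation-document package)
    from azure.ai.translation.document import (
        DocumentTranslationInput,
        StorageInputType,
        TranslationTarget,
    )

    source_container_path = f"https://{storage_container}.dfs.core.windows.net/{source_container}/{file_name}"
    target_container_path = f"https://{storage_container}.dfs.core.windows.net/{target_container}/{file_name}"

    logger.info("Source container path: '%s'", source_container_path)

    # Single-file translation: source and target URLs each point at one file
    translation_input = DocumentTranslationInput(
        source_url=source_container_path,
        storage_type=StorageInputType.FILE,
        targets=[
            TranslationTarget(
                target_url=target_container_path,
                language="en",
            )
        ],
    )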

  1. Hari Babu Vattepally 3,350 Reputation points Microsoft External Staff Moderator

    Hi @Ridhima Nagar

    Following up to see if the below answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

  2. Deleted

    This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

  3. Benjamin Eha 15 Reputation points

    Hello everyone, I've been facing the same permission issue with a Translator instance in Sweden Central. The implementation has been working properly for over a year. All of a sudden, it seems as if the translator lost the permission to access the storage account.

    Even files that worked days before do not work.

    Since all has worked fine, I assume there is something going on with the Managed Identity authentication. Anything known?

    Storage Account and Translator are deployed in Sweden Central.

    Thanks in advance

  4. Lili-9290 5 Reputation points

    @Benjamin Eha Have exact same issue but for west eu

  5. Benjamin Eha 15 Reputation points

    Lili-9290 What client are you using?

    I thought it might be an issue with Managed Identity. But in this case I use Power Automate. Maybe it is an issue with the Translator Connection?! I have created another test flow this morning and there it worked.



4 answers

  1. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.



  2. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.



  3. Hari Babu Vattepally 3,350 Reputation points Microsoft External Staff Moderator

    Hi Ridhima Nagar

    Welcome to Microsoft Q&A Forum and thanks for posting your query here!

    The error message you’re encountering, “Cannot access source document location with the current permissions,” typically indicates that the Azure Translator service is unable to access the blob in your Azure Storage account due to insufficient permissions.

    Please note that if you’ve disallowed public access to your storage account, all requests to blob data must be authorized regardless of the container’s public access setting. Even if you’ve allowed anonymous read access to the container, the Translator service might still need explicit authorization if public access is disallowed at the storage account level.

    Power Automate and Power Apps do not support connection with Azure Blob storage if the Blob storage is behind the firewall.

    Please try to set public access at the storage account level.


    Before you can use the Translator V3 connector's operations for document translation, you must grant your Translator resource access to your storage account using a managed identity with role-based identity control (RBAC).


    Or else you may use the Azure Translator service with a SAS URL to access the blob in the Azure Storage. https://stackoverflow.com/questions/77066290/cannot-access-source-document-location-with-the-current-permissions

    For reference: https://learn.microsoft.com/en-us/azure/ai-services/translator/connector/document-translation-flow?tabs=blob-storage#translate-documents

    You may also try the instructions for Document Translation using the Python Client Library. Here's another sample. I would recommend that you generate a new SAS token and pay close attention to the Start and Expiry date and time or else with REST API.

    Hope this Helps!

    If your issue remains unresolved or you have further questions, please let us know in the comments how we can assist. We are here to help you and strive to make your experience better and greatly value your feedback.

    Please do "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.

    1. Ridhima Nagar 15 Reputation points Microsoft Employee

      Hi, Thanks for your response.

      I have already enabled public access on the storage account, still the error persists. I cannot use SAS tokens due to security issues; managed identity-based authentication is the only solution for me.

          from azure.ai.translation.document import (
              DocumentTranslationClient,
              DocumentTranslationInput,
              StorageInputType,
              TranslationTarget,
          )
          from azure.identity import DefaultAzureCredential

          # DefaultAzureCredential uses the environment's Microsoft Entra identity (no keys or SAS)
          translation_client = DocumentTranslationClient(
              endpoint=f"https://{translation_service}.cognitiveservices.azure.com/",
              credential=DefaultAzureCredential(),
          )

          source_container_path = f"https://{storage_container}.dfs.core.windows.net/input/{file_name}"
          target_container_path = f"https://{storage_container}.dfs.core.windows.net/content"

          logger.info("Source container path: '%s'", source_container_path)

          translation_input = DocumentTranslationInput(
              source_url=source_container_path,
              storage_type=StorageInputType.FILE,
              targets=[
                  TranslationTarget(
                      target_url=target_container_path,
                      language="en",
                  )
              ],
          )

          # Submit the translation job
          job = translation_client.begin_translation(inputs=[translation_input])
      


    2. Hari Babu Vattepally 3,350 Reputation points Microsoft External Staff Moderator

      @Ridhima Nagar Sorry to see that the issue still persists. Since you have already enabled public access and managed identity-based authentication, please make sure the settings below are correctly configured.

      1. Enable Managed Identity: Make sure that the managed identity is enabled on your resource (e.g., VM, App Service). You can do this in the Azure portal under the Identity section of your resource.
      2. Assign Roles: Assign the necessary roles to the managed identity. For Blob Storage, you typically need the Storage Blob Data Reader and Storage Blob Data Writer roles.
      3. Update Your Code: Update your code to use the managed identity for authentication instead of the account key. Here's an example:
             from azure.identity import DefaultAzureCredential
             from azure.storage.blob import BlobServiceClient

             credential = DefaultAzureCredential()
             blob_service_client = BlobServiceClient(
                 account_url=f"https://{storage_account_name}.blob.core.windows.net",
                 credential=credential,
             )

             # Now you can use blob_service_client to interact with your storage account

      4. Check Permissions: Make sure that the managed identity has the correct permissions to access the storage account.
      5. Restart Services: After making these changes, restart your services to apply the new settings.

      Additional information:

      Please refer to the link below for setting up managed identities.

      https://learn.microsoft.com/en-us/entra/identity-platform/multi-service-web-app-access-storage?tabs=azure-portal%2Cprogramming-language-csharp

      Hope following the above steps helps in resolving the issue. Please let us know if you have any further questions. We will be glad to assist you.

    3. Hari Babu Vattepally 3,350 Reputation points Microsoft External Staff Moderator

      Hi @Ridhima Nagar

      Just following up to see if the above answer helped. Please do consider clicking Accept Answer as accepted answers help community as well. Also, please click on Yes for the survey 'Was the answer helpful'

    4. Hari Babu Vattepally 3,350 Reputation points Microsoft External Staff Moderator

      Hi @Ridhima Nagar

      Following up to see if the below answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

    5. Ridhima Nagar 15 Reputation points Microsoft Employee

      Thanks for your response,

      I tried many solutions, the one that finally worked involved using SAS tokens in the source and target container paths. This solution worked for testing, but we are creating an automated application and obtaining file SAS tokens is not possible.

      Is there any way to approach this error?

      Thanks

      Ridhima


  4. hossein jalilian 13,360 Reputation points Volunteer Moderator

    Thanks for posting your question in the Microsoft Q&A forum.

    Ensure that the Translator service's managed identity has the Storage Blob Data Reader role for the source container and Storage Blob Data Contributor role for the target container.

    If you're using a SAS token for access, ensure it has the correct permissions and hasn't expired.

    As a test, try using a simpler path structure without subfolders to rule out any issues with folder permissions.


    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful

    1. Ridhima Nagar 15 Reputation points Microsoft Employee

      I have granted these roles to the translator service. I have included these to the storage account having source and target containers. Is there any issue with this?
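
The role check discussed in this answer, as an added example that is not part of the thread: it evaluates role assignments, in the shape `az role assignment list` prints (`principalId`, `roleDefinitionName`, `scope`), against the source and target containers. It assumes Storage Blob Data Contributor and Owner also cover reads and that control-plane roles such as Contributor grant no blob data access; every ID and resource name in the sample is constructed.

```python
# Blob data-plane roles: Contributor and Owner include read as well as write.
READ_ROLES = {"Storage Blob Data Reader", "Storage Blob Data Contributor",
              "Storage Blob Data Owner"}
WRITE_ROLES = {"Storage Blob Data Contributor", "Storage Blob Data Owner"}

def container_scope(account_id, container):
    """ARM scope string of one blob container inside a storage account."""
    return f"{account_id}/blobServices/default/containers/{container}"

def covers(assignment_scope, resource_scope):
    """True if the assignment sits on the resource itself or on an ancestor."""
    a = assignment_scope.rstrip("/").lower()
    r = resource_scope.rstrip("/").lower()
    return r == a or r.startswith(a + "/")

def check_access(assignments, principal_id, account_id, source, target):
    """Return findings for the identity; an empty list means both are covered."""
    mine = [a for a in assignments
            if a["principalId"].lower() == principal_id.lower()]
    findings = []
    for label, container, needed in (("source", source, READ_ROLES),
                                     ("target", target, WRITE_ROLES)):
        scope = container_scope(account_id, container)
        held = sorted({a["roleDefinitionName"] for a in mine
                       if covers(a["scope"], scope)})
        if not needed.intersection(held):
            findings.append(f"{label} container '{container}': no blob data "
                            f"role in scope (held: {', '.join(held) or 'none'})")
    return findings

# Constructed sample: placeholder subscription, resource group, account and IDs.
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
ACCOUNT = f"{RG}/providers/Microsoft.Storage/storageAccounts/demostore"
TRANSLATOR_A = "11111111-1111-1111-1111-111111111111"
TRANSLATOR_B = "22222222-2222-2222-2222-222222222222"
SAMPLE = [
    {"principalId": TRANSLATOR_A, "roleDefinitionName": "Contributor", "scope": ACCOUNT},
    {"principalId": TRANSLATOR_A, "roleDefinitionName": "Storage Blob Data Reader",
     "scope": container_scope(ACCOUNT, "input")},
    {"principalId": TRANSLATOR_B, "roleDefinitionName": "Storage Blob Data Contributor",
     "scope": RG},
]

if __name__ == "__main__":
    for pid in (TRANSLATOR_A, TRANSLATOR_B):
        print(pid, check_access(SAMPLE, pid, ACCOUNT, "input", "content") or "ok")
```

Identity A fails on the target because its only account-level role is the control-plane Contributor, while identity B passes through a data role inherited from the resource group.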

