I am trying to call an Azure Form Recognizer (part of Azure Cognitive Services) and pass it a URL for a PDF being stored in BlobStorage. However, I am getting a 403 error which says:
{"error":{"code":"Forbidden","message":"Access forbidden due to policy or other configuration.","innererror":{"code":"OutboundAccessForbidden","message":"The request contains a domain name that is not allowed by the current access control policy."}}}
I am calling the Form Recognizer API through the Cognitive Services .NET SDK and using DefaultAzureCredential for auth:
AnalyzeDocumentOperation operation = await _documentAnalysisClient.AnalyzeDocumentFromUriAsync(WaitUntil.Completed, "prebuilt-read", uri);
I'm pretty sure that this is saying that there is an error in the connection from Form Recognizer to Azure Storage, not from my app to Form Recognizer. I tried passing a file stream instead and it worked.
I am using Azure AD for auth and my Form Recognizer resource has a system assigned managed ID which I have given "Storage Blob Read" permissions. I don't really understand what the error is trying to convey and the docs don't give any context, nor is there any more information in the error. I've also tried opening the Storage account to public access with no restrictions and changed the access level for the container and blobs to public. I can't really think of what other access policies might be in place that would prevent the connection.
Any ideas?