I have an Azure managed app that needs to access the storage account in the publisher subscription. I have the 'contributor' RBAC assigned for 'appliance resource provider' at the storage account scope level, as I understand the Azure managed app uses the publisher's appliance resource provider service principal and has owner permission at the customer's MRG (managed resource group). Is there anything I am missing here? Essentially, the managed app needs to access the storage account in a different subscription (in the publisher's) and generate a SAS token on the fly to access the storage URI.

I am getting the following error stating that the client (it turns out to be the appliance resource provider):

The client '59xxxxxxxxxxxxxxxxxxxb' with object id '59xxxxxxxxxxxxxxxb' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/listAccountSas/action' over scope '/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx6/resourcegroups/kb-prod-rg/providers/Microsoft.Storage/storageAccounts/templatestore' or the scope is invalid. If access was recently granted, please refresh your credentials. (Code: AuthorizationFailed)
