Upload file to Azure blob storage - CRL-290029 Forbidden
This article addresses the Campaign v7 issue where you can only read files, but can’t write files in the blob storage. To resolve this, contact Azure to check read/write permissions, which are determined by identity/authorization (RBAC or SAS).
Description description
Environment
Adobe Campaign
Issue/Symptoms
- You are integrating Adobe Campaign v7 with Adobe Experience Platform, and you have created a workflow as described in Create an export workflow in Campaign Classic in Campaign Classic v7 Documentation. This is in order to export data from ACC to the Azure blob storage location.
- You try to add a File transfer activity (Action-File upload) to Azure Blob. In the Audit Trail logs, you see an error similar to:
CRL-290182 Error occurred while uploading ‘https://xxxx002.blob.core.windows.net/campaign/xxxAEP/Feedback/envioCDP.csv’ to Azure Blob Storage (code CRL-290029 Forbidden - The server understood the request, but is refusing to fulfill it)
The result is that you can read files from the blob storage (download), but you can’t write files there (upload).
Resolution resolution
To resolve issues like this, contact Azure to check read/write permissions, which are determined by identity/authorization (RBAC or SAS).
Read vs write access in Azure Blob Storage isn’t defined by which caller IP is whitelisted.
IP allowlisting is a network gate (who can talk to the storage account at all), while read/write permissions are determined by identity/authorization (RBAC or SAS).
How access is actually determined
-
Authorization: roles and SAS permissions
Azure Blob Storage supports multiple authorization mechanisms:-
Azure AD + RBAC (recommended)
-
You grant roles such as:
Storage Blob Data Reader→ read onlyStorage Blob Data Contributor→ read/write/delete
-
These roles are what define read vs write permissions on blobs and containers.
-
See the operations and RBAC mapping for storage in: Azure role-based access control documentation
Shared Access Signatures (SAS)
-
A SAS token encodes:
- Permissions via
sp(For example:sp=rfor read,sp=rwfor read+write,sp=rwdlfor full CRUD + list). - Optional IP restriction via
sip(IP or IP range allowed to use that token).
- Permissions via
-
The Microsoft Azure Essentials: Fundamentals of Azure shows a SAS example:
code language-none &sp=r # read permission &sip=168.1.5.60-168.1.5.70 # allowed IP range- The
spparameter controls read/write;siponly restricts where the request can originate from.
- The
-
-
Account keys (Shared Key)
- Full account-level read/write if used directly; not recommended for fine-grained access and generally discouraged in Adobe environments.
-
-
Network/IP controls: firewalls and SAS
sipThese control whether a request can reach the account, not what it can do:
-
Storage account firewall / virtual network rules
- You can allow specific public IP ranges or VNets to access the storage account.
- This applies regardless of whether the caller is doing reads or writes; permissions still come from RBAC or SAS.
- Microsoft documentation: Storage account network security
-
SAS
sip(IP range)- Optional parameter on a SAS token that restricts from which IP(s) that token can be used.
- Still, the operations allowed are defined by
sp(permissions); IP just narrows who may exercise those permissions.
-
Relevant Azure Blob Storage documentation
Key Microsoft Learn references:
-
Overall Blob Storage service and security concepts
-
RBAC operations for Storage (data plane actions like read/write/delete)
-
Network/firewall rules for storage accounts and IP allowlisting
-
SAS and user-delegation SAS (permissions encoded in the token)
Together, these docs make it clear that authorization (RBAC/SAS) defines read/write, while IP settings (firewalls or SAS sip) just constrain where those authorized calls may come from.