How to resolve access issue to storage account

Joseph Dougherty 0 Reputation points
2025-07-23T19:30:08.94+00:00

I keep getting the following error when trying to connect via my code. I am new to Azure and trying to create a small app to translate .docx files from en to es. Any help would be greatly appreciated.

Thanks

Cannot access source document location with the current permissions.

Status: 200 (OK)

ErrorCode: InvalidRequest

Additional Information:

AdditionalInformation: InvalidRequest: Cannot access source document location with the current permissions.

Target: Operation

Raw:

{"code":"InvalidRequest","message":"Cannot access source document location with the current permissions.","target":"Operation","innerError":{"code":"InvalidDocumentAccessLevel","message":"Cannot access source document location with the current permissions."}}

Here is the code I am using to try to connect.

    // create variables for your custom endpoint and resource key
    private static readonly string endpoint = "https://translatorjoedocsr.cognitiveservices.azure.com/";
    private static readonly string key = "EP62Em8OJdybZw57SOxP0KIdT73B3Fbb1KArGF7esmybnseNafwIJQQJ99BGACYeBjFXJ3w3AAAbACOGJx8Y";

    static async Task Main(string[] args)
    {
        // create variables for your sourceUrl, targetUrl, and targetLanguageCode
        Uri sourceUri = new Uri("https://storagefortranslator.blob.core.windows.net/containerfortranslatingdocs/AdministrativeDenialLetter.docx?sp=racwl&st=2025-07-23T19:03:29Z&se=2025-07-30T03:18:29Z&sv=2024-11-04&sr=c&sig=Tnhqg3gIrhFwjMqK1CJTbLCcttFA124PRE0rPCa%2FETw%3D");
        DocumentTranslationOperation operation;

        try
        {
            // initialize a new instance of the DocumentTranslationClient object to interact with the Document translation feature
            DocumentTranslationClient client = new DocumentTranslationClient(new Uri(endpoint), new AzureKeyCredential(key));

            // initialize a new instance of the `DocumentTranslationInput` object to provide the location of input for the translation operation
            DocumentTranslationInput input = new DocumentTranslationInput(sourceUri, targetSASUri, targetLanguage);

            // initialize a new instance of the DocumentTranslationOperation class to track the status of the translation operation
            operation = await client.StartTranslationAsync(input);
            await operation.WaitForCompletionAsync();

            Console.WriteLine($"  Status: {operation.Status}");
            Console.WriteLine($"  Created on: {operation.CreatedOn}");
            Console.WriteLine($"  Last modified: {operation.LastModified}");
            Console.WriteLine($"  Total documents: {operation.DocumentsTotal}");
            Console.WriteLine($"    Succeeded: {operation.DocumentsSucceeded}");
            Console.WriteLine($"    Failed: {operation.DocumentsFailed}");
            Console.WriteLine($"    In Progress: {operation.DocumentsInProgress}");
            Console.WriteLine($"    Not started: {operation.DocumentsNotStarted}");
        }
        catch (Exception ex)
        {
            Console.WriteLine($"Error: {ex.Message}");
        }
    }

Azure AI Translator
An Azure service to easily conduct machine translation with a simple REST API call.

1 answer

  1. Sina Salam 22,576 Reputation points Volunteer Moderator
    2025-07-31T17:51:10.44+00:00

    Hello Joseph Dougherty,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you would like to resolve the access issue to the storage account.

    This is what you need to do considering all indicated errors. Please regenerate valid SAS tokens with correct permissions as described below, and make sure public blob access is enabled in your storage configuration. Also, declare the targetUri explicitly in your code and ensure both SAS URLs are correctly formatted.

    1. Regenerate valid SAS tokens. For the source container (needs: Read, List): go to Azure Portal > Storage Account > Containers, select your source container, and click Shared Access Signature, or generate one using the Azure CLI bash command as below:
         az storage container generate-sas \
           --name containerfortranslatingdocs \
           --permissions rl \
           --expiry 2025-08-31T00:00:00Z \
           --account-name storagefortranslator \
           --as-user \
           --auth-mode login
      
      For the target container (needs: Write, Create, List), use similar steps, but the permissions should be: wcl. See the Azure SAS permissions - https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview as reference.
    2. Secondly, if your Azure environment blocks blob-level public access, even valid SAS tokens may fail. Go to Storage Account > Configuration and set: Allow Blob public access to Enabled
    3. Make sure URLs contain & and not &amp;. The final SAS URL format should be like:
         https://<account>.blob.core.windows.net/<container>/<filename>.docx?<SAS>
      
    4. Your C# code needs to be refactored as below:
         using Azure;
         using Azure.AI.Translation.Document;
         using System;
         using System.Threading.Tasks;

         class Program
         {
             private static readonly string endpoint = "https://translatorjoedocsr.cognitiveservices.azure.com/";
             private static readonly string key = "<your-translator-key>"; // Never hardcode in production!

             static async Task Main(string[] args)
             {
                 // SAS URLs for the source document and the target container
                 Uri sourceUri = new Uri("https://storagefortranslator.blob.core.windows.net/containerfortranslatingdocs/AdministrativeDenialLetter.docx?<valid-sas>");
                 Uri targetUri = new Uri("https://storagefortranslator.blob.core.windows.net/<target-container>?<valid-sas>");
                 string targetLanguage = "es"; // Spanish
                 try
                 {
                     var client = new DocumentTranslationClient(new Uri(endpoint), new AzureKeyCredential(key));
                     // This constructor takes a collection of targets, so wrap the single target in an array
                     var input = new DocumentTranslationInput(
                         new TranslationSource(sourceUri),
                         new[] { new TranslationTarget(targetUri, targetLanguage) }
                     );
                     DocumentTranslationOperation operation = await client.StartTranslationAsync(input);
                     await operation.WaitForCompletionAsync();
                     Console.WriteLine($"Status: {operation.Status}");
                     Console.WriteLine($"Succeeded: {operation.DocumentsSucceeded}");
                     Console.WriteLine($"Failed: {operation.DocumentsFailed}");
                 }
                 catch (Exception ex)
                 {
                     Console.WriteLine($"Error: {ex.Message}");
                 }
             }
         }

    5. Though this is optional, if running from Azure App Service, Function App, or a VM, use Managed Identity with RBAC roles: the source container should have the Storage Blob Data Reader role and the target container should have Storage Blob Data Contributor. Read the following links:

    I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.


    Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.
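
A pre-flight check for the SAS URLs discussed in steps 1 and 3 above, added here as an example and not part of the original answer: it reads the `sp`, `st`, `se` and `sig` query parameters, reports missing permissions, an expired or not-yet-valid token and a pasted `&amp;`, and masks the signature before a URL is logged or posted. `SasPreflight`, `Check` and `Redact` are hypothetical names, the required permission letters are the ones the answer lists, the sample URL is constructed, and .NET 6 or later is assumed.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Text.RegularExpressions;

static class SasPreflight // hypothetical helper, not part of the Azure SDK
{
    // Hand-split the query so a pasted "&amp;" surfaces as a key such as "amp;se".
    static Dictionary<string, string> Parse(Uri url)
    {
        var q = new Dictionary<string, string>();
        foreach (var pair in url.Query.TrimStart('?').Split('&', StringSplitOptions.RemoveEmptyEntries))
        {
            var kv = pair.Split('=', 2);
            q[kv[0]] = kv.Length > 1 ? Uri.UnescapeDataString(kv[1]) : "";
        }
        return q;
    }
    static bool TryTime(string s, out DateTimeOffset t) =>
        DateTimeOffset.TryParse(s, CultureInfo.InvariantCulture, DateTimeStyles.AssumeUniversal, out t);
    // required: permission letters from the answer ("rl" for source, "wcl" for target).
    public static List<string> Check(Uri url, string required, DateTimeOffset now)
    {
        var q = Parse(url);
        var problems = new List<string>();
        if (q.Keys.Any(k => k.StartsWith("amp;", StringComparison.Ordinal)))
            problems.Add("query contains a literal \"&amp;\" instead of \"&\"");
        if (!q.ContainsKey("sig")) problems.Add("no sig parameter");
        var sp = q.TryGetValue("sp", out var v) ? v : "";
        var missing = new string(required.Where(c => sp.IndexOf(c) < 0).ToArray());
        if (missing.Length > 0) problems.Add($"sp={sp} lacks: {missing}");
        if (!q.TryGetValue("se", out var se) || !TryTime(se, out var expiry))
            problems.Add("se (expiry) missing or unparsable");
        else if (expiry <= now) problems.Add($"expired at {expiry:u}");
        if (q.TryGetValue("st", out var st) && TryTime(st, out var start) && start > now)
            problems.Add($"not valid until {start:u}");
        return problems;
    }
    // Mask the signature so the URL can go into logs or a forum post.
    public static string Redact(Uri url) =>
        Regex.Replace(url.AbsoluteUri, @"(?<=[?&;]sig=)[^&]+", "REDACTED");
    static void Main()
    {
        var now = new DateTimeOffset(2025, 7, 31, 0, 0, 0, TimeSpan.Zero); // fixed clock for the sample
        // Constructed URL: placeholder account, container and signature.
        var src = new Uri("https://example.blob.core.windows.net/docs?sp=r&st=2025-07-23T19:03:29Z&se=2025-07-30T03:18:29Z&sr=c&sig=PLACEHOLDER%3D");
        foreach (var p in Check(src, "rl", now)) Console.WriteLine(p);
        Console.WriteLine(Redact(src));
    }
}
```

Calling `Check` on both URLs before `StartTranslationAsync` turns a token problem into a specific local message, and `Redact` keeps the `sig` value out of console output and support posts.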
