Being an Azure Storage Account Owner isn’t enough to use AzCopy

I was using AzCopy (Azure PowerShell module) to try and upload files from my local machine to an Azure Storage Container (blob storage) using my Microsoft user credentials. I was surprised to find that I hit authorization and permission issues when I was the owner of the Azure subscription, I created the Azure storage account, and I created the Blob Container.

The error given by AzCopy was:

INFO: Authentication failed, it is either not correct, or expired, or does not have the correct permission -> github.com/Azure/azure-storage-blob-go/azblob.newStorageError, /home/vsts/go/pkg/mod/github.com/!azure/azure-storage-blob-go@v0.10.1-0.20201022074806-8d8fc11be726/azblob/zc_storage_error.go:42
===== RESPONSE ERROR (ServiceCode=AuthorizationPermissionMismatch) =====
Description=This request is not authorized to perform this operation using this permission.
RequestId:0f707ea2-d01e-0004-532f-d4c21e000000
Time:2020-12-17T04:47:58.9437210Z, Details:
Code: AuthorizationPermissionMismatch
PUT https://iconpickerstorage.blob.core.windows.net/icons/myicon.ico?timeout=901
Authorization: REDACTED


RESPONSE Status: 403 This request is not authorized to perform this operation using this permission.
Content-Length: [279]
Content-Type: [application/xml]
Date: [Thu, 17 Dec 2020 04:47:58 GMT]
Server: [Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0]
X-Ms-Client-Request-Id: [5deaec7e-681c-4870-56bd-77cbf25e1abb]
X-Ms-Error-Code: [AuthorizationPermissionMismatch]
X-Ms-Request-Id: [0f707ea2-d01e-0004-532f-d4c21e000000]
X-Ms-Version: [2019-12-12]

As you can see, the issue seems to be related to permissions. After hunting around for a while, I found the solution in this issue in the AzCopy GitHub repo, explaining that the user you are connecting to Azure as (when running AzCopy) must have either of these 2 Access Control roles:

  • Storage Blob Data Contributor
  • Storage Blob Data Owner

Unlike most other areas in Azure, the permissions of Owner don’t implicitly give you access to these ‘lower level’ permissions. So my original Access Control configuration on the Blob Storage Container looks like this in Azure (which will be your default when you create a new storage account and blob storage container).

With this default “owner” role, I can quite happily upload a new file to the blob container via the Azure portal. If I try to use AzCopy though it will throw the permissions error.

If I grant myself the Storage Blob Data Owner role, AzCopy will now behave itself and succeed in copying a file to the blob storage container.
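
The same fix can be scripted with the Az PowerShell module. This is an added example, not part of the original post: the resource group and sign-in name are placeholders, and it grants Storage Blob Data Contributor (the lesser of the two roles listed above) scoped to the single container rather than the whole storage account.

```powershell
# Placeholders (assumptions): replace with your own values.
$resourceGroup = '<resource-group>'
$signInName    = '<user@example.com>'

# Account, container and file names as they appear in the error output above.
$accountName   = 'iconpickerstorage'
$containerName = 'icons'

Connect-AzAccount | Out-Null

# Build a scope that covers only this one container, not the whole account.
$account = Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $accountName
$scope   = "$($account.Id)/blobServices/default/containers/$containerName"

# Either of these data roles lets AzCopy write blobs with Azure AD credentials.
$dataRoles = 'Storage Blob Data Contributor', 'Storage Blob Data Owner'

# Look for a data role already assigned directly to the user and effective
# on the container. Assignments made through group membership are not checked here.
$existing = Get-AzRoleAssignment -SignInName $signInName -Scope $scope |
    Where-Object { $dataRoles -contains $_.RoleDefinitionName }

if ($existing) {
    $existing | Format-Table RoleDefinitionName, Scope -AutoSize
}
else {
    # The management "Owner" role alone leads to AuthorizationPermissionMismatch,
    # so add a data role at the narrowest scope that works.
    New-AzRoleAssignment -SignInName $signInName `
        -RoleDefinitionName 'Storage Blob Data Contributor' `
        -Scope $scope | Out-Null
    Write-Host 'Role assigned. It can take a few minutes to take effect.'
}

# Sign AzCopy in as the same user and retry the upload from the error above.
azcopy login
azcopy copy '.\myicon.ico' "https://$accountName.blob.core.windows.net/$containerName/myicon.ico"
```

If the upload still returns 403 straight after the assignment, wait a few minutes and run the `azcopy copy` line again before changing anything else.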

I later discovered that someone in my team had hit and solved this problem when using AzCopy from within an Azure DevOps Pipeline task, so if that’s your situation, read more about how he solved it.
