I was using AzCopy (Azure PowerShell module) to try and upload files from my local machine to an Azure Storage Container (blob storage) using my Microsoft user credentials. I was surprised to find that I hit authorization and permission issues when I was the owner of the Azure subscription, I created the Azure storage account, and I created the Blob Container.
The error given by AzCopy was:
INFO: Authentication failed, it is either not correct, or expired, or does not have the correct permission -> github.com/Azure/azure-storage-blob-go/azblob.newStorageError, /home/vsts/go/pkg/
===== RESPONSE ERROR (ServiceCode=AuthorizationPermissionMismatch) =====
Description=This request is not authorized to perform this operation using this permission.
RESPONSE Status: 403 This request is not authorized to perform this operation using this permission.
Date: [Thu, 17 Dec 2020 04:47:58 GMT]
Server: [Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0]
As you can see the issue seems to be related to permissions. After hunting around for a while I found the solution in this issue in the AzCopy Github repo explaining that the user you are connecting to Azure as (when running AzCopy) must have either of these 2 Access Control roles:
- Storage Blob Data Contributor
- Storage Blob Data Owner
Unlike most other areas in Azure the permissions of Owner don’t implicitly give you access to these ‘lower level’ permissions. So my original Access Control configuration on the Blob Storage Container looks like this in Azure (which will be your default when you create a new storage account and blob storage container)
With this default “owner” role, I can quite happily upload a new file to the blob container via the Azure portal. If I try to use AzCopy though it will throw the permissions error.
If I grant myself the Storage Blob Data Owner role as shown below
AzCopy will now behave itself and succeed in copying a file to the the blob storage container.
I later discovered that someone in my team had hit and solved this problem when using AZCopy from within an Azure DevOps Pipeline tasks, so if that’s your situation read more about how he solved it.