Azure-pipelines-tasks: AzCopy 4 receives a 403, while v3 works

Created on 5 Mar 2020  ·  3 Comments  ·  Source: microsoft/azure-pipelines-tasks

Required Information

Entering this information will route you directly to the right team and expedite traction.

Question, Bug, or Feature?
Type: Bug

Enter Task Name: AzureFileCopy

Environment

  • Server - Azure Pipelines, monacotools, Monaco, vscode-experiments, Release-11
  • Agent - vs2017-win2016

Issue Description

AzCopy v4 receives a 403 when trying to upload the blob. However, v3 works with the same details and service principal.

Task logs

Please mail [email protected] if you'd like more complete logs!

2020-03-04T22:56:03.3572306Z INFO: Authentication failed, it is either not correct, or expired, or does not have the correct permission -> github.com/Azure/azure-storage-blob-go/azblob.newStorageError, /home/vsts/go/pkg/mod/github.com/!azure/[email protected]/azblob/zc_storage_error.go:42
2020-03-04T22:56:03.3590253Z ===== RESPONSE ERROR (ServiceCode=AuthorizationPermissionMismatch) =====
2020-03-04T22:56:03.3600878Z Description=This request is not authorized to perform this operation using this permission.
2020-03-04T22:56:03.3604197Z RequestId:bf3d7ca9-201e-0026-4578-f20516000000
2020-03-04T22:56:03.3604773Z Time:2020-03-04T22:56:03.3319800Z, Details: 
2020-03-04T22:56:03.3623399Z    Code: AuthorizationPermissionMismatch
2020-03-04T22:56:03.3626959Z    PUT <url>>
2020-03-04T22:56:03.3627629Z    Authorization: REDACTED
2020-03-04T22:56:03.3627995Z    Content-Length: [2345]
2020-03-04T22:56:03.3628436Z    User-Agent: [TFS_useragent AzCopy/10.3.3 Azure-Storage/0.7 (go1.13; Windows_NT)]
2020-03-04T22:56:03.3628906Z    X-Ms-Blob-Cache-Control: [max-age=300]
2020-03-04T22:56:03.3631033Z    X-Ms-Blob-Content-Disposition: []
2020-03-04T22:56:03.3631438Z    X-Ms-Blob-Content-Encoding: []
2020-03-04T22:56:03.3631776Z    X-Ms-Blob-Content-Language: []
2020-03-04T22:56:03.3632128Z    X-Ms-Blob-Content-Md5: []
2020-03-04T22:56:03.3632589Z    X-Ms-Blob-Content-Type: [application/json]
2020-03-04T22:56:03.3632958Z    X-Ms-Blob-Type: [BlockBlob]
2020-03-04T22:56:03.3633366Z    X-Ms-Client-Request-Id: [cff165af-4e6e-489b-4f15-13c0a368b1f7]
2020-03-04T22:56:03.3633765Z    X-Ms-Version: [2018-03-28]
2020-03-04T22:56:03.3634162Z    --------------------------------------------------------------------------------
2020-03-04T22:56:03.3634718Z    RESPONSE Status: 403 This request is not authorized to perform this operation using this permission.
2020-03-04T22:56:03.3635146Z    Content-Length: [279]
2020-03-04T22:56:03.3635474Z    Content-Type: [application/xml]
2020-03-04T22:56:03.3635850Z    Date: [Wed, 04 Mar 2020 22:56:03 GMT]
2020-03-04T22:56:03.3636405Z    Server: [Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0]
2020-03-04T22:56:03.3636998Z    X-Ms-Error-Code: [AuthorizationPermissionMismatch]
2020-03-04T22:56:03.3637433Z    X-Ms-Request-Id: [bf3d7ca9-201e-0026-4578-f20516000000]
2020-03-04T22:56:03.3637898Z    X-Ms-Version: [2018-03-28]
2020-03-04T22:56:03.3638136Z 
2020-03-04T22:56:03.3638352Z 
2020-03-04T22:56:03.3638603Z 
2020-03-04T22:56:05.0231434Z 0.0 %, 0 Done, 0 Failed, 1 Pending, 0 Skipped, 1 Total, 
Release bug

All 3 comments

@connor4312 Please provide the permission of "Storage Blob Data Contributor" to your SPN id, it should work then. You can refer to the issue: https://github.com/MicrosoftDocs/azure-docs/issues/36454

Closing the issue since solution is provided in previous comment. Please feel free to re-open if you are still facing the issue.

I believe this is a bug relating to granting permissions to the Service Connection in Azure Pipelines. Specifically, granting permissions via the "this pipeline needs permissions to run" popup grants sufficient permissions for the AzureFileCopy@3 task but not the AzureFileCopy@4 task.

The solution is to:

  • Open the DevOps pipeline and note the name of the service connection
  • Open the project settings at the bottom of the Project page, click "Service Connections", select the service connection, and then click "Manage Service Principal" and then get the display name (optionally changing it to something unique -- as all the service principals for service connections in a project have the same default name, which can be confusing for the next step)
  • Open the Storage resource (Account or container) in the Azure portal, then select "Access Control (IAM)" in the blade on the left, then click "Add a role assignment" and add the "Storage Blob Data Contributor" role to the service principal
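
A triage sketch for the failure discussed in this thread, added here as an example; it is not code from the issue or from the azure-pipelines-tasks project. It pulls the storage error block out of a task log in the format shown above and flags the 403 `AuthorizationPermissionMismatch` case that the comments resolve with the "Storage Blob Data Contributor" role; the function names and finding labels are hypothetical.

```python
import re

# Abridged from the task log quoted in the issue above.
SAMPLE_LOG = """\
2020-03-04T22:56:03.3590253Z ===== RESPONSE ERROR (ServiceCode=AuthorizationPermissionMismatch) =====
2020-03-04T22:56:03.3604197Z RequestId:bf3d7ca9-201e-0026-4578-f20516000000
2020-03-04T22:56:03.3626959Z    PUT <url>>
2020-03-04T22:56:03.3628436Z    User-Agent: [TFS_useragent AzCopy/10.3.3 Azure-Storage/0.7 (go1.13; Windows_NT)]
2020-03-04T22:56:03.3634718Z    RESPONSE Status: 403 This request is not authorized to perform this operation using this permission.
"""

TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2}T[\d:.]+Z ?")  # pipeline log prefix
ERROR_START = re.compile(r"=+ RESPONSE ERROR \(ServiceCode=(\w+)\) =+")
FIELDS = {
    "request_id": re.compile(r"^RequestId:(\S+)"),
    "method": re.compile(r"^(GET|PUT|POST|DELETE|HEAD|PATCH)\s"),
    "azcopy": re.compile(r"^User-Agent: \[.*?AzCopy/([\d.]+)"),
    "status": re.compile(r"^RESPONSE Status: (\d{3})"),
}

def parse_storage_errors(log_text):
    """Return one dict per RESPONSE ERROR block found in the log text."""
    errors, current = [], None
    for raw in log_text.splitlines():
        line = TIMESTAMP.sub("", raw).strip()
        start = ERROR_START.search(line)
        if start:  # a new error block begins here
            current = {"service_code": start.group(1)}
            errors.append(current)
            continue
        if current is None:  # ignore lines before the first error block
            continue
        for name, pattern in FIELDS.items():
            match = pattern.match(line)
            if match and name not in current:  # keep the first value seen
                current[name] = match.group(1)
    return errors

def triage(error):
    """Hypothetical classifier: map one parsed error to a finding label."""
    code, status = error.get("service_code"), error.get("status")
    if code == "AuthorizationPermissionMismatch" and status == "403":
        # The identity authenticated, but no role assigned to it permits the operation.
        return "missing-data-role: assign Storage Blob Data Contributor to the service principal"
    return "unclassified: inspect the full log"

if __name__ == "__main__":
    for err in parse_storage_errors(SAMPLE_LOG):
        print(err.get("request_id"), err.get("method"), triage(err))
```

The CLI equivalent of the portal steps in the last comment is `az role assignment create --assignee <app-id> --role "Storage Blob Data Contributor" --scope <storage-account-or-container-resource-id>`, where the bracketed values are placeholders to fill in.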