Azure-storage-azcopy: AzCopy Login permission 403

Created on 1 Jul 2019 · 10 Comments · Source: Azure/azure-storage-azcopy

Which version of the AzCopy was used?

10.1.2

Which platform are you using? (ex: Windows, Mac, Linux)

Windows

What command did you run?

azcopy login --tenant-id "ID"
azcopy cp "C:\temp\images" "https://tomstr01.blob.core.windows.net/images" --recursive=true

What problem was encountered?

PS C:\Users\thmaure> azcopy cp "C:\temp\images" "https://tomstr01.blob.core.windows.net/images" --recursive=true
INFO: Scanning...
INFO: Using OAuth token for authentication.

Job cce6e289-8100-5149-45ea-e6198a65509b has started
Log file is located at: C:\Users\thmaure/.azcopy/cce6e289-8100-5149-45ea-e6198a65509b.log

0 Done, 0 Failed, 4 Pending, 0 Skipped, 4 Total,
Authentication failed, it is either not correct, or expired, or does not have the correct permission -> github.com/Azure/azure-storage-azcopy/vendor/github.com/Azure/azure-storage-blob-go/azblob.newStorageError, /go/src/github.com/Azure/azure-storage-azcopy/vendor/github.com/Azure/azure-storage-blob-go/azblob/zc_storage_error.go:42
===== RESPONSE ERROR (ServiceCode=AuthorizationPermissionMismatch) =====
Description=This request is not authorized to perform this operation using this permission.
RequestId:2f1fcb83-101e-001c-0e1a-30bf46000000
Time:2019-07-01T14:40:52.7192171Z, Details:
Code: AuthorizationPermissionMismatch
PUT https://tomstr01.blob.core.windows.net/images/images/1.PNG?timeout=901
Authorization: REDACTED
Content-Length: [30110]
User-Agent: [AzCopy/10.1.2 Azure-Storage/0.6 (go1.10.8; Windows_NT)]
X-Ms-Blob-Cache-Control: []
X-Ms-Blob-Content-Disposition: []
X-Ms-Blob-Content-Encoding: []
X-Ms-Blob-Content-Language: []
X-Ms-Blob-Content-Md5: []
X-Ms-Blob-Content-Type: [image/png]
X-Ms-Blob-Type: [BlockBlob]
X-Ms-Client-Request-Id: [a76a1766-8088-4cb3-4fb6-b6ab270a46c7]
X-Ms-Version: [2018-03-28]


RESPONSE Status: 403 This request is not authorized to perform this operation using this permission.
Content-Length: [279]
Content-Type: [application/xml]
Date: [Mon, 01 Jul 2019 14:40:51 GMT]
Server: [Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0]
X-Ms-Error-Code: [AuthorizationPermissionMismatch]
X-Ms-Request-Id: [2f1fcb83-101e-001c-0e1a-30bf46000000]
X-Ms-Version: [2018-03-28]

How can we reproduce the problem in the simplest way?

Run the commands
azcopy login --tenant-id "ID"
azcopy cp "C:\temp\images" "https://tomstr01.blob.core.windows.net/images" --recursive=true

Have you found a mitigation/solution?

No

All 10 comments

Hi @thomasmaurer, thanks for reaching out!

Could you please verify that you've set up the permissions correctly? Please refer to this link for more info.

Also Thomas, sometimes it takes a few mins for permission changes to fully take effect (some kind of caching thing, or propagation delay, I don't know). So if you've set the right permissions, and it still fails, leave it for 7 or 8 minutes and test again.

Hi @zezha-msft and @JohnRusk
It looks like it was my fault on the permissions. However, I was expecting to already have the right level of access since I was the Storage Account owner.

@thomasmaurer The OAuth permissions are different roles unfortunately. Please don't hesitate if you have any other questions.

I'm seeing this same error with an owner account as listed in RBAC. The account is the main admin account.

Version: 10.3.2

You need to use one of these roles:
Storage Blob Data Contributor
Storage Blob Data Owner

Got it. I found another article that mentioned this. Thanks!

On Nov 21, 2019, at 11:50 AM, John Rusk [MSFT] notifications@github.com wrote:

You need to use one of these roles:
Storage Blob Data Contributor
Storage Blob Data Owner


@JohnRusk can you give more detail on what that means we have to do? @crshovrd41

@cdietschrun - I don't recall 100%, as this was a while ago, but I believe you need to use Azure RBAC (IAM) and grant those specific roles to the user for the storage resource.

Yea, we had to figure that out. There was a propagation delay too where we set it and it still failed. That's super frustrating.

Here's a link for future people... https://brettmckenzie.net/2020/03/23/azure-pipelines-copy-files-task-authentication-failed/
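
One way to check for and grant the data role this thread points to, using the Az PowerShell module (an added example, not part of the original issue or of AzCopy itself). The tenant ID, resource group and sign-in name are placeholders, and scoping the assignment to the single container rather than the whole storage account is this example's own choice.

```powershell
# Added example. Assumes the Az PowerShell module (Az.Accounts, Az.Resources,
# Az.Storage) is installed and that the caller is allowed to create role
# assignments on the storage account (for example as its Owner).
$TenantId       = '<tenant-id>'          # placeholder
$ResourceGroup  = '<resource-group>'     # placeholder
$SignInName     = '<user@example.com>'   # placeholder: identity used for "azcopy login"
$StorageAccount = 'tomstr01'             # account name from the issue
$Container      = 'images'               # container name from the issue

# The two roles named in the thread as fixing the 403.
$DataRoles = @('Storage Blob Data Contributor', 'Storage Blob Data Owner')

Connect-AzAccount -Tenant $TenantId | Out-Null

# Build the ARM scope for this one container instead of the whole account.
$account = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
$scope   = "$($account.Id)/blobServices/default/containers/$Container"

# List the roles the identity holds that apply at this scope.
$assigned = @(Get-AzRoleAssignment -SignInName $SignInName -Scope $scope)
$assigned | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize

$dataRole = $assigned | Where-Object { $DataRoles -contains $_.RoleDefinitionName }
if ($dataRole) {
    Write-Host "Blob data role already assigned: $($dataRole.RoleDefinitionName -join ', ')"
}
else {
    # 'Owner' by itself is not one of the roles listed in the thread, so add one.
    Write-Host "No blob data role found for $SignInName; assigning one."
    New-AzRoleAssignment -SignInName $SignInName `
        -RoleDefinitionName 'Storage Blob Data Contributor' `
        -Scope $scope | Out-Null
    Write-Host "Assigned 'Storage Blob Data Contributor' at $scope"
}
```

As the comments above report, a new assignment can take several minutes to take effect, so a 403 right after running this does not mean the assignment failed.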
