az storage account or-policy create doesn't work

[JohnnyFasching]

Describe the bug

When I use the default snipped from the documentation then the command completes but from the blob storage activity log I see the error "OR: policy does not exist on destination account" RequestId:79438c10-9004-0003-4f9c-9ea415000000 Time:2023-06-14T08:46:28.1321224Z"

az storage account or-policy create -g ResourceGroupName -n storageAccountName -d destAccountName -s srcAccountName --destination-container dcont --source-container scont

Related command

az storage account or-policy create -g ResourceGroupName -n storageAccountName -d destAccountName -s srcAccountName --destination-container dcont --source-container scont

Errors

"OR: policy does not exist on destination account" RequestId:79438c10-9004-0003-4f9c-9ea415000000 Time:2023-06-14T08:46:28.1321224Z

Issue script & Debug output

No additional debug output

Expected behavior

I assume that the cli command creates the resources in both blobs and that the command with the json policy definition is also working properly.

Environment Summary

azure-cli 2.45.0 *

core 2.45.0 *
telemetry 1.0.8

Dependencies:
msal 1.20.0
azure-mgmt-resource 21.1.0b1

Python location 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe'
Extensions directory 'C:\Users\JohannesFasching.azure\cliextensions'

Python (Windows) 3.10.8 (tags/v3.10.8:aaaf517, Oct 11 2022, 16:37:59) [MSC v.1933 32 bit (Intel)]

Additional context

No response

[azure-client-tools-bot-prd]

Hi @JohnnyFasching,

2.45.0 is not the latest Azure CLI(2.49.0).

Please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.

[yonzhan]

Thank you for opening this issue, we will look into it.

[calvinhzy]

Hi @JohnnyFasching, the command is missing the --policy-id arg and was likely not printing out the error. Can you rerun the command with --debug at the end as well: az storage account or-policy create -g ResourceGroupName -n storageAccountName -d destAccountName -s srcAccountName --destination-container dcont --source-container scont --policy-id default --debug

[JohnnyFasching]

@calvinhzy I also tried it with the policy-id and still I do not get the error in the console, I only see the error in the Azure logs

[calvinhzy]

Yes, it is a CLI issue that it only prints out the error with --debug. Can you try it again with --debug and fix the command call accordingly?

[JohnnyFasching]

I fixed the command call, and saw that the request was sent, but still the error is {"error":{"code":"ObjectReplicationFailure","message":""OR: policy does not exist on destination account"\nRequestId:a672b414-b004-0004-3f8e-a2c876000000\nTime:2023-06-19T09:12:24.8264201Z"}}

[calvinhzy]

Can you show the log for the command with --debug? Did you provide the destination account name for the --account-name arg? Also, the storage account needs to have versioning and change feed enabled.

If the command runs successfully with --debug, it should not be CLI issue, please provide the request-id so we can involve the service team.

[JohnnyFasching]

This is the full debug output, with personal information removed from the output of course.

CLI command:
az storage account or-policy create --policy-id 371bbaed-695d-4e14-a526-b1cb084d045b -g dev-rg --account-name devstacc --destination-account devstacc2 --source-account devstacc --destination-container files --source-container files --rule-id default --debug

cli.knack.cli: Command arguments: ['storage', 'account', 'or-policy', 'create', '--policy-id', '371bbaed-695d-4e14-a526-b1cb084d045b', '-g', 'dev-rg', '--account-name', 'devstacc', '--destination-account', 'devstacc2', '--source-account', 'devstacc', '--destination-container', 'files', '--source-container', 'files', '--rule-id', 'default', '--debug']
cli.knack.cli: init debug log:
Enable color in terminal.
Enable VT mode.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x0236B4F0>, <function OutputProducer.on_global_arguments at 0x02438C88>, <function CLIQuery.on_global_arguments at 0x024598E0>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'storage': ['azure.cli.command_modules.storage']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: storage 0.039 58 272
cli.azure.cli.core: Total (1) 0.039 58 272
cli.azure.cli.core: Loaded 58 groups, 272 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : storage account or-policy create
cli.azure.cli.core: Command table: storage account or-policy create
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x0472B4F0>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users.....'.
az_command_data_logger: command args: storage account or-policy create --policy-id {} -g {} --account-name {} --destination-account {} --source-account {} --destination-container {} --source-container {} --rule-id {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x047525C8>]
cli.azure.cli.core.profiles._shared: Traceback (most recent call last):
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/profiles/_shared.py", line 655, in _get_attr
AttributeError: module 'azure.mgmt.storage.v2022_09_01.models' has no attribute 'ActiveDirectoryPropertiesAccountType'

cli.azure.cli.core.profiles._shared: Traceback (most recent call last):
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/profiles/_shared.py", line 655, in _get_attr
AttributeError: module 'azure.mgmt.storage.v2022_09_01.models' has no attribute 'ListKeyExpand'

cli.azure.cli.core.profiles._shared: Traceback (most recent call last):
File "D:\a_work\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/profiles/_shared.py", line 655, in _get_attr
AttributeError: module 'azure.mgmt.storage.v2022_09_01.models' has no attribute 'CorsRuleAllowedMethodsItem'

cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x047604F0>, <function register_cache_arguments..add_cache_arguments at 0x047606E8>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x02438CD0>, <function CLIQuery.handle_query_parameter at 0x02459928>, <function register_ids_argument..parse_ids_arguments at 0x047606A0>]
Command group 'storage account or-policy' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
cli.azure.cli.core.commands.client_factory: Getting management service client client_type=StorageManagementClient
cli.azure.cli.core.auth.persistence: build_persistence: location='C:\Users\JohannesFasching\.azure\msal_token_cache.bin', encrypt=True
cli.azure.cli.core.auth.binary_cache: load: C:\Users\JohannesFasching.azure\msal_http_cache.bin
urllib3.util.retry: Converted retries value: 1 -> Retry(total=1, connect=None, read=None, redirect=None, status=None)
msal.authority: openid_config = .....
msal.application: Broker enabled? False
cli.azure.cli.core.auth.credential_adaptor: CredentialAdaptor.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
cli.azure.cli.core.auth.msal_authentication: UserCredential.get_token: scopes=('https://management.core.windows.net//.default',), claims=None, kwargs={}
msal.application: Found 1 RTs matching .....
msal.telemetry: Generate or reuse correlation_id: d5cf2de5-43e7-47fb-a669-83412614a3e2
msal.application: Cache attempts an RT
urllib3.connectionpool: Starting new HTTPS connection (1): login.microsoftonline.com:443
urllib3.connectionpool: ....
msal.token_cache: event=.....
cli.azure.cli.core.sdk.policies: ......
cli.azure.cli.core.sdk.policies: Request method: 'PUT'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies: 'Content-Length': '460'
cli.azure.cli.core.sdk.policies: 'Accept': 'application/json'
cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': '575906a3-0f34-11ee-9faf-64d69a15e595'
cli.azure.cli.core.sdk.policies: 'CommandName': 'storage account or-policy create'
cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--policy-id -g --account-name --destination-account --source-account --destination-container --source-container --rule-id --debug'
cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.49.0 (MSI) azsdk-python-azure-mgmt-storage/21.0.0 Python/3.10.10 (Windows-10-10.0.22621-SP0)'
cli.azure.cli.core.sdk.policies: 'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: .....
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "PUT /subscriptions/...../resourceGroups/dev-rg/providers/Microsoft.Storage/storageAccounts/c2ddevstacc/objectReplicationPolicies/371bbaed-695d-4e14-a526-b1cb084d045b?api-version=2022-09-01 HTTP/1.1" 400 193
cli.azure.cli.core.sdk.policies: Response status: 400
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Content-Length': '193'
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json'
cli.azure.cli.core.sdk.policies: 'Expires': '-1'
cli.azure.cli.core.sdk.policies: 'x-ms-request-id': 'e1de54fe-7db7-4da3-8b2d-37152af7b7ea'
cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies: 'Server': 'Microsoft-Azure-Storage-Resource-Provider/1.0,Microsoft-HTTPAPI/2.0 Microsoft-HTTPAPI/2.0'
cli.azure.cli.core.sdk.policies: 'x-ms-ratelimit-remaining-subscription-writes': '1199'
cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': '435052b9-ec27-445f-9b7e-2d349e955ae1'
cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': 'GERMANYNORTH:20230620T063328Z:435052b9-ec27-445f-9b7e-2d349e955ae1'
cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies: 'Date': 'Tue, 20 Jun 2023 06:33:28 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"error":{"code":"ObjectReplicationFailure","message":""OR: policy does not exist on destination account"\nRequestId:2934e802-0004-0001-5d41-a31aad000000\nTime:2023-06-20T06:33:28.8527139Z"}}
cli.knack.cli: Event: CommandInvoker.OnTransformResult [<function _resource_group_transform at 0x04750D60>, <function _x509_from_base64_to_hex_transform at 0x04750DA8>]
cli.knack.cli: Event: CommandInvoker.OnFilterResult []
cli.knack.cli: Event: Cli.SuccessfulExecute []
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x0472B610>]

[calvinhzy]

Can you try --account-name devstacc2 instead, which is the destination account.

[JohnnyFasching]

Then the error message is:
{"error":{"code":"InvalidObjectReplicationPolicy","message":"Object Replication Policy is not valid: Policy 371bbaed-695d-4e14-a526-b1cb084d045b no exist."}}

@calvinhzy Have you also tried the command and get the same problems or does this work for you?

[calvinhzy]

It means the policy id that you have specified is not found. Make sure you can see the policy with az storage account or-policy show. I was using the default policy and it works for me.

You can also create with --policy default instead of --policy-id

[JohnnyFasching]

It worked now when setting the policy-id to "default", I used this particular json for the policy creation:

{
    "policyId" : "default",
    "source_account": "/subscriptions/${subscrId}/resourceGroups/${storAccResGroup}/providers/Microsoft.Storage/storageAccounts/${storAccName}",
    "destination_account": "/subscriptions/${subscrId}/resourceGroups/${storAccResGroup}/providers/Microsoft.Storage/storageAccounts/${storAccName}2",
    "rules": [
        {
            "ruleId": "{ruleId}",
            "sourceContainer": "{sourceContainer}",
            "destinationContainer": "{destinationContainer}"
        }
    ]
}

az storage account or-policy create --account-name $deststorAccName --resource-group $resourceGroup --policy "$policy"

But still the documentation is very misleading and should be extended with those examples