Error when running the "az storage entity" command #27202

Closed
hpourreza opened this issue Aug 18, 2023 · 16 comments · Fixed by #27280

@hpourreza

Describe the bug

When I run the following command using azure-cli 2.40 or newer,
az storage entity insert --account-name --sas-token "REMOVED" --entity PartitionKey="P1" RowKey="R1" --table-name testprod

I am getting
You do not have the required permissions needed to perform this operation.
Depending on your operation, you may need to be assigned one of the following roles:
"Storage Blob Data Owner"
"Storage Blob Data Contributor"
"Storage Blob Data Reader"
"Storage Queue Data Contributor"
"Storage Queue Data Reader"
"Storage Table Data Contributor"
"Storage Table Data Reader"

However, when I downgraded the azure-cli to 2.32, I can run the command with no issue.

Related command

az storage entity insert --account-name --sas-token "<>" --entity PartitionKey="P1" RowKey="R1" --table-name testprod

Errors

You do not have the required permissions needed to perform this operation.
Depending on your operation, you may need to be assigned one of the following roles:
"Storage Blob Data Owner"
"Storage Blob Data Contributor"
"Storage Blob Data Reader"
"Storage Queue Data Contributor"
"Storage Queue Data Reader"
"Storage Table Data Contributor"
"Storage Table Data Reader"

Issue script & Debug output

cli.knack.log: File logging enabled - writing logs to 'C:\Users\user.azure\logs'.
cli.knack.cli: Command arguments: ['storage', 'entity', 'insert', '--account-name', '', '--sas-token', '?REMOVED', '--entity', 'PartitionKey=P1', 'RowKey=R1', '--table-name', 'testprod', '--debug']
cli.knack.cli: init debug log:
Enable color in terminal.
Enable VT mode.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x022FA340>, <function OutputProducer.on_global_arguments at 0x023DE610>, <function CLIQuery.on_global_arguments at 0x023F1268>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Command index version or cloud profile is invalid or doesn't match the current command.
cli.azure.cli.core: Command index has been invalidated.
cli.azure.cli.core: No module found from index for '['storage', 'entity', 'insert', '--account-name', '', '--sas-token', 'REMOVED', '--entity', 'PartitionKey=P1', 'RowKey=R1', '--table-name', 'testprod', '--debug']'
cli.azure.cli.core: Loading all modules and extensions
cli.azure.cli.core: Discovered command modules: ['acr', 'acs', 'advisor', 'ams', 'apim', 'appconfig', 'appservice', 'aro', 'backup', 'batch', 'batchai', 'billing', 'botservice', 'cdn', 'cloud', 'cognitiveservices', 'config', 'configure', 'consumption', 'container', 'cosmosdb', 'databoxedge', 'deploymentmanager', 'dla', 'dls', 'dms', 'eventgrid', 'eventhubs', 'extension', 'feedback', 'find', 'hdinsight', 'identity', 'interactive', 'iot', 'keyvault', 'kusto', 'lab', 'managedservices', 'maps', 'marketplaceordering', 'monitor', 'natgateway', 'netappfiles', 'network', 'policyinsights', 'privatedns', 'profile', 'rdbms', 'redis', 'relay', 'reservations', 'resource', 'role', 'search', 'security', 'servicebus', 'serviceconnector', 'servicefabric', 'signalr', 'sql', 'sqlvm', 'storage', 'synapse', 'util', 'vm']
cli.azure.cli.core: Loaded 1190 groups, 4844 commands.
cli.azure.cli.core: Updated command index in 0.004 seconds.
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x04906610>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to 'C:\Users\user.azure\commands\2023-08-18.13-25-39.storage_entity_insert.272.log'.
az_command_data_logger: command args: storage entity insert --account-name {} --sas-token {} --entity {} {} --table-name {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x04EFBFA0>]
cli.azure.cli.core.profiles._shared: Traceback (most recent call last):
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/profiles/_shared.py", line 624, in _get_attr
AttributeError: module 'azure.mgmt.storage.v2022_05_01.models' has no attribute 'ActiveDirectoryPropertiesAccountType'

cli.azure.cli.core.profiles._shared: Traceback (most recent call last):
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/profiles/_shared.py", line 624, in _get_attr
AttributeError: module 'azure.mgmt.storage.v2022_05_01.models' has no attribute 'ListKeyExpand'

cli.azure.cli.core.profiles._shared: Traceback (most recent call last):
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/profiles/_shared.py", line 624, in _get_attr
AttributeError: module 'azure.mgmt.storage.v2022_05_01.models' has no attribute 'CorsRuleAllowedMethodsItem'

cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x04EFBCD0>, <function register_cache_arguments..add_cache_arguments at 0x04EFBA48>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs [<function _documentdb_deprecate at 0x057F0028>]
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x023DE658>, <function CLIQuery.handle_query_parameter at 0x023F12B0>, <function register_ids_argument..parse_ids_arguments at 0x04EFBA90>, <function handler at 0x059004A8>]
cli.azure.cli.command_modules.storage._validators: Try to get storage auth_mode value from environment variables or config file.
urllib3.connectionpool: Starting new HTTPS connection (1): .table.core.windows.net:443
urllib3.connectionpool: https://.table.core.windows.net:443 "GET /testprod(PartitionKey='P1',RowKey='R1')?REMOVED HTTP/1.1" 403 None
cli.azure.cli.core.util: azure.cli.core.util.handle_exception is called with an exception:
cli.azure.cli.core.util: Traceback (most recent call last):
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/data/tables/_table_client.py", line 607, in get_entity
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/data/tables/_generated/operations/_table_operations.py", line 486, in query_entity_with_partition_and_row_key
azure.core.exceptions.HttpResponseError: Operation returned an invalid status 'Forbidden'
Content: {"odata.error":{"code":"AuthorizationPermissionMismatch","message":{"lang":"en-US","value":"This request is not authorized to perform this operation using this permission.\nRequestId:104606e3-c002-002c-2e12-d2c06f000000\nTime:2023-08-18T20:25:40.3889955Z"}}}

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\knack/cli.py", line 233, in invoke
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 663, in execute
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 726, in _run_jobs_serially
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 718, in _run_job
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/storage/init.py", line 411, in new_handler
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/storage/init.py", line 410, in new_handler
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 697, in _run_job
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/init.py", line 333, in call
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/core/commands/command_operation.py", line 121, in handler
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/cli/command_modules/storage/operations/table.py", line 77, in insert_entity
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/core/tracing/decorator.py", line 73, in wrapper_use_tracer
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/data/tables/_table_client.py", line 615, in get_entity
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/data/tables/_error.py", line 210, in _process_table_error
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/data/tables/_error.py", line 200, in _reraise_error
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/data/tables/_table_client.py", line 607, in get_entity
File "D:\a\1\s\build_scripts\windows\artifacts\cli\Lib\site-packages\azure/data/tables/_generated/operations/_table_operations.py", line 486, in query_entity_with_partition_and_row_key
azure.core.exceptions.HttpResponseError:
You do not have the required permissions needed to perform this operation.
Depending on your operation, you may need to be assigned one of the following roles:
"Storage Blob Data Owner"
"Storage Blob Data Contributor"
"Storage Blob Data Reader"
"Storage Queue Data Contributor"
"Storage Queue Data Reader"
"Storage Table Data Contributor"
"Storage Table Data Reader"

If you want to use the old authentication method and allow querying for the right account key, please use the "--auth-mode" parameter and "key" value.

Content: {"odata.error":{"code":"AuthorizationPermissionMismatch","message":{"lang":"en-US","value":"This request is not authorized to perform this operation using this permission.\nRequestId:104606e3-c002-002c-2e12-d2c06f000000\nTime:2023-08-18T20:25:40.3889955Z"}}}

cli.azure.cli.core.azclierror:
You do not have the required permissions needed to perform this operation.
Depending on your operation, you may need to be assigned one of the following roles:
"Storage Blob Data Owner"
"Storage Blob Data Contributor"
"Storage Blob Data Reader"
"Storage Queue Data Contributor"
"Storage Queue Data Reader"
"Storage Table Data Contributor"
"Storage Table Data Reader"

If you want to use the old authentication method and allow querying for the right account key, please use the "--auth-mode" parameter and "key" value.

az_command_data_logger:
You do not have the required permissions needed to perform this operation.
Depending on your operation, you may need to be assigned one of the following roles:
"Storage Blob Data Owner"
"Storage Blob Data Contributor"
"Storage Blob Data Reader"
"Storage Queue Data Contributor"
"Storage Queue Data Reader"
"Storage Table Data Contributor"
"Storage Table Data Reader"

If you want to use the old authentication method and allow querying for the right account key, please use the "--auth-mode" parameter and "key" value.

cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x04906730>]
az_command_data_logger: exit code: 1
cli.main: Command ran in 3.113 seconds (init: 1.024, invoke: 2.089)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 3764 in cache
telemetry.check: Negative: The C:\Users\user.azure\telemetry.txt was modified at 2023-08-18 13:24:53.672689, which in less than 600.000000 s

Expected behavior

The command should run with no error and I should see a record in the table.

Environment Summary

azure-cli 2.40.0 *

core 2.40.0 *
telemetry 1.0.8 *

Dependencies:
msal 1.18.0b1
azure-mgmt-resource 21.1.0b1

Additional context

No response

@hpourreza hpourreza added the bug This issue requires a change to an existing behavior in the product in order to be resolved. label Aug 18, 2023
@azure-client-tools-bot-prd

Hi @hpourreza,

2.40.0 is not the latest Azure CLI(2.51.0).

Please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.

@azure-client-tools-bot-prd azure-client-tools-bot-prd bot added the Auto-Resolve Auto resolve by bot label Aug 18, 2023
@microsoft-github-policy-service microsoft-github-policy-service bot added customer-reported Issues that are reported by GitHub users external to the Azure organization. Storage az storage labels Aug 18, 2023
@microsoft-github-policy-service microsoft-github-policy-service bot added Auto-Assign Auto assign by bot Azure CLI Team The command of the issue is owned by Azure CLI team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that IoT CXP Attention This issue is handled by CXP team. IoT/CLI labels Aug 18, 2023
@yonzhan
Collaborator

yonzhan commented Aug 18, 2023

Thank you for opening this issue, we will look into it.

@hpourreza
Author

I updated the azure-cli to the following latest version and still the same error.
azure-cli 2.51.0

core 2.51.0
telemetry 1.1.0

Dependencies:
msal 1.24.0b1
azure-mgmt-resource 23.1.0b2

@yonzhan yonzhan removed the IoT/CLI label Aug 19, 2023
@yonzhan yonzhan added this to the Backlog milestone Aug 19, 2023
@yonzhan yonzhan removed bug This issue requires a change to an existing behavior in the product in order to be resolved. IoT labels Aug 19, 2023
@calvinhzy
Member

@hpourreza Can you add the "Storage Table Data Contributor" role to the current user? It is likely that the older versions did not use the proper rbac roles.

@hpourreza
Author

hpourreza commented Aug 21, 2023

@calvinhzy The way we run this command is using a sas token to append a record to a table without checking the user. If I don't use the sas token and use my account, for example, it works. I think when the sas token is provided the role should not matter.
I also noticed the following difference (POST vs GET) when running with old vs new version of azure cli:

Old:
2773191 : 2023-08-18 18:36:26,068 : DEBUG : urllib3.connectionpool : Starting new HTTPS connection (1): .table.core.windows.net:443
2773191 : 2023-08-18 18:36:26,337 : DEBUG : urllib3.connectionpool : https://.table.core.windows.net:443 "POST /testprod?<> HTTP/1.1" 204 0

New:

2032 : 2023-08-18 10:49:54,655 : DEBUG : urllib3.connectionpool : Starting new HTTPS connection (1): .table.core.windows.net:443
2032 : 2023-08-18 10:49:54,967 : DEBUG : urllib3.connectionpool : https://.table.core.windows.net:443 "GET /testprod(PartitionKey='P1',RowKey='R1') HTTP/1.1" 404 None

@calvinhzy
Member

I am able to use the sas-token generated from portal, wondering perhaps it is a sas issue? Where did you generate the sas from?
image

@hpourreza
Author

hpourreza commented Aug 22, 2023

I also create my sas token from portal (and it works fine with the older version) by going to Storage browser, selecting the table, and clicking on ... and selecting Generate SAS. However, my SAS token is a bit different than yours. My sas token is like this: "sp=a&st=2023-08-22T15:55:47Z&se=2023-08-23T03:55:00Z&spr=https&sv=2022-11-02&sig=REMOVED&tn=testprod" which is missing some keys like ss or srt that I see in your sas token.

Also, when I run your command with my sas token and my table name, I get:
Please provide storage account name or connection string.

I am not sure how you ran the command without providing the storage account name.

@hpourreza
Author

hpourreza commented Aug 22, 2023

@calvinhzy
I found out if I specify rau (Query, Add, and Update) as permissions to create my SAS token, the insert operation succeeds, but if I specify only a (Add) or ra (Query, Add), ru (Query, Update), or au (Add, Update) they all fail. I think this is a regression from its specification since I only need/want a (Add) permission to add a record to the table.

@calvinhzy
Member

So I was generating the sas token for the storage account which is why I didn't specify the account name. I see that [image], so with just the add flag it should be enough. Are you perhaps using the --if-exists replace option which might be an upsert operation? Can you perhaps give screenshot to both and I can refer to service team to take a look.

@calvinhzy calvinhzy added the Service Attention This issue is responsible by Azure service team. label Aug 23, 2023
@microsoft-github-policy-service
Contributor

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @xgithubtriage.

@hpourreza
Author

hpourreza commented Aug 23, 2023

@calvinhzy I don't use --if-exists and again this exact command works with earlier version of azure-cli. It must be a new change to break this behavior. I am attaching three screenshots for a, au, and rau cases.
a
au
rau

@hpourreza
Author

@calvinhzy Do you know if anyone is working on this issue?

@calvinhzy
Member

I am still looking into this, will take some more time.

@hpourreza
Author

hpourreza commented Aug 29, 2023

Thanks a lot @calvinhzy. After installing those three wheel files, I was able to insert into the table with an Add only sas token (as before). When do you think this version will be the mainstream?

@calvinhzy
Member

It is set to be released on 9/5, thanks.

calvinhzy added a commit that referenced this issue Aug 30, 2023
…sas token with only `add` permission (#27280)

* fix case when using sas token with only add permission for entity insert

* sas token put in LiveScenarioTest
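
The least-privilege question in this thread, as an added example (not Azure CLI or Azure SDK code): it parses a table SAS token's `sp` field and checks whether each request seen in a urllib3 debug line is covered by it, which shows why an Add-only token passes the old CLI's POST but is refused on the newer CLI's GET. The helper names and the constructed log lines are assumptions; the token string is the one quoted in the thread.

```python
import re
from urllib.parse import parse_qs

# Table SAS permission letters carried in the `sp` field.
SP_LETTERS = {"r": "Query", "a": "Add", "u": "Update", "d": "Delete"}

# Permission a single entity request needs. Upsert (insert-or-replace/merge)
# needs both Add and Update and is not modelled here.
REQUIRED = {"GET": "r", "POST": "a", "PUT": "u", "MERGE": "u", "DELETE": "d"}

# Matches the request part of a urllib3 debug line like those in the thread.
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) /(?P<table>\w+)(?P<key>\([^)]*\))?(?:\?\S*)? HTTP/1\.1"'
)


def parse_sas(token):
    """Return the permission set and table scope (`tn`) of a table SAS token."""
    fields = parse_qs(token.lstrip("?"), keep_blank_values=True)
    perms = set(fields.get("sp", [""])[0])
    unknown = perms - set(SP_LETTERS)
    if unknown:
        raise ValueError(f"unknown permission letters: {sorted(unknown)}")
    return {"permissions": perms, "table": fields.get("tn", [None])[0]}


def check_request(sas, log_line):
    """Return (method, allowed, reason) for one logged table request."""
    match = REQUEST_RE.search(log_line)
    if not match or match["method"] not in REQUIRED:
        raise ValueError("not a recognised table request line")
    needed = REQUIRED[match["method"]]
    if sas["table"] and sas["table"].lower() != match["table"].lower():
        return match["method"], False, "table outside SAS scope"
    if needed not in sas["permissions"]:
        return match["method"], False, f"missing {SP_LETTERS[needed]} ({needed})"
    return match["method"], True, "ok"


def replay(token, log_lines):
    """Check every logged request against the permissions of one SAS token."""
    sas = parse_sas(token)
    return [check_request(sas, line) for line in log_lines]


# SAS token as quoted in the thread (signature already redacted there).
ADD_ONLY_SAS = ("sp=a&st=2023-08-22T15:55:47Z&se=2023-08-23T03:55:00Z"
                "&spr=https&sv=2022-11-02&sig=REMOVED&tn=testprod")
# Constructed variant with the permission set the reporter found to work.
RAU_SAS = ADD_ONLY_SAS.replace("sp=a", "sp=rau")

# Constructed log lines modelled on the old/new CLI requests in the thread.
OLD_CLI = ['urllib3.connectionpool : "POST /testprod?<> HTTP/1.1" 204 0']
NEW_CLI = ["urllib3.connectionpool : "
           "\"GET /testprod(PartitionKey='P1',RowKey='R1') HTTP/1.1\" 403 None"]

if __name__ == "__main__":
    for name, token, lines in [("add-only, old CLI", ADD_ONLY_SAS, OLD_CLI),
                               ("add-only, new CLI", ADD_ONLY_SAS, NEW_CLI),
                               ("rau, new CLI", RAU_SAS, NEW_CLI)]:
        print(name, replay(token, lines))
```

Running the same check over real `--debug` output before rotating a SAS to a narrower `sp` value shows which requests the narrower token would no longer cover.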