-
Notifications
You must be signed in to change notification settings - Fork 212
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[QUESTION] AzCopy list fails with "403 Server failed to authenticate the request." #77
Comments
Update:
Sorry that as work switch, I just find the replies here are out-of-date, hope above could help. At same time, thanks @JohnRusk for tracking the issue and help to provide suggestion. ===========History reply 2018=========== Thanks for reaching us. The error message: azcopy.exe login by default login to "microsoft.com" tenant, this can be customized with --tenant-id switch of login command. Please double check if the tenant you are login to is same as which 'mystorage' account belongs to. Another thing worth check is if you recently do a subscription migration in ARM? If that's the case, please check the latest tenant, and login accordingly. Best Regards, |
@jiacfan Thanks for the quick response. I forced the tenant with:
and now I get:
This account is a global administrator. I use this account with Azure Storage Explorer to upload files all the time.
|
Hi @MatthewMcD! We've recently introduced the "Blob Data Contributor" role on the storage accounts (https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-rbac). Please make sure your account has this role assigned and try again. Hope this helps! |
Thanks @artemuwka , I would have thought that a Global Administrator would have this right. For anyone looking for the Role in the UI it's called "Storage Blob Data Contributor (Preview)". For a Resource Group choose Access Control (IAM) | Add in the blade locate the role Storage Blob Data Contributor (Preview) and assign access to the Users, Groups or Roles as meets your needs. Thanks! |
For anyone stumbling into this like me: AzCopy sync as a Backup Solution |
Good grief, I set blob owner and it didn't work. Then I set contributor - thumbs up. |
I just spent 30 minutes trying to figure out what a "tenant-id" is and how to find it. This is very poorly documented. @jiacfan it would be nice to have he tool explain this could be the case. I'll also open a doc bug against https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-blobs which doesn't work for everybody as written. |
CC @normesta re @CIPop's comment above. FYI I find it odd that our docs seldom (never?) seem to come out and say:
|
I had the above problem... but what's weird is i was able to uplaod 10,000 jpgs into a folder called [container]/images without issue. But the second (local) folder fails (15k items)... I had the same experience as above with azcopy and then i was able to at least get az copy to "work" but i was able to upload files without this role before... i literally just added the role. Not sure if this is a bug or if different clients circumvent this issue, and if so why only for the first folder? |
That is weird @Amd3202 . I suspect there must be some logical explanation, but from your description I can't tell what that might be. |
Thanks yeah it's been a weird ride. but we got it working from a mix of using the portal and AZcopy app which is also no fun... oh well! i guess that's why we're lucky enough to be working sunday nights! |
I'm in a different timezone, so it's Monday already for me :-) Hope the rest of your Sunday goes smoothly and glad to hear you've got it working. |
Using AzCopy V10.3.3
|
UpdateFor CMD.EXE (or a .BAT) using a SAS token:
|
Hi, sorry to hear about the difficulties you had. FYI, your initial auth problem may have been the 5 min delay mentioned here: https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10?toc=%2fazure%2fstorage%2fblobs%2ftoc.json#choose-how-youll-provide-authorization-credentials "Keep in mind that RBAC role assignments can take up to five minutes to propagate." Yes, using SAS tokens in CMD is a pain, due to the parsing rules. As far as I can tell, those issues are CMD's parsing rules, rather than anything inside Azcopy itself. PowerShell does't have those problems. I encourage AzCopy users to use PowerShell. |
How is it that being an owner on a subscription doesn't give us the blob contributor permission? This does not make sense. I ended up just using SAS tokens for both source & destination storage accounts. |
@ahelwer I remember seeing an explanation of this that seemed to make sense to me when I read it. I can't seem to find it right now, sorry. |
Utterly ridiculous having to grant a special role to an owner. It goes against established principles and no matter how much microsoft thinks that's it makes sense, if azure is to compete, it should make sense without having to read articles and closed github tickets. -1 point to azure. |
Hi @LearnsHappily !!! I was played with SAS token but i couldn't upload one file, my mistake is SAS token Could you share the method to generate SAS Token? i was used the Version 2013-08-15 and Later from
but i didn't know what is the field "signedidentifier" or where i found it.
And the same result Error,
|
I am brand new to AzCopy so forgive me, but I have reviewed the readme.md and really tried to figure this one out. Eventually I'd like to test
sync
but I am stuck at the starting gate.Version 10.0.2-Preview
Windows 10
Commands
Error:
The text was updated successfully, but these errors were encountered: