AzCopy copy fails – RESPONSE Status : 403 This request is not authorized to perform this operation using this permission
Hope you all are doing good !!! 🙂 .
In our previous article we have discussed about, how to configure and use AzCopy too . Today in this article we will discuss how to address one issue we experienced during our work with AzCopy tool.
Previous Azure series :
- Learn Basics Of Azure Networking In 60 Hours
- Learn Basic Of Azure Active Directory And Azure Identity And Access Management
- Azure DevOps – Learn at one place
If you have missed our previous articles on Azure Storage and Database Series, please check it in following links.
- Part 1 – Overview Of Azure Storage and Database
- Part 2 – Azure Storage Account
- Part 3 – Azure Blob Storage
- Part 4 – Work With Azure Blob Storage
- Part 5 – Storage Explorer For Azure Storage
- Part 6 – Azure Blob Storage – Snapshot Using Storage Explorer
- Part 7 – Azure Blob Storage – Shared Access Signature (SAS)
- Part 8 – Secure Azure Storage Using Stored Access Policy
- Part 9 – Secure Azure Storage Using RBAC
- Part 10 – Configure Stored Access Policy Using PowerShell
- Part 11 – Get Shared Access Signature (SAS) Using PowerShell
- Part 12 – Azure Blob Storage – Host Static Website In Azure Storage Account
- Part 13 – Azure Blob Storage – Work With AzCopy Tool
Issue Details :
Azcopy is a great command-line tool for automating Azure storage, it is a simple yet powerful command line interface that allows you to copy files to and from Azure storage and between Azure storage accounts. In my last lab exercise, I was working with AzCopy tool. As we had to upload and download files from local drive to my Azure blob and vice verse. In that exercise we have successfully downloaded AzCopy tool for my windows workstation also successfully login to my subscription. Then I had to upload a file to my Azure blob container by using the following command.
azcopy copy “C:\Users\moharman\Desktop\Rasmita.pdf” “https://kj21storageacount.blob.core.windows.net/kj-container/AzCopy Authorization.png”
After few second I received a big error message, like RESPONSE Status : 403 This request is not authorized to perform this operation using this permission . Following is the details of the error message.
C:\MANAS DATA\AZURE\Azure_AZ-104\Azure Storage And Database Services\AZCopy\azcopy_windows_amd64_10.10.0>azcopy copy “C:\Users\moharman\Desktop\Rasmita.pdf” “https://kj21storageacount.blob.core.windows.net/kj-container/AzCopy Authorization.png”
INFO: Authenticating to destination using Azure AD
INFO: Any empty folders will not be processed, because source and/or destination doesn’t have full folder support
Job 69e09361-c4d3-b749-76da-a3759042812f has started
Log file is located at: C:\Users\moharman.azcopy\69e09361-c4d3-b749-76da-a3759042812f.log
INFO: Authentication failed, it is either not correct, or expired, or does not have the correct permission -> github.com/Azure/azure-storage-blob-go/azblob.newStorageError, /email@example.com/azblob/zc_storage_error.go:42
===== RESPONSE ERROR (ServiceCode=AuthorizationPermissionMismatch) =====
Description=This request is not authorized to perform this operation using this permission.
User-Agent: [AzCopy/10.10.0 Azure-Storage/0.13 (go1.15; Windows_NT)]
RESPONSE Status: 403 This request is not authorized to perform this operation using this permission.
Date: [Sat, 12 Jun 2021 11:13:13 GMT]
Server: [Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0]
As we can see the issue seems to be related to permissions. As I was writing an article on AzCopy tool, I knew that, the user must have at least one of the following role assignment to upload a new blob.
- Storage Blob Data Contributor
- Storage Blob Data Owner
The identity/account I was using has full access with all administrator roles assignment and owner roles assignment for the subscription and even I have configured the storage account and blob container using the same identity . So I was under impression that without the above role assignment I could upload the files but I was completely wrong. Also i came across with one article where it stated that, “Unlike most other areas in Azure the permissions of Owner don’t implicitly give you access to these ‘lower level’ permissions”.
Then I decided to assign one of the above role assignment to this account and for that I quickly move to my Storage Account (we can choose particular container also) => Access control (IAM) => Select Role Assignment Tab as showing in the following figure.
And added one of the required role assignment as showing in the following figure.
Now we have all required permission. When I re-run the command to upload file from my local drive to my azure container, it successfully uploaded my file as we can see in the following figures.
I hope this is informative to you. Please let me know if I missed anything important or if my understanding is not up to the mark.
Keep reading, share your thoughts, experiences. Feel free to contact us to discuss more.
If you have any suggestion / feedback / doubt, you are most welcome. Stay tuned on Knowledge-Junction, will come up with more such articles.
Thanks for reading 🙂 .
I am having a different 403 error. I am uploading large PST files for an email migration, and if the transfer takes too long, I get the same 403 Forbidden error that this article speaks about. I’m using the SAS logon documented by Microsoft here: https://docs.microsoft.com/en-us/microsoft-365/compliance/use-network-upload-to-import-pst-files?view=o365-worldwide
Smaller files are fine – but when the transfer takes too long, the log file is fine for ages and then all of a sudden spits out a 403 and terminates. If there are many files in the directory being copied, they then all fail consecutively.
Does azcopy create some sort of temporary key from the SAS URL (which presumably encodes a logon) that times out?