3

There are a few questions here on Stack Overflow on this matter, but all of them are about a lease due to a virtual machine and its disks. The answer then is to delete the disk first to be able to delete the storage account/container.

Example: How do I delete an Azure storage account containing a leased blob?

My problem is that I have a custom audit log for which we used a leased container (we don't want anyone to manipulate logs, obviously). But we moved these logs to another place, so now I want to delete the old resource. But I am unable to, due to the lease lock.

Most likely this is due to me not understanding how leases work. My first try was to break the lease and unlock. This has been done.

My assumption was that I could delete the resource now but I still get the error:

"Failed to delete 1 out of 1 container(s): auditlog-container: ContainerProtectedFromDeletion: The storage account stgutauditlog container auditlog-container is protected from deletion due to ImmutabilityPolicy."

So looking at this ImmutablePolicy I tried Blob Containers - Delete Immutability Policy but got the error message:

{
  "error": {
    "code": "ContainerImmutabilityPolicyFailure",
    "message": "Operation not allowed on immutability policy with incorrect etag."
  }
}

Looking at eTag, you are supposed to set the eTag version (only eTag related parameter) in the If-Match header. But I tried adding the eTag, tried * and others, but still the same message.

Trying the Blob Containers - Get Immutability Policy command to try and get the eTag, I only get the eTag already supplied and such:

{
  "id": "/subscriptions/<removed>/resourceGroups/<removed>/providers/Microsoft.Storage/storageAccounts/<removed>/blobServices/default/containers/auditlog-container/immutabilityPolicies/default",
  "name": "default",
  "type": "Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies",
  "etag": "\"<removed>\"",
  "properties": {
    "immutabilityPeriodSinceCreationInDays": 8,
    "state": "Locked"
  }
}

(Removed some information for security marked with removed in the code above)

Here it says locked... But how do I remove this lock??

Also deleting the files in it is not possible; the options are greyed out.

I don't know what step to take next or what I have missed. How do I delete this storage account/Container?

Any help appreciated!

abatishchev
JohanSellberg

2 Answers

1

@Swippen, I tried reproducing the scenario and got the below errors when trying to delete the container using PowerShell and Storage Explorer, where the immutable policy is in locked state. But when I tried using the portal to delete the same container, it was successfully deleted and worked for me. Could you try once deleting the container using the portal?

Note: Deleting a locked immutability policy is not allowed; the only way is to delete the container after deleting all blobs inside the container.

  • Well I guess my issue is in your Note.. My blobs inside the container are not deleted. (I still get an error when trying to delete the container in the portal.) I first thought I was unable to delete the files inside the container.. but it seems I am just unable to delete folders. When I drill down to a file I can delete.. So I guess I just have to go through all folders and delete all blobs separately first.. – JohanSellberg Jan 09 '19 at 07:46
  • Yes that was the issue.. After going through and deleting all separate blobs I was able to delete the container. Would have been nice to have that information in some sort of error message or warning.. That the container needs to be empty to be deleted. Anyways thanks for helping! – JohanSellberg Jan 09 '19 at 07:55
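
Added example, not part of the original answers or comments: a PowerShell sketch of the resolution described above, which empties the container blob by blob and removes the container only when nothing is left. It uses the same AzureRM / Azure.Storage cmdlets as the script on this page; the resource names are placeholders, and treating `LastModified` as the blob creation time for the 8-day retention check is an assumption.

```powershell
# Added example. Placeholder names; replace with your own values.
$ResourceGroupName  = "your resourcegroup name"
$StorageAccountName = "your storage account name"
$ContainerName      = "auditlog-container"
$RetentionDays      = 8   # immutabilityPeriodSinceCreationInDays from the locked policy

$Keys = Get-AzureRmStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
$Ctx  = New-AzureStorageContext -StorageAccountName $StorageAccountName -StorageAccountKey $Keys[0].Value

# Blob "folders" are only name prefixes, so there is nothing to delete at folder level.
# This listing is flat and returns every blob under every prefix.
$Blobs  = @(Get-AzureStorageBlob -Container $ContainerName -Context $Ctx)
$Cutoff = (Get-Date).ToUniversalTime().AddDays(-$RetentionDays)
$Failed = @()

foreach ($Blob in $Blobs) {
    # Assumption: LastModified approximates the creation time of a write-once blob.
    if ($Blob.LastModified.UtcDateTime -gt $Cutoff) {
        Write-Warning "Still inside the retention period, skipping: $($Blob.Name)"
        $Failed += $Blob.Name
        continue
    }
    try {
        Remove-AzureStorageBlob -Blob $Blob.Name -Container $ContainerName -Context $Ctx -Force -ErrorAction Stop
        Write-Output "Deleted blob: $($Blob.Name)"
    }
    catch {
        # A 409 here means the service still considers the blob protected.
        Write-Warning "Could not delete $($Blob.Name): $($_.Exception.Message)"
        $Failed += $Blob.Name
    }
}

# A container with a locked policy can only be removed once it is empty.
if ($Failed.Count -eq 0) {
    Remove-AzureStorageContainer -Name $ContainerName -Context $Ctx -Force -ErrorAction Stop
    Write-Output "Container $ContainerName removed"
}
else {
    Write-Warning "$($Failed.Count) blob(s) remain; container $ContainerName was not removed."
}
```

Blobs skipped by the retention check become deletable once the policy's retention interval has elapsed, after which the script can be run again.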
0

I would suggest you try the below PowerShell script to delete the specific container, if lease status is available. See if this helps you.

Login-AzureRmAccount
Set-AzureRmContext -SubscriptionID "yoursubscription id"
$ResourceGroupName = "your resourcegroup name"
$StorageAccountName = "your storage account name"
$StorageContainerNames = "container1, container2"

try{

## Get Storage Details
Write-Output ("Get Storage Account $StorageAccountName Keys")
$Keys = Get-AzureRmStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName;

Write-Output ("Get Storage Account $StorageAccountName Context")
$StorageContext = New-AzureStorageContext -StorageAccountName $StorageAccountName -StorageAccountKey $Keys[0].Value;

## Process Each Container
$StorageContainerNames.Split(",") | ForEach {

    $currentContainer = $_.Trim()   # drop the space left after each comma

    Write-Output ("Start Remove for Container $currentContainer")

    ## Remove Container
    if ((Get-AzureStorageContainer -Context $StorageContext | Where-Object { $_.Name -eq $currentContainer })){           

        ## Remove a Blob Container in the Storage Account
        Write-Output ("Removing Container: $currentContainer")
        Remove-AzureStorageContainer -Context $StorageContext -Name $currentContainer -Force;
        Write-Output ("Container $currentContainer Removed")           

    }
    else {

        Write-Warning "Container $currentContainer doesn't exists."

    }
}
}catch {

Write-Error "$($_.Exception.Message)"   # subexpression needed to expand the property inside a string

} 
  • Thank you for the suggestion, but the PowerShell script still gives a similar error as the portal: "Remove-AzureStorageContainer : Fjärrservern returnerade ett fel: (409) Konflikt. HTTP Status Code: 409 - HTTP Error Message: The requested operation is not allowed as the container has a locked immutability policy. At line:28 char:9..." – JohanSellberg Jan 08 '19 at 14:13