Azcopy error "This request is not authorized to perform this operation."

Question

I copied a container to another storage account based on the document linked below. (DataLake Storage Gen2).

When trying, I got the following error:

this request not authorized to perform this operations using this permission

https://learn.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10

Please edit your question and include the exact azcopy command you're using (obfuscate secret things like account key etc. obviously). — Gaurav Mantri, Mar 09 '20 at 14:26
Could you please which type of authorization credentials(https://learn.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10#choose-how-youll-provide-authorization-credentials) you use? — Jim Xu, Mar 10 '20 at 01:06

Cindy Pau · Answer 1 · 2020-03-11T02:18:28.247

31

If you are using AAD Token, this error is telling you that you need to add a role assignment to the user. Please go to Storage account -> Access Control -> Add -> Add role assignment, then add Storage Blob Data Owner to your login account.

If this problem persists, please provide more details.

edited Mar 11 '20 at 02:18

answered Mar 11 '20 at 02:12

Cindy Pau

13,085
1
15
27

15

Note that it might take up to 5 minutes to propagate the RBAC rule! [Source](https://learn.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10#option-1-use-azure-active-directory). – hammady Jul 06 '20 at 15:05
@hammady Thank you sharing your thought. I was getting the same error even after I had added myself to Storage Blob Data Owner role. But after waiting for 5 minutes or so, the AzCopy command successfully uploaded the file to Azure Blob storage. – nam Nov 22 '21 at 21:52
1

I was convinced having the Owner role gave me enough permissions, thanks for this answer. (Re: Add Role Assignment 'Storage Blob Data Owner') – Arran549 Feb 05 '23 at 19:50
Can anyone explain why the Owner role isn't enough-the Role Definition has the following permissions: Name : Owner Actions : { * } NotActions : {} DataActions : {} NotDataActions : {} AssignableScopes : {/} Storage Blob Data Owner has: Actions : {Microsoft.Storage/storageAccounts/b lobServices/containers/*, ... NotActions : {} DataActions : {Microsoft.Storage/storageAccounts/b lobServices/containers/blobs/*} NotDataActions : {} AssignableScopes : {/} – Arran549 Feb 05 '23 at 20:03

score 6 · Answer 2 · answered Nov 24 '21 at 16:21

After granting myself with role Storage Blob Data Owner on the container, then AzCopy will now behave itself and succeed in copying a file to the blob storage container.

go to storageaccount -> container -> Access control rules -> add role assignement -> Storage Blob Data Owner

score 5 · Answer 3 · edited Dec 20 '20 at 14:27

I also faced the same problem. For me to work I just log out and log in again on the azcopy cli after doing the @BowmanZhu solution

azcopy logout
azcopy login --tenant-id xxxx-xxxx-xxxx

If you don't want to login that way there is always the option to add a SAS token at the end of the URL. If you don't want to attach the token always at the end you can try for permanent access by going through any one of these steps you find in the official documentation page.

score 2 · Answer 4 · answered Dec 09 '22 at 14:12

2

In my case, my azure storage account vnet address was blocking the azcopy from copying the data over the storage account.

I added my client IP to allow a firewall address.

answered Dec 09 '22 at 14:12

Shahrukh lodhi

360
2
13

score 1 · Accepted Answer · answered Mar 11 '20 at 11:25

1

The SAS token has probably expired.

answered Mar 11 '20 at 11:25

11ohina017

139
8

score 1 · Answer 6 · answered May 15 '20 at 00:25

When I had this, I discovered it was because I'd used Azure Storage Explorer to generate a SAS that didn't have read permission, and I think it was trying to read the size/existence of a blob before writing it.

I got a clue from https://github.com/Azure/azure-storage-azcopy/issues/790 but ultimately I just regenerated a new SAS with read permission and it worked out..

I probably could ahve looked to modify the C# code using Azure Data Movement lib, to not perform a length check, but the spec was later changed to "don't overwrite" so the read permissions are probably needed anyway

pavan kumar katikam · Answer 7 · 2021-06-15T09:18:22.483

1

Give appropriate permissions(read, write, create) while generating SAS tokens as here

edited Jun 15 '21 at 09:18

answered Jun 15 '21 at 06:14

pavan kumar katikam

11
2

score 1 · Answer 8 · answered Feb 23 '22 at 11:35

Had a similar issue. That's how was resolved

Command used was .\azcopy.exe copy "C:\Users\kriof\Pictures" "https://test645676535storageaccount.blob.core.windows.net/images?sp=rw&st=2022-02-23T11:03:50Z&se=2022-02-23T19:03:50Z&spr=https&sv=2020-08-04&sr=c&sig=QRN%2SMFtU3zaUdd4adRddNFjM2K4ik7tNPSi2WRL0%3D"

SAS token had default(Read) permission only. Adding Write permission in Azure Portal, resolved the issue.

Azcopy error "This request is not authorized to perform this operation."

8 Answers8

Linked