azure-cli: Command "az storage blob sync" doesn't work with managed identity

Describe the bug

Command Name: az storage blob sync

Errors:

MSI auth not yet supported.
Traceback (most recent call last):
command_modules/storage/azcopy/util.py, ln 119, in client_auth_for_azcopy
    token_info = _unserialize_non_msi_token_payload(token_info)
command_modules/storage/azcopy/util.py, ln 142, in _unserialize_non_msi_token_payload
    parsed_authority = urlparse(token_info['_authority'])
KeyError: '_authority'

...

command_modules/storage/azcopy/util.py, ln 121, in client_auth_for_azcopy
    raise Exception('MSI auth not yet supported.')
Exception: MSI auth not yet supported.

To Reproduce:

Steps to reproduce the behavior:

  • az login --identity
[
  {
    "environmentName": "AzureCloud",
    "homeTenantId": "XXX",
    "id": "XXX",
    "isDefault": true,
    "managedByTenants": [],
    "name": "Some name",
    "state": "Enabled",
    "tenantId": "XXX",
    "user": {
      "assignedIdentityInfo": "MSI",
      "name": "systemAssignedIdentity",
      "type": "servicePrincipal"
    }
  }
]
  • az storage blob sync --account-name {storage account name} -c {container name} -s ./myFile.txt -d myFile.txt --auth-mode login

Expected Behavior

Sync file from local to Azure blob storage

Environment Summary

Linux-5.4.0-1031-azure-x86_64-with-debian-buster-sid
Python 3.6.10
Installer: DEB

azure-cli 2.15.1

Additional Context

The similar subcommand list works fine: az storage blob list -c {container name} --account-name {storage account name} --auth-mode login returns JSON with information about the blobs.

I can also sync files with the azcopy tool using the same managed identity.

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 7
  • Comments: 24 (7 by maintainers)

Most upvoted comments

Docs are also incorrect as docs state

Please specify one of the following authentication parameters for your commands: --auth-mode, --account-key, --connection-string, --sas-token

But obviously --auth-mode login doesn’t work in the case of az storage blob sync (as compared to az storage blob copy, where it does work)

@evelyn-ys So should this issue be reopened? Seems like it

@evelyn-ys Not if you disable key based auth on your storage account, you can’t.

Hi @evelyn-ys could you please reopen this issue? It is a critical one for us and, judging by this thread, others. We have separately raised it as an enterprise Azure ticket (Case 2305100030000406) as this product isn’t working as documented.

@evelyn-ys even if there is a technical blocker from implementation, this issue should be re-opened or closed as ‘not planned’ - this is definitely not ‘complete’ as the status would indicate.

Also, I would love to know what the technical blocker is…

@dvasdekis I’m sorry that there are technical blockers to integrating azcli with azcopy OAuth. But I don’t think it will block any scenario.

Azure CLI has already installed $HOME/.azcopy/azcopy.exe for Windows and ~/bin/azcopy for Linux after the first run of az storage blob sync, so you can run azcopy commands directly using AAD, just like you shared before:

~/bin/azcopy login --service-principal --tenant-id $tenantId --application-id $servicePrincipalId
~/bin/azcopy sync $(Build.SourcesDirectory)  https://$storageacct.blob.core.windows.net/platform-repo --recursive
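The workaround above, as an added wrapper script that is not part of the thread or of azure-cli: it tries az with --auth-mode login first, and only when the output carries the "MSI auth not yet supported" error from the traceback does it fall back to the azcopy binary the CLI dropped on first run, logging in with the managed identity so no account key or SAS is needed (which matters on accounts where key-based auth is disabled). It assumes azcopy v10's login --identity flag, the binary paths named in the comment, and the helper names (find_azcopy, needs_azcopy_fallback, blob_container_url, blob_sync_with_identity) are this script's own.

```shell
#!/bin/sh
# Added example: sync a local path to a container with azcopy under a managed
# identity when `az storage blob sync --auth-mode login` hits the MSI limitation.

# Locate the azcopy binary azure-cli installed. $1 = home directory to search
# (defaults to $HOME); paths are the ones named in the thread.
find_azcopy() {
  home="${1:-$HOME}"
  for candidate in "$home/bin/azcopy" "$home/.azcopy/azcopy.exe"; do
    if [ -x "$candidate" ]; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done
  return 1
}

# Return 0 when az output shows the MSI error quoted in the traceback above.
needs_azcopy_fallback() {
  printf '%s' "$1" | grep -q 'MSI auth not yet supported'
}

# Build the container URL from account and container name (hypothetical helper).
blob_container_url() {
  printf 'https://%s.blob.core.windows.net/%s\n' "$1" "$2"
}

# $1 = storage account, $2 = container, $3 = local source path.
blob_sync_with_identity() {
  account="$1"; container="$2"; src="$3"
  if out=$(az storage blob sync --account-name "$account" -c "$container" -s "$src" --auth-mode login 2>&1); then
    printf '%s\n' "$out"
    return 0
  fi
  if ! needs_azcopy_fallback "$out"; then
    printf '%s\n' "$out" >&2          # some other failure: surface it unchanged
    return 1
  fi
  azcopy=$(find_azcopy) || { echo 'azcopy not found; run az storage blob sync once to install it' >&2; return 1; }
  # Assumption: azcopy v10 supports `login --identity` for the VM's managed identity.
  "$azcopy" login --identity || return 1
  "$azcopy" sync "$src" "$(blob_container_url "$account" "$container")" --recursive
}
```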

@evelyn-ys Update, generate-sas gives

The command failed with an unexpected error. Here is the traceback:
'CredentialAdaptor' object has no attribute 'account_key'
Traceback (most recent call last):

if you use --auth-mode=login

Using a SAS token generated on an account without keys with az storage blob sync yields

   RESPONSE Status: 403 Key based authentication is not permitted on this storage account.
   Content-Length: [269]
   Content-Type: [application/xml]
   Date: [Tue, 05 Jul 2022 14:40:48 GMT]
   Server: [Microsoft-HTTPAPI/2.0]
   X-Ms-Error-Code: [KeyBasedAuthenticationNotPermitted]
   X-Ms-Request-Id: [b4ef2e04-601e-0076-267d-90825b000000]

Hi @Juliehzl, yes, AzCopy does have a way of accepting AD credential directly. Let’s set up some time to discuss the specifics.