azure-cli: storage container create permission issue

Describe the bug

Running the CLI command to create a container name results in an error implying the permissions are missing: az storage container create -n {} --sas-token {} --account-name {}

However, I am Owner on the Subscription and as such have full rights, including data plane. In addition, I have explicitly added myself to an RBAC role “Storage Blob Data Contributor (Preview)” (in addition to being an Owner on a subscription). This resulted in the same error. Repro steps below.

Command Name az storage container create

Errors:

The command failed with an unexpected error. Here is the traceback:

You do not have the required permissions needed to perform this operation.
Depending on your operation, you may need to be assigned one of the following roles:
    "Storage Blob Data Contributor (Preview)"
    "Storage Blob Data Reader (Preview)"
    "Storage Queue Data Contributor (Preview)"
    "Storage Queue Data Reader (Preview)"

If you want to use the old authentication method and allow querying for the right account key, please use the "--auth-mode" parameter and "key" value.

The command failed with an unexpected error. Here is the traceback:

'CommandResultItem' object is not iterable
Traceback (most recent call last):
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-v1m4qsu_\knack\knack\cli.py", line 212, in invoke
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-v1m4qsu_\knack\knack\output.py", line 132, in out
  File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-v1m4qsu_\knack\knack\output.py", line 38, in format_json
TypeError: 'CommandResultItem' object is not iterable

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

  • az storage container create -n {} --sas-token {} --account-name {}

az storage container create -n ala --sas-token "https://rname.blob.core.windows.net/rbcdatalake?se=2019-05-30T23%3A59Z&sp=rwdlacup&sv=2018-03-28&ss=b&srt=sco&sig=blah" --account-name somename1

Expected Behavior

container “ala” is created

Environment Summary

Windows-10-10.0.17763-SP0
Python 3.6.6
Shell: cmd.exe

azure-cli 2.0.64

Extensions:
dev-spaces-preview 0.1.6
resource-graph 0.1.8
storage-preview 0.2.5
subscription 0.1.1

Additional Context

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 7
  • Comments: 17 (7 by maintainers)

Most upvoted comments

For anyone else who comes across this… the --default-action [Allow | Deny] setting on a storage account sets the firewall rule “allow all networks” or the opposite.

If the machine you are running from does not have network access to the storage account then the create container command will fail, presumably because this particular command uses the REST API for the storage account itself rather than the management APIs. You can either set --default-action Allow or add your specific IP to the allowed range.

Is it possible that you configured a firewall that restricts the source IP of your request?
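
The firewall check that the two comments above point to, as an added example (not part of the original issue and not azure-cli code): it reads the `networkRuleSet` object from `az storage account show` JSON and reports whether a given client IP would pass. The sample JSON is constructed, the function name `client_ip_allowed` is hypothetical, and only `defaultAction` and `ipRules` are evaluated.

```python
from __future__ import annotations

import ipaddress
import json

# Constructed sample shaped like the "networkRuleSet" object in the JSON
# printed by `az storage account show`; addresses are documentation ranges.
SAMPLE_ACCOUNT_JSON = """
{
  "name": "somename1",
  "networkRuleSet": {
    "bypass": "AzureServices",
    "defaultAction": "Deny",
    "ipRules": [
      {"action": "Allow", "ipAddressOrRange": "203.0.113.0/24"},
      {"action": "Allow", "ipAddressOrRange": "198.51.100.7"}
    ],
    "virtualNetworkRules": []
  }
}
"""


def client_ip_allowed(account_json: str, client_ip: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a data-plane request from client_ip.

    Only defaultAction and ipRules are evaluated; virtual network rules and
    the service bypass setting are outside what this check covers.
    """
    rules = json.loads(account_json).get("networkRuleSet") or {}
    if rules.get("defaultAction", "Allow") == "Allow":
        return True, "defaultAction is Allow (all networks)"
    ip = ipaddress.ip_address(client_ip)
    for rule in rules.get("ipRules", []):
        if rule.get("action", "Allow") != "Allow":
            continue
        # strict=False accepts both single addresses and CIDR ranges.
        net = ipaddress.ip_network(rule["ipAddressOrRange"], strict=False)
        if ip.version == net.version and ip in net:
            return True, f"matched ipRule {rule['ipAddressOrRange']}"
    return False, "defaultAction is Deny and no ipRule matches"


if __name__ == "__main__":
    for addr in ("203.0.113.25", "198.51.100.7", "192.0.2.10"):
        print(addr, client_ip_allowed(SAMPLE_ACCOUNT_JSON, addr))
```

A `False` result for the machine's public IP means the request is stopped by the account firewall regardless of the Owner or data-plane roles held by the caller.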