azure-storage-azcopy: [QUESTION] AzCopy list fails with "403 Server failed to authenticate the request."

I am brand new to AzCopy so forgive me, but I have reviewed the readme.md and really tried to figure this one out. Eventually I’d like to test sync but I am stuck at the starting gate.

Version 10.0.2-Preview

Windows 10

Commands

ps> azcopy.exe login
Login succeeded.
ps> azcopy.exe list https://mystorage.blob.core.windows.net/backups
List is using OAuth token for authentication.

Error:

cannot list blobs for download. Failed with error -> github.com/Azure/azure-storage-azcopy/vendor/github.com/Azure/azure-storage-blob-go/2018-03-28/azblob.NewResponseError, /go/src/github.com/Azure/azure-storage-azcopy/vendor/github.com/Azure/azure-storage-blob-go/2018-03-28/azblob/zz_generated_response_error.go:28
===== RESPONSE ERROR (ServiceCode=AuthenticationFailed) =====
Description=Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
RequestId:db87066e-c01e-0173-67d6-5fb0b6000000
Time:2018-10-09T13:43:58.0479030Z, Details:
   AuthenticationErrorDetail: Issuer validation failed. Issuer did not match.
   GET https://mystorage.blob.core.windows.net/backups?comp=list&restype=container&timeout=901
   Authorization: REDACTED
   User-Agent: [AzCopy/v10.0.2-Preview Azure-Storage/0.1 (go1.10.3; Windows_NT)]
   X-Ms-Client-Request-Id: [8a047954-e7bf-4d30-77b0-ce3ea113e728]
   X-Ms-Version: [2018-03-28]
   --------------------------------------------------------------------------------
   RESPONSE Status: 403 Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
   Content-Length: [422]
   Content-Type: [application/xml]
   Date: [Tue, 09 Oct 2018 13:43:57 GMT]
   Server: [Microsoft-HTTPAPI/2.0]
   X-Ms-Error-Code: [AuthenticationFailed]
   X-Ms-Request-Id: [db87066e-c01e-0173-67d6-5fb0b6000000]

About this issue

  • State: closed
  • Created 6 years ago
  • Reactions: 8
  • Comments: 19 (8 by maintainers)

Most upvoted comments

Utterly ridiculous having to grant a special role to an owner. It goes against established principles and no matter how much Microsoft thinks that it makes sense, if Azure is to compete, it should make sense without having to read articles and closed GitHub tickets. -1 point to Azure.

Hi @MatthewMcD! We’ve recently introduced the “Blob Data Contributor” role on the storage accounts (https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-rbac). Please make sure your account has this role assigned and try again. Hope this helps!

For anyone stumbling into this like me: AzCopy sync as a Backup Solution

I just spent 30 minutes trying to figure out what a “tenant-id” is and how to find it. Turns out you need to log on to the portal, click on [image] then [image]. Now search for “Directory ID” and use that GUID.

This is very poorly documented. @jiacfan it would be nice to have the tool explain this could be the case. I’ll also open a doc bug against https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-blobs which doesn’t work for everybody as written.

Thanks @artemuwka, I would have thought that a Global Administrator would have this right. For anyone looking for the Role in the UI it’s called “Storage Blob Data Contributor (Preview)”. For a Resource Group choose Access Control (IAM) | Add, in the blade locate the role Storage Blob Data Contributor (Preview) and assign access to the Users, Groups or Roles as meets your needs.

Thanks!

Update

For CMD.EXE (or a .BAT) using a SAS token:

  1. Remove all quotes
  2. Replace all % with %% (escape it)
  3. Replace all & with ^& (escape it)

Execute the command. It works for me. Took me 3 hours to fight this hostile utility 😦
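The three steps from the comment above, as an added Python example (not part of the original comment and not AzCopy code). The SAS values in `SAMPLE` are constructed, the function names are hypothetical, and `seen_by_azcopy` is a simplified model of how cmd.exe reads an unquoted .bat argument; it does not model `%1`-style expansion of single percent signs.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: account/container names from the issue, made-up SAS values.
SAMPLE = ("https://mystorage.blob.core.windows.net/backups?sv=2019-02-02&sr=c"
          "&sp=rwdl&se=2030-01-01T00%3A00%3A00Z&sig=CONSTRUCTEDsig%2Bvalue%3D")

REQUIRED = {"sv", "sig"}        # fields a SAS query string must carry
UNCOVERED = set(' "^|<>!')      # cmd.exe metacharacters the three steps do not handle


def bat_escape_sas_url(url: str) -> str:
    """Return the URL as it must be typed, unquoted, on a .bat command line."""
    url = url.strip().strip("'\"")                      # step 1: remove quotes
    present = {key for key, _ in parse_qsl(urlsplit(url).query)}
    if REQUIRED - present:
        raise ValueError(f"not a complete SAS URL, missing {sorted(REQUIRED - present)}")
    if UNCOVERED & set(url):
        raise ValueError(f"needs extra escaping for {sorted(UNCOVERED & set(url))}")
    return url.replace("%", "%%").replace("&", "^&")    # steps 2 and 3


def seen_by_azcopy(bat_text: str) -> str:
    """Simplified model of what cmd.exe passes on from an unquoted .bat argument."""
    out, i = "", 0
    while i < len(bat_text):
        pair = bat_text[i:i + 2]
        if pair == "%%" or (pair[:1] == "^" and len(pair) == 2):
            out, i = out + pair[1], i + 2   # %% -> %, ^X -> X
        elif bat_text[i] == "&":
            break                           # a bare & ends the command
        else:
            out, i = out + bat_text[i], i + 1
    return out


def redact_sig(url: str) -> str:
    """Hide the signature before the command line is logged or pasted anywhere."""
    return re.sub(r"(?<=[?&]sig=)[^&]+", "REDACTED", url)


if __name__ == "__main__":
    print("azcopy.exe list", bat_escape_sas_url(SAMPLE))
    print("unescaped, azcopy would receive:", seen_by_azcopy(SAMPLE))
    print("log form:", redact_sig(SAMPLE))
```

Without the escaping, the model shows the URL cut off at the first `&`, so the `sig` parameter never reaches AzCopy.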

CC @normesta re @CIPop’s comment above. FYI I find it odd that our docs seldom (never?) seem to come out and say:

“Tenant” means “Azure Active Directory Instance”. I.e. a tenant is a particular directory. We use the word tenant instead of “directory” because “Active Directory Tenant” avoids the repetition that would arise with “Active Directory Directory”. [At least, I presume that’s why we use “tenant” instead of “directory”]

Update:

  • For 403 “AuthenticationErrorDetail: Issuer validation failed. Issuer did not match.” AzCopy v10 has changed to log in with the default tenant ID “common”. It can help to detect a custom tenant ID automatically, and customizing --tenant-id for a non-Microsoft tenant is no longer required. A special case is a Guest user (link), which is used in the multi-tenant B2B scenario. In this case, --tenant-id is necessary. If you see “AuthenticationErrorDetail: Issuer validation failed. Issuer did not match.”, please check if you’re using a B2B account, and specify --tenant-id explicitly.

  • For 403 “Description=This request is not authorized to perform this operation using this permission.” Please check if the role assignment has enough permission according to link. Additionally, please note that an initial role assignment may take 5 min to take effect (link)

Sorry, because of a work switch I only just found that the replies here are out of date; I hope the above helps. At the same time, thanks @JohnRusk for tracking the issue and helping to provide suggestions.

===========History reply 2018===========

Hi, @MatthewMcD

Thanks for reaching us.

The error message: “AuthenticationErrorDetail: Issuer validation failed. Issuer did not match.” is returned from the service side, which indicates that the Issuer for the token doesn’t match the account’s, and it’s likely caused by logging in to tenant A while using an account that belongs to tenant B.

azcopy.exe login by default logs in to the “microsoft.com” tenant; this can be customized with the --tenant-id switch of the login command.

Please double check if the tenant you are logged in to is the same as the one the ‘mystorage’ account belongs to.

Another thing worth checking is whether you recently did a subscription migration in ARM. If that’s the case, please check the latest tenant, and log in accordingly.

Best Regards, Jiachen
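The issuer mismatch described in this reply can be checked locally before a request is sent. The following is an added Python example, not part of the original thread and not AzCopy code: it decodes the `iss` claim of an access token and compares it with the Directory ID of the tenant that owns the storage account. The tokens and tenant GUIDs are constructed, the function names are hypothetical, and the two issuer URL forms are the ones Azure AD uses for v1 and v2 tokens.

```python
import base64
import json
import re

GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
# v1 issuer: https://sts.windows.net/<tenant>/
# v2 issuer: https://login.microsoftonline.com/<tenant>/v2.0
ISSUER_RE = re.compile(
    r"^https://(?:sts\.windows\.net|login\.microsoftonline\.com)/(" + GUID + r")/(?:v2\.0)?$",
    re.I)


def jwt_claims(token: str) -> dict:
    """Decode the payload of a JWT. No signature check: local diagnostic only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)   # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(padded))


def diagnose_issuer(token: str, storage_tenant_id: str) -> dict:
    """Compare the tenant that issued the token with the storage account's tenant."""
    claims = jwt_claims(token)
    m = ISSUER_RE.match(claims.get("iss", ""))
    issuer = m.group(1).lower() if m else None
    match = issuer == storage_tenant_id.lower()
    hint = "issuer matches" if match else (
        f"token issued by {issuer}; log in again with: "
        f"azcopy login --tenant-id {storage_tenant_id}")
    return {"issuer_tenant": issuer, "match": match, "hint": hint}


def make_sample_token(tenant_id: str) -> str:
    """Build a constructed, unsigned token for the demo (never a real credential)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    payload = {"iss": f"https://sts.windows.net/{tenant_id}/", "tid": tenant_id,
               "aud": "https://storage.azure.com"}
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(payload), "constructed"])


TENANT_A = "11111111-1111-1111-1111-111111111111"   # constructed: tenant of the login
TENANT_B = "22222222-2222-2222-2222-222222222222"   # constructed: tenant of the storage account

if __name__ == "__main__":
    print(diagnose_issuer(make_sample_token(TENANT_A), TENANT_B)["hint"])
```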

How is it that being an owner on a subscription doesn’t give us the blob contributor permission? This does not make sense. I ended up just using SAS tokens for both source & destination storage accounts.

Using AzCopy V10.3.3 What a FRUSTRATING experience!!!

Goal: copy a large file from a VM to a Blob container.

I am a tenant on the “regular” Microsoft cloud and logged in accordingly using “AzCopy login” (without the quotes of course). Actually, I tried it without and then with the parameter tenant-id= Both cases login was successful and I got a JSON token placed in C:\Users\LearnsHappily.azcopy; Although I am the OWNER of the Blob, I followed the illogical need to add to myself the “contributor” role. [non-trivial and poorly documented requirement] Then I executed “AzCopy copy” <local file> <blob url> and got repeatedly this message:

RESPONSE Status: 403 This request is not authorized to perform this operation using this permission.
Job 561573ff-afb4-144b-41f0-b2c34b353f02 summary
Elapsed Time (Minutes): 0.0669
Total Number Of Transfers: 1
Number of Transfers Completed: 0
Number of Transfers Failed: 1
Number of Transfers Skipped: 0
TotalBytesTransferred: 0

So, I decided to use a SAS token instead, per https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-blobs. I created the SAS token using the portal. This too failed: “no SAS token or OAuth token is present and the resource is not public”. So I created a new SAS using the Storage Explorer (right-click on the container and create a SAS token for all CRED operations). This too FAILED.

I am using a .bat file to execute the command. I tried using double quotes (per the documentation), single quotes, no quotes. It matters not. I’ve been unable to get AzCopy running as expected and needed.

What am I supposed to do?


I’m in a different timezone, so it’s Monday already for me 😃 Hope the rest of your Sunday goes smoothly and glad to hear you’ve got it working.

Thanks, yeah it’s been a weird ride, but we got it working from a mix of using the portal and the AzCopy app, which is also no fun… oh well! I guess that’s why we’re lucky enough to be working Sunday nights!

Good grief, I set blob owner and it didn’t work. Then I set contributor - thumbs up.