AzCopy Blob Storage List Containers Permission Denied
I'm using RBAC to perform a blob copy operation: the service principal which azcopy is logged in as has the Storage Blob Data Contributor role for my subscription (listed as a requirement here)... however, I get a permission denied exception as follows:
As you can see, the failing operation is to list the storage account containers (line 68 and 74)
I appreciate this isn't easy to debug without further info... but I'm pretty stumped, so if anyone has had a similar issue, I'd be very grateful for any observations/past experiences :)
Edit: please note that azcopy reports successful authentication:
INFO: SPN Auth via secret succeeded.
INFO: Scanning...
INFO: Authenticating to destination using Azure AD
INFO: Authenticating to source using Azure AD
Found this in the API docs:
Now, what's interesting here is that my service principal already had Owner permission on the subscription (infra pipeline stands up resources and assigns permissions etc.) - so I initially discounted this from being the issue... then, on a hunch, I assigned the Storage Blob Data Owner role directly on the storage account... and Voila - it worked!!
- YAML CI is flattening file structure
- How to add new secrets (from Azure Key Vault) to the variable group in Azure Devops
- Best practice for SPA rollback on Azure Static Webapp with Azure Devops Deployment?
- Azure Pipeline: Unable to locate executable file: 'gulp'. during task Gulp@1
- Azure Pipeline dynamic parameters to template file from YAML pipeline
- How to Simplify a Complex Azure DevOps Release Pipeline with 11 Environments and Unique Task
- (Azure DevOps Testplans) Is it possible to associate an automated Test to a testcase without Visual Studio?
- Can't update Azure Pipepline. Error: Failed to fetch App Service publishing credentials
- View is not found when a Web App is deployed with Azure DevOps
- Re-checking for merge conflicts in VSTS (Azure DevOps)
- How to pass Environment Variables to Helmfile Values file
- Create a new pipeline from existing YML file in the repository (Azure Pipelines)
- How to reference a secret variable from an AzurePowerShell@5 task
- How can you insert suggestions on a PR in Azure Devops?
- .Net Core - Use AzureAD/EntraID Authentication to Access Azure DevOps REST APIs
- Azure-DevOps clone shows references as warnings
- Is it possible to rename a release?
- How to assign test point to a tester in Azure DevOps with API
- Access Azure Devops Query Results Using C#
- What does --runAsAutoLogon do when configuring an Azure Devops Windows self-hosted agent?
- How to export multiple Azure DevOps Variable Groups?
- Passing branch names between pipelines
- Show list of work items I am following in VSTS?
- Prevent Azure Pipelines from failing build: No Agent Found in Pool which satisfies demand
- How do I get my Azure DevOps Pipeline build to fail when my linting script returns an error?
- Encountered conflicts when cherry-picking commit . This operation needs to be performed locally error in Azure DevOps
- Adding / setting Virtual Applications (Path mappings) to a Web App (App Service Azure) - via Powershell Script
- How do I filter releases for a specific Environment (Stage)?
- Python Script to crawl ADO Project for specific file and download it
- Run pre-built artefact in azure yaml pipeline