I am using Azure immutable storage, aka WORM (Write Once, Read Many).
I am trying to set the immutability policies using the `az` command line, as documented here. I can create policies from the CLI, but that's all. I cannot extend locked policies, nor can I lock unlocked ones.
Example (using PowerShell in Windows):
```powershell
$etag = az storage container immutability-policy show `
    --account-name <a-name> `
    --container-name <c-name> `
    --query etag `
    --output tsv
# This yields a sane-looking ETag, a 15-digit hexadecimal string.
az storage container immutability-policy lock `
    --account-name <a-name> `
    --container-name <c-name> `
    --if-match $etag
```
This gives an error message:
```
(ContainerImmutabilityPolicyFailure) Operation not allowed on immutability policy with incorrect etag. Code: ContainerImmutabilityPolicyFailure Message: Operation not allowed on immutability policy with incorrect etag.
```
I get the same error message if I send `--if-match *`.
If I omit `--if-match` entirely it throws an error.
If I try to look up the policy by ETag I can find the policy fine:
```powershell
az storage container immutability-policy show `
    --account-name <a-name> `
    --container-name <c-name> `
    --if-match $etag
```
Adding `--resource-group <r-name>` makes no difference.
I can lock and extend these policies fine from the Azure portal (browser GUI), logged in with the same credentials.
Apparently my login was set to the wrong subscription, and the error message is just bad. I think I fixed it by doing this:
```powershell
az account set --subscription <name-of-subscription-where-storage-account-is>
```
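
The subscription mismatch described in the answer can be checked before attempting the lock. The following is an added example, not part of the original post: the variable names are illustrative, `<a-name>` and `<c-name>` are the page's own placeholders, and it assumes the login can list the subscription that holds the storage account. It passes the global `--subscription` argument explicitly instead of relying on the CLI's active subscription.

```powershell
# Added example: find which subscription owns the storage account and pin it
# on the immutability-policy calls. Replace the placeholders with real values.
$AccountName   = '<a-name>'
$ContainerName = '<c-name>'

# Subscription the CLI currently targets.
$active = az account show --query id --output tsv

# Search every subscription visible to this login for the storage account.
# Storage account names are globally unique, so at most one match is expected.
$owner = $null
foreach ($sub in (az account list --query "[].id" --output tsv)) {
    $rg = az storage account list --subscription $sub `
        --query "[?name=='$AccountName'].resourceGroup" --output tsv
    if ($rg) { $owner = $sub; $resourceGroup = $rg; break }
}

if (-not $owner) {
    throw "Storage account '$AccountName' not found in any subscription visible to this login."
}
if ($owner -ne $active) {
    Write-Warning "Active subscription $active does not own '$AccountName'; it is in $owner."
}

# Read the current ETag from the owning subscription.
$etag = az storage container immutability-policy show `
    --subscription $owner `
    --resource-group $resourceGroup `
    --account-name $AccountName `
    --container-name $ContainerName `
    --query etag `
    --output tsv

# Locking a time-based retention policy cannot be undone; review $etag and
# the target container before running this step.
az storage container immutability-policy lock `
    --subscription $owner `
    --resource-group $resourceGroup `
    --account-name $AccountName `
    --container-name $ContainerName `
    --if-match $etag
```

If the warning fires, the active subscription differs from the one holding the storage account, which is the condition the answer resolves with `az account set`.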