azureamazon-s3azure-storageazcopy

AZ copy from AWS s3 buckets to Storage account which has been working suddenly throwing "Can not verify source"

I'm trying to copy a CSV file from an AWS S3 bucket to Azure Blob Storage using AzCopy. The command executes but fails with a 403 Forbidden error and the message CannotVerifyCopySource. Here's the relevant part of the debug output:

025/05/06 07:36:24 ==> REQUEST/RESPONSE (Try=1/210.157ms, OpTime=210.157ms) -- RESPONSE STATUS CODE ERROR
   PUT https://stsundar5.blob.core.windows.net/sundar5/Gold%20PTS_Sundar%20%235%20(South)_Hourly_2025050606_UTC.csv?[SAS_TOKEN_REDACTED]
   Content-Length: [0]
   User-Agent: [AzCopy/10.17.0 Azure-Storage/0.15 (go1.19.2; Windows_NT)]
   X-Ms-Blob-Cache-Control: []
   X-Ms-Blob-Content-Disposition: []
   X-Ms-Blob-Content-Encoding: []
   X-Ms-Blob-Content-Language: []
   X-Ms-Blob-Content-Type: [text/csv]
   X-Ms-Blob-Type: [BlockBlob]
   X-Ms-Client-Request-Id: [REDACTED]
   X-Ms-Copy-Source: [https://sundar5.s3.dualstack.us-east-2.amazonaws.com/Sundar%20%235%20(South)/Gold%20PTS_Sundar%20%235%20(South)_Hourly_2025050606_UTC.csv?[AWS_PRESIGNED_URL_REDACTED]]
   X-Ms-Version: [2020-10-02]
   --------------------------------------------------------------------------------
   RESPONSE Status: 403 F

    orbidden
       Content-Length: [200]
       Content-Type: [application/xml]
       Date: [Tue, 06 May 2025 07:36:24 GMT]
       Server: [Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0]
       X-Ms-Client-Request-Id: [REDACTED]
       X-Ms-Error-Code: [CannotVerifyCopySource]
       X-Ms-Request-Id: [REDACTED]
       X-Ms-Version: [2020-10-02]
    Response Details: 

<Code>CannotVerifyCopySource</Code><Message>Forbidden</Message>

2025/05/06 07:36:24 ERR: [P#0-T#0] COPYFAILED: https://sundar5.s3.us-east-2.amazonaws.com/Sundar%20%235%20(South)/Gold%20PTS_Sundar%20%235%20(South)_Hourly_2025050606_UTC.csv : 403 : 403 Forbidden. When Put Blob from URL. X-Ms-Request-Id: [REDACTED]

   Dst: https://stsundar5.blob.core.windows.net/sundar5/Gold%20PTS_Sundar%20%235%20(South)_Hourly_2025050606_UTC.csv?[SAS_TOKEN_REDACTED]

It seems Azure cannot verify the copy source from the S3 pre-signed URL.

Things I've verified: The AWS pre-signed URL is valid and accessible in the browser.

The SAS token for the Azure Blob container has racwli permissions.

The file exists in the source S3 bucket and the URL points to the correct object.

Command used (simplified):
bash

azcopy copy "https://sundar5.s3.us-east-2.amazonaws.com/...csv?[AWS_PRESIGNED_URL_REDACTED]" "https://stsundar5.blob.core.windows.net/sundar5?[AZURE_SAS_TOKEN_REDACTED]" --recursive=false

Question: What causes the CannotVerifyCopySource error when using AzCopy to copy from S3 to Azure Blob, and how can I resolve it?

Solution

  • I've written up some additional detail in a comment on a bug filed with the AzCopy team, but I believe this is a bug in Azure introduced on or around 5/5/2025.

    TL;DR based on our troubleshooting:

    Beginning on or around 5/5/2025, we believe the verification logic Azure uses on Source URLs changed — at least for AWS S3 presigned URLs. Azure is no longer including query string parameters in an initial HEAD request it performs on the Source URL. This causes the HEAD request to fail with a 403 Forbidden status code, resulting in a CannotVerifyCopySource error.

    As of 5/8/2025, the only known workaround is to download the file and upload it using LocalBlob.