Permission error when uploading blob to container via Azure CLI as Owner role #123883

apaulture opened this issue Jul 26, 2024 · 4 comments

@apaulture
Contributor

apaulture commented Jul 26, 2024

Type of issue

Other (describe below)

Feedback

az storage blob upload --auth-mode login --container-name <container> --account-name <storage-account> --name <name> --file <file-path>

You do not have the required permissions needed to perform this operation.
Depending on your operation, you may need to be assigned one of the following roles:
    "Storage Blob Data Owner"
    "Storage Blob Data Contributor"
    "Storage Blob Data Reader"
    "Storage Queue Data Contributor"
    "Storage Queue Data Reader"
    "Storage Table Data Contributor"
    "Storage Table Data Reader"

If you want to use the old authentication method and allow querying for the right account key, please use the "--auth-mode" parameter and "key" value.

role assignment list

[
  {
    "condition": null,
    "conditionVersion": null,
    "createdBy": "",
    "createdOn": "2023-03-24T23:31:36.292096+00:00",
    "delegatedManagedIdentityResourceId": null,
    "description": null,
    "id": "/subscriptions/<XXXXXXXX-XXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX>/providers/Microsoft.Authorization/roleAssignments/<XXXXXXXX-XXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX>",
    "name": "<XXXXXXXX-XXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX>",
    "principalId": "<XXXXXXXX-XXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX>",
    "principalName": "<name>#EXT#@<name>.onmicrosoft.com",
    "principalType": "User",
    "roleDefinitionId": "/subscriptions/<XXXXXXXX-XXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX>/providers/Microsoft.Authorization/roleDefinitions/<XXXXXXXX-XXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX>",
    "roleDefinitionName": "Owner",
    "scope": "/subscriptions/<XXXXXXXX-XXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX>",
    "type": "Microsoft.Authorization/roleAssignments",
    "updatedBy": "",
    "updatedOn": "2023-03-24T23:31:36.292096+00:00"
  }
]

After assigning role Storage Blob Data Contributor to security principal, upload works. Shouldn't Owner be able to upload blobs, or is this permission required?
"dataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"]

Page URL

https://learn.microsoft.com/en-us/azure/storage/blobs/storage-quickstart-blobs-cli

Content source URL

https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/storage/blobs/storage-quickstart-blobs-cli.md

Author

stevenmatthew

Document Id

K.A.


Document Details

Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.

@PesalaPavan
Contributor

@apaulture
Thanks for your feedback! We will investigate and update as appropriate.

@SaibabaBalapur-MSFT
Contributor

@apaulture

It seems like you are trying to upload a blob to a container in Azure Storage, but you are getting a permission error. The error message suggests that you need to be assigned one of the following roles: "Storage Blob Data Owner", "Storage Blob Data Contributor", or "Storage Blob Data Reader".

The Owner role should be able to upload blobs, but it's possible that the permission is not set up correctly. You can check the role assignments for your subscription by running the az role assignment list command.

If you see that your security principal has the Owner role assigned, then it's possible that there is an issue with the authentication method you are using. The error message suggests that you can use the old authentication method and allow querying for the right account key by using the "--auth-mode" parameter and "key" value.

Here is an example command to upload a blob using the "key" authentication method:

az storage blob upload --account-name <storage-account> --account-key <storage-account-key> --container-name <container> --name <blob-name> --type block --file <file-path>

Replace <storage-account>, <storage-account-key>, <container>, <blob-name>, and <file-path> with your own values.

I hope this helps! Let me know if you have any other questions.

For an issue like this, I'd recommend you create a support ticket since the support team will be able to respond much more quickly and have a conversation with you to figure out what could be going on.

@apaulture
Contributor Author

@SaibabaBalapur-MSFT
Here were the steps I took to test this issue:

  1. Created custom role using Owner role to populate baseline permissions
  2. Added the following permissions:
"dataActions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
],

After running the command, the blob successfully uploaded to the specified container.
Can we therefore safely assume the Owner role does not include permissions to upload blobs?
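
Azure RBAC keeps management operations (`actions`) and data operations (`dataActions`) in separate lists, which is the behaviour the test above ran into. The following is an added example, not code from this thread or from the Azure docs: it evaluates two constructed role definitions against the upload data action quoted in the issue. The role name `owner-plus-blob-data` and the helper names are hypothetical.

```python
import re

BLOBS = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs"
UPLOAD = BLOBS + "/add/action"  # data action quoted in the issue
LIST_KEYS = "Microsoft.Storage/storageAccounts/listKeys/action"  # control-plane action

# Constructed role definitions, trimmed to the "permissions" fields that
# `az role definition list` prints. OWNER mirrors the built-in role;
# OWNER_PLUS_BLOB_DATA is the custom role described in the comment above.
OWNER = {"roleName": "Owner", "permissions": [
    {"actions": ["*"], "notActions": [], "dataActions": [], "notDataActions": []}]}
OWNER_PLUS_BLOB_DATA = {"roleName": "owner-plus-blob-data (hypothetical name)", "permissions": [
    {"actions": ["*"], "notActions": [],
     "dataActions": [BLOBS + s for s in
                     ("/delete", "/read", "/write", "/move/action", "/add/action")],
     "notDataActions": []}]}


def _matches(pattern, operation):
    # Permission strings may contain * wildcards; compared case-insensitively here.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def allows(role, operation, plane):
    """True if the role grants `operation` on the given plane.

    plane="control" checks actions/notActions; plane="data" checks
    dataActions/notDataActions. The two lists are never mixed, so "*" in
    actions grants nothing on the data plane.
    """
    allow_key, deny_key = (("actions", "notActions") if plane == "control"
                           else ("dataActions", "notDataActions"))
    for perm in role["permissions"]:
        allowed = any(_matches(p, operation) for p in perm.get(allow_key, []))
        denied = any(_matches(p, operation) for p in perm.get(deny_key, []))
        if allowed and not denied:
            return True
    return False


if __name__ == "__main__":
    for role in (OWNER, OWNER_PLUS_BLOB_DATA):
        print(role["roleName"],
              "| upload via --auth-mode login:", allows(role, UPLOAD, "data"),
              "| can list account keys:", allows(role, LIST_KEYS, "control"))
```

The `LIST_KEYS` column shows why `--auth-mode key` can still work for an Owner: listing account keys is a control-plane action, and requests signed with the account key are not evaluated against data-plane role assignments.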

@SaibabaBalapur-MSFT
Contributor

@apaulture
Thanks for bringing this to our attention.
I'm going to assign this to the document author so they can take a look at it accordingly.

@stevenmatthew
Can you please check and add your comments on this doc update request as applicable.
