Closed jochenvw closed 4 years ago
--auth-mode login will find account credentials according to your login information. In this way, in "login" auth mode, you don't need to specify --account-key. But I think the reason you get this error message may be that you are using a storage account which is not in the login subscription. You can check using az account show to find the default subscription and verify if your storage account is in this subscription. If not, you can change the default subscription using az account set -s yoursubid.
In policy show, the operation target is policy not container, so we use --name for policy name and the container name is specified with -c. But in generate-sas, the target is container, so we define container name using -n.
@jochenvw what about your problem now?
I can consistently reproduce this in 2.0.75 by setting AZURE_STORAGE_SAS_TOKEN in the shell environment. My theory is that if the environment variable is set, the generate-sas command tries to use the token for authorisation, finds the token doesn't grant it sufficient permissions, then falls back to requiring an account key instead. After unsetting AZURE_STORAGE_SAS_TOKEN I can no longer reproduce the error.
Seems to be the same behaviour as #9346.
@Juliehzl: I'm able to reproduce this issue with AzureCloud as well as AzureChinaCloud. Service principals are used for az login in both environments.
I made sure that the default subscription is the one where the storage accounts reside, as you suggested. There is no AZURE_STORAGE_SAS_TOKEN environment variable set.
az storage container generate-sas -n <container_name> --account-name <account_name> --expiry $(date -u -d "1 hour" '+%Y-%m-%dT%H:%MZ') --auth-mode login
Errors:
self.account_key should not be None.
Traceback (most recent call last):
python3.6/site-packages/knack/cli.py, ln 206, in invoke
cmd_result = self.invocation.execute(args)
cli/core/commands/__init__.py, ln 578, in execute
raise ex
cli/core/commands/__init__.py, ln 636, in _run_jobs_serially
results.append(self._run_job(expanded_arg, cmd_copy))
cli/core/commands/__init__.py, ln 627, in _run_job
cmd_copy.exception_handler(ex)
...
storage/v2018_11_09/blob/baseblobservice.py, ln 421, in generate_container_shared_access_signature
_validate_not_none('self.account_key', self.account_key)
storage/v2018_11_09/common/_error.py, ln 130, in _validate_not_none
raise ValueError(_ERROR_VALUE_NONE.format(param_name))
ValueError: self.account_key should not be None.
Linux-4.4.0-18362-Microsoft-x86_64-with-debian-buster-sid
Python 3.6.5
Shell: bash
azure-cli 2.0.69 *
azure-cli-iot-ext 0.7.1
Extensions:
azure-cli-iot-ext 0.7.1
any update for this issue?
Still able to reproduce this issue with azure-cli 2.0.80
You need to remove parameter "--auth-mode" from the command as below:
az storage container generate-sas --account-name --expiry 2020-01-01 --name --permissions dlrw
Generate-sas needs the storage account key. If you specify --auth-mode login in the command, cli will try to use the login access token to generate sas, which is not supported. If both --auth-mode and --accountKey are not specified, cli will get the accountKey using the access token and generate sas token with the accountKey.
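Why the login token cannot stand in for the key, as an added example that is not part of the thread or azure-cli's own code: a service SAS is an HMAC-SHA256 signature keyed with the account key, so a credential holding only a token has nothing to sign with. The class names, the shortened string-to-sign and the sample key are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample key; not taken from the thread.
SAMPLE_KEY = base64.b64encode(b"constructed-demo-account-key-000").decode()


class SharedKeyCredential:
    """Hypothetical holder for the base64 account key (--account-key)."""
    def __init__(self, account_name, account_key):
        self.account_name = account_name
        self.account_key = account_key


class TokenCredential:
    """Hypothetical holder for an AAD bearer token (--auth-mode login)."""
    def __init__(self, account_name, token):
        self.account_name = account_name
        self.token = token
        self.account_key = None  # a login token carries no account key


def sign_container_sas(cred, container, permissions, expiry):
    """Return the base64 HMAC-SHA256 signature over a simplified string-to-sign."""
    if cred.account_key is None:
        # Same condition the traceback reports from _validate_not_none.
        raise ValueError("self.account_key should not be None.")
    # Assumption: shortened field list. The real string-to-sign has more
    # fields, but it is keyed with the account key in the same way.
    string_to_sign = "\n".join(
        [permissions, expiry, f"/blob/{cred.account_name}/{container}"]
    )
    key = base64.b64decode(cred.account_key)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def verify_container_sas(account_key, account_name, container, permissions, expiry, sig):
    """Service-side check: recompute with the stored key, compare in constant time."""
    cred = SharedKeyCredential(account_name, account_key)
    expected = sign_container_sas(cred, container, permissions, expiry)
    return hmac.compare_digest(expected, sig)
```

Because the signature depends only on the key and the signed fields, anyone holding the account key can mint a valid SAS offline, which is why the key has to be resolved before the command can sign anything.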
Close this issue since there is no response. Please help create a new issue if you still have questions.
Trying to generate a SAS key for my storage account obviously. I have a storage account with a container inside called drop and a policy on it, called client.
Here's the full command with parameter values:
As the error states, I did not specify account key, and here's why:
This works fine. I thought --auth-mode login results in not needing an --account-key as you're using the AAD identity to perform the operation. Am I correct and so, is this a bug?
Second point of feedback: in policy show, the container name is specified with -c, whereas in generate-sas, it's through -n. Is this deliberate, or maybe an inconsistency?
This is autogenerated. Please review and update as needed.
Describe the bug
Command Name
az storage container generate-sas
Errors:
To Reproduce:
Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.
az storage container generate-sas -n {} --auth-mode {} --policy-name {} --account-name {}
Expected Behavior
Environment Summary
Additional Context