Azure / azure-cli

Azure Command-Line Interface
MIT License

Authentication failure when uploading large blobs using SAS with create only permissions #16899

Open pzhokhov opened 3 years ago

pzhokhov commented 3 years ago

Describe the bug

Authentication failure when uploading large blobs using SAS (shared access signature) token with "create" only permissions (while upload of small blobs works ok)

To Reproduce

# 1. create test container
az storage container create --account-name <account_name> -n test
# 2. create small file
head -c 10000000 /dev/urandom > test10M.txt
# 3. create large file
head -c 100000000 /dev/urandom > test100M.txt
# 4. create sas (BSD/macOS date syntax, matching the Darwin environment below)
az storage container generate-sas --account-name <account_name> -n test --permissions c --expiry $(date -u -v "+7d" '+%Y-%m-%dT%H:%MZ')
# 5. upload of small file - ok
az storage blob upload --account-name <account_name> -c test --file test10M.txt -n test10M.txt --sas-token <token from step 4>
# 6. upload of large file - authentication failure (message below)
az storage blob upload --account-name <account_name> -c test --file test100M.txt -n test100M.txt --sas-token <token from step 4>

You do not have the required permissions needed to perform this operation.
Depending on your operation, you may need to be assigned one of the following roles:
    "Storage Blob Data Contributor"
    "Storage Blob Data Reader"
    "Storage Queue Data Contributor"
    "Storage Queue Data Reader"

If you want to use the old authentication method and allow querying for the right account key, please use the "--auth-mode" parameter and "key" value.

Expected behavior

Required permissions for blob upload should not depend on file size.

Environment summary

Darwin-19.6.0-x86_64-i386-64bit
Python 3.7.9
Installer: PIP

azure-cli 2.9.1

Additional context

If SAS has "write" permissions, upload of large files seems to succeed.

pzhokhov commented 3 years ago

edited the description above for better formatting and to remove account name from the command

yonzhan commented 3 years ago

storage

Juliehzl commented 3 years ago

@pzhokhov Thanks a lot for your feedback. To get right permissions for SAS token, you could refer to https://docs.microsoft.com/en-us/rest/api/storageservices/create-account-sas#account-sas-permissions-by-operation.

Juliehzl commented 3 years ago

But I think we still need to refine error message.

pzhokhov commented 3 years ago

@Juliehzl thanks for your response! If I understand your point correctly, here are two lines in the table you linked that are related to my particular issue:

| Operation | Signed Service | Signed Resource Type | Signed Permission |
|---|---|---|---|
| Put Blob (create new block blob) | Blob (b) | Object (o) | Create (c) or Write (w) |
| Put Blob (create new page blob) | Blob (b) | Object (o) | Create (c) or Write (w) |

I would expect that "Create (c) or Write (w)" means that either should work. However, in my example in the bug description I use "c", and upload of a large file still fails. Moreover, nowhere in the permission table does anything mention blob size (well, ok, maybe the block vs page blob - but they still require the same permissions). In other words, a better error message could help with identifying the correct permissions, but why do the required permissions change based on file size?

Juliehzl commented 3 years ago

Hi @pzhokhov , I think it is because for a large blob, we have to chunk it into multiple small blocks and upload with multiple REST calls; for the first one you could upload with c permission, but for the remaining parts to upload, you have to have w permission because the target blob is already there.

Update detailed permission description here https://docs.microsoft.com/en-us/rest/api/storageservices/create-service-sas#permissions-for-a-directory-container-or-blob.
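As an added example (not code from the azure-cli project or from anyone in this thread), a small Python preflight that applies the permission-by-operation mapping Juliehzl describes to a SAS token before any upload is attempted, so a least-privilege token can be checked against the REST calls the upload will actually make. The 64 MiB single-put threshold and the sample token are assumptions; the thread does not state the exact cutoff.

```python
from urllib.parse import parse_qs

# Permission letters each REST operation accepts, per the service-SAS
# permissions table linked in the thread: Put Blob takes Create (c) or
# Write (w); Put Block and Put Block List need Write. Page blobs omitted.
OPERATION_PERMISSIONS = {
    "Put Blob": {"c", "w"},
    "Put Block": {"w"},
    "Put Block List": {"w"},
}

# Assumed single-shot upload threshold (not stated in the thread): above
# this size the CLI switches from one Put Blob to chunked Put Block calls.
SINGLE_PUT_LIMIT = 64 * 1024 * 1024


def upload_operations(size, single_put_limit=SINGLE_PUT_LIMIT):
    """REST operations a block-blob upload of `size` bytes will issue."""
    if size <= single_put_limit:
        return ["Put Blob"]
    return ["Put Block", "Put Block List"]


def sas_permissions(sas_token):
    """Extract the permission letters from the `sp` field of a SAS token."""
    fields = parse_qs(sas_token.lstrip("?"))
    return set(fields.get("sp", [""])[0])


def preflight(sas_token, size, single_put_limit=SINGLE_PUT_LIMIT):
    """Return (ok, missing); `missing` maps each blocked operation to the
    permission letters that would satisfy it. No network call is made."""
    granted = sas_permissions(sas_token)
    missing = {}
    for op in upload_operations(size, single_put_limit):
        if not OPERATION_PERMISSIONS[op] & granted:
            missing[op] = sorted(OPERATION_PERMISSIONS[op])
    return (not missing, missing)


if __name__ == "__main__":
    # Constructed token: only the `sp` value matters for this check.
    token = "sv=2020-02-10&sp=c&sr=c&sig=PLACEHOLDER"
    for size in (10_000_000, 100_000_000):
        ok, missing = preflight(token, size)
        print(size, "ok" if ok else f"blocked: {missing}")
```

Run against the two file sizes from the repro, the 10 MB upload passes with `sp=c` while the 100 MB upload reports Put Block and Put Block List as needing `w`.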

pzhokhov commented 3 years ago

Understood, thanks! Is there then a recommended way to allow users to upload files to the same container, but not delete or modify each other's files? From your answer it sounds like that's not currently possible and users should be permissioned to different containers.