Open tete17 opened 7 months ago
Hi @tete17,
2.48.1 is not the latest Azure CLI (2.56.0).
If you haven't already attempted to do so, please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.
Thank you for opening this issue, we will look into it.
Hey @calvinhzy, did you have a chance to look into this?
Describe the bug
When performing an `az storage blob copy start` command to copy from one storage account to another with `--auth-mode login` and without `--source-account-key`, the CLI errors out unless the user has the capability to read the source storage account key. This is because the CLI uses the UploadFromURL API and creates a SAS URL for the source blob. To do so it requires the storage account key, which, if not provided, it queries from Azure directly.
Related command
Errors
Issue script & Debug output
Expected behavior
My expectation is that during the validation in `src/azure-cli/azure/cli/command_modules/storage/_validators.py:507` the code doesn't ask for the storage account key to create a SAS, but instead detects whether the user is able to create a user delegation SAS using the existing login credentials and uses that instead, allowing the command to succeed.
Environment Summary
azure-cli 2.48.1 *
core 2.48.1
telemetry 1.0.8
Dependencies:
msal 1.20.0
azure-mgmt-resource 22.0.0
Python location '/usr/local/bin/python'
Extensions directory '/root/.azure/cliextensions'
Python (Linux) 3.10.11 (main, Apr 5 2023, 23:58:40) [GCC 12.2.1 20220924]
Legal docs and information: aka.ms/AzureCliLegal
You have 3 update(s) available. Consider updating your CLI installation with 'az upgrade'
Additional context
This is the real reason for https://github.com/Azure/azure-cli/issues/9003
One expects that granting a UserManagedIdentity (in my particular case) the Storage Blob Data Reader role would suffice to copy data from that storage. The problem is that this command secretly requires the secret key (the equivalent of root mode) to be able to create SASs. With this change the aforementioned role would suffice again, since it includes the ability to create user delegation SASs. This is especially important from a security perspective, since I only want to give read access to my identity, and the secret key would expose me to a risk of privilege escalation very easily.
I have been trying to edit the code myself, but I am not very familiar with Python, and the way the official documentation makes use of the SDK is very different from what this code does.
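What the issue asks the CLI to do internally can be done by hand today, shown here as an added shell example that is not part of the issue or of the azure-cli project: mint a user delegation SAS for the source blob with the signed-in identity (`az storage blob generate-sas --as-user --auth-mode login`), then hand the resulting URL to `az storage blob copy start --source-uri`, so the source account key is never read. The account, container and blob names are placeholders, and it is assumed that passing a ready-made SAS URL keeps the CLI from looking up the source key (the key lookup described above is triggered by the account/container/blob form without `--source-account-key`). The signing identity needs a role on the source that allows generating a user delegation key (Storage Blob Data Reader is enough for read) and write access such as Storage Blob Data Contributor on the destination.

```bash
#!/usr/bin/env bash
# Added example, not azure-cli project code: cross-account blob copy that
# authorises the source with a user delegation SAS instead of the account key.
set -euo pipefail

# Placeholder names; override through the environment.
SRC_ACCOUNT="${SRC_ACCOUNT:-srcaccount}"
SRC_CONTAINER="${SRC_CONTAINER:-data}"
SRC_BLOB="${SRC_BLOB:-file.bin}"
DST_ACCOUNT="${DST_ACCOUNT:-dstaccount}"
DST_CONTAINER="${DST_CONTAINER:-backup}"
DST_BLOB="${DST_BLOB:-file.bin}"

# Compose https://<account>.blob.core.windows.net/<container>/<blob>?<sas>.
# Tolerates a SAS token that already carries its leading '?'. Blob names that
# need URL encoding are not handled here.
source_uri() {
  local account="$1" container="$2" blob="$3" sas="$4"
  sas="${sas#\?}"
  printf 'https://%s.blob.core.windows.net/%s/%s?%s\n' \
    "$account" "$container" "$blob" "$sas"
}

# Expiry timestamp for the SAS, N minutes from now (GNU date). Keep it short:
# a user delegation SAS cannot outlive the delegation key, which is capped at
# seven days, and a leaked token is only useful until this time.
sas_expiry() {
  date -u -d "+${1:-60} minutes" +%Y-%m-%dT%H:%MZ
}

copy_blob_with_delegation_sas() {
  local sas uri
  # --as-user signs the SAS with a user delegation key obtained through the
  # login credential; read-only permission is all the copy needs.
  sas="$(az storage blob generate-sas \
    --account-name "$SRC_ACCOUNT" \
    --container-name "$SRC_CONTAINER" \
    --name "$SRC_BLOB" \
    --permissions r \
    --expiry "$(sas_expiry 60)" \
    --auth-mode login \
    --as-user \
    --output tsv)"
  uri="$(source_uri "$SRC_ACCOUNT" "$SRC_CONTAINER" "$SRC_BLOB" "$sas")"

  # Destination is authorised with the same login; the source is authorised
  # by the SAS inside --source-uri, so no --source-account-key is needed.
  az storage blob copy start \
    --account-name "$DST_ACCOUNT" \
    --destination-container "$DST_CONTAINER" \
    --destination-blob "$DST_BLOB" \
    --source-uri "$uri" \
    --auth-mode login
}

# Only talk to Azure when explicitly asked, so the helpers can be sourced
# and checked without network access.
if [ "${1:-}" = "run" ]; then
  copy_blob_with_delegation_sas
fi
```

Run it as `bash copy.sh run` after `az login` (or on a VM/identity that `az login --identity` can use). If the `generate-sas` step fails with an authorization error, the identity lacks the user delegation key permission on the source account, which is exactly the role check the issue wants the CLI to perform instead of falling back to the account key.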