Azure / azure-powershell

Microsoft Azure PowerShell

Get/Set-AzStorageBlob runs into 403 - AuthorizationPermissionMismatch #26353

Closed crlgb closed 3 weeks ago

crlgb commented 1 month ago

Description

Running the command will end in an AuthorizationPermissionMismatch. I have tested and confirmed this behaviour on an Azure Function using -UseConnectedAccount. The needed permissions for the user / resource to access the storage account are given (Storage Blob Data Contributor).

Issue script & Debug output

$BlobContext = New-AzStorageContext -StorageAccountName <> -UseConnectedAccount
Set-AzStorageBlobContent -File <> -Container <> -Blob <> -Context $BlobContext -Force

Environment data

Name                           Value
----                           -----
PSVersion                      7.2.22
PSEdition                      Core
GitCommitId                    7.2.22
OS                             Linux 5.15.164.1-1.cm2 #1 SMP Sun Aug 18 19:16:21 UTC 2024
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

Name              : Az.Accounts
Version           : 3.0.0

Name              : Az.KeyVault
Version           : 6.0.0

Name              : Az.Storage
Version           : 7.0.0

Error output

InnerException   : False
Exception        : Microsoft.PowerShell.Commands.WriteErrorException: At /home/site/wwwroot/PushTableToBlob/run.ps1:24 char:17
                   + …             Set-AzStorageBlobContent -File $CustomPath -Container $Ta …
                   +               ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                   Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. HTTP Status Code: 403 - HTTP Error Message: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
                   ErrorCode: AuthenticationFailed
                   ErrorMessage: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
                   RequestId:X
                   Time:2024-10-16T17:X
                   AuthenticationErrorDetail: Issuer validation failed. Issuer did not match.
Message          : At /home/site/wwwroot/PushTableToBlob/run.ps1:24 char:17
                   + …             Set-AzStorageBlobContent -File $CustomPath -Container $Ta …
                   +               ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                   Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. HTTP Status Code: 403 - HTTP Error Message: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
                   ErrorCode: AuthenticationFailed
                   ErrorMessage: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
                   RequestId:X
                   Time:2024-10-16T17:X
                   AuthenticationErrorDetail: Issuer validation failed. Issuer did not match.
StackTrace       : 
HelpLink         : 
ErrorDetails     : 
ErrorCategory    : NotSpecified: (:) [Write-Error], WriteErrorException
InvocationInfo   : System.Management.Automation.InvocationInfo
ScriptStackTrace : at <ScriptBlock>, /home/site/wwwroot/PushTableToBlob/run.ps1: line 28

InnerException   : False
Exception        : Microsoft.Azure.Storage.StorageException: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. HTTP Status Code: 403 - HTTP Error Message: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
                   ErrorCode: AuthenticationFailed
                   ErrorMessage: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
                   RequestId:X
                   Time:2024-10-16T17:X
                   AuthenticationErrorDetail: Issuer validation failed. Issuer did not match.
                    ---> Microsoft.Azure.Storage.StorageException: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
                      at Microsoft.WindowsAzure.Commands.Storage.Common.DataMovementTransferHelper.DoTransfer(Func`1 doTransfer, ProgressRecord record, TaskOutputStream outputStream)
                      at Microsoft.WindowsAzure.Commands.Storage.Blob.SetAzureBlobContentCommand.Upload2Blob(Int64 taskId, IStorageBlobManagement localChannel, String filePath, CloudBlob blob)
                      at Microsoft.WindowsAzure.Commands.Storage.Common.LimitedConcurrencyTaskScheduler.RunConcurrentTask(Int64 taskId, Task task)
                   Request Information
                   RequestID:X
                   RequestDate:Wed, 16 Oct 2024 17:X
                   StatusMessage:Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
                   ErrorCode:AuthenticationFailed

crlgb commented 1 month ago

Reopening after moving from a user-based issue to the Azure Function context.

blueww commented 1 month ago

@crlgb

We can't repro this issue with the latest Az.Storage PowerShell module. Would you please share the request ID and the UTC repro time (in 3 days), so we can look into the server log to see why the error was reported from the server? Please make sure your logged-on MS Entra account has enough permission to access the blob. See details in https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory#azure-built-in-roles-for-blobs

If you are sure this is an Azure Function issue, the PowerShell team might not be the expert for Azure Functions; please contact the Azure Functions team or raise a support ticket with https://learn.microsoft.com/en-us/azure/azure-portal/supportability/how-to-create-azure-support-request#go-to-help--support-from-the-global-header Please provide details like the repro steps with Azure Function, the repro time (UTC) and the request ID in the support ticket for the server team's further investigation.
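
The error output in the report ends in `AuthenticationErrorDetail: Issuer validation failed. Issuer did not match.`, so the token's issuer and tenant are worth inspecting alongside the role assignment. As an added example (not part of this thread or of Az.Storage), the block below decodes a token's payload without verifying it and compares its `tid` claim with the tenant expected for the storage account; the function names, the sample token and the GUIDs are constructed for illustration.

```powershell
# Added diagnostic example; not code from the issue or from Az.Storage.
# Decodes the (unverified) payload of a JWT so issuer and tenant can be inspected.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWT (expected 3 dot-separated parts).' }
    # base64url -> base64: swap the URL-safe characters and restore padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
        1 { throw 'Invalid base64url length in JWT payload.' }
    }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    $json | ConvertFrom-Json
}

function Test-TokenTenant {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$ExpectedTenantId   # assumption: known to the operator
    )
    $claims = ConvertFrom-JwtPayload -Token $Token
    [pscustomobject]@{
        Issuer      = $claims.iss
        TokenTenant = $claims.tid
        Audience    = $claims.aud
        ObjectId    = $claims.oid
        TenantMatch = ($claims.tid -eq $ExpectedTenantId)
    }
}

# Constructed sample token (unsigned, placeholder GUIDs) so the block runs offline.
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$payload = @{ iss = 'https://sts.windows.net/11111111-1111-1111-1111-111111111111/'
              tid = '11111111-1111-1111-1111-111111111111'; aud = 'https://storage.azure.com/'
              oid = '33333333-3333-3333-3333-333333333333' } | ConvertTo-Json -Compress
$sample = '{0}.{1}.{2}' -f (ConvertTo-Base64Url '{"alg":"none"}'), (ConvertTo-Base64Url $payload), 'sig'

Test-TokenTenant -Token $sample -ExpectedTenantId '22222222-2222-2222-2222-222222222222'
# In the function app, pass the real token instead of $sample:
#   (Get-AzAccessToken -ResourceUrl 'https://storage.azure.com/').Token
# If your Az.Accounts version returns Token as a SecureString, convert it to plain text first.
```

Treat the decoded token as a secret: log only the claims shown here, never the token string itself.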

microsoft-github-policy-service[bot] commented 1 month ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @xgithubtriage.

microsoft-github-policy-service[bot] commented 3 weeks ago

Hi, we're sending this friendly reminder because we haven't heard back from you in a while. We need more information about this issue to help address it. Please be sure to give us your input within the next 7 days. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!