Azure / azure-storage-azcopy

The new Azure Storage data transfer utility - AzCopy v10
MIT License

AZCOPY_AUTO_LOGIN_TYPE="MSI" fails due to host port number interfering with trusted domain suffix detection #2792

Open ohads-MSFT opened 2 months ago

ohads-MSFT commented 2 months ago

Which version of the AzCopy was used?

10.26.0

Which platform are you using? (ex: Windows, Mac, Linux)

Linux

What command did you run?

```
# In an ACI container with an associated User-Assigned identity
$env:AZCOPY_AUTO_LOGIN_TYPE = "MSI"
azcopy copy "https://[account].blob.core.windows.net/[container]/[path/to/blob]?[SAS]" "https://[account].blob.core.windows.net/[container]/[path/to/blob]"
```

What problem was encountered?

failed to perform copy command due to error: the URL requires authentication. If this URL is in fact an Azure service, you can enable Azure authentication to XXX.blob.core.windows.net:443. To enable, view the documentation for the parameter --trusted-microsoft-suffixes, by running 'AzCopy copy --help'. BUT if this URL is not an Azure service, do NOT enable Azure authentication to it. Instead, see if the URL host supports authentication by way of a token that can be included in the URL's query string

It looks like the port number (which I didn't add/specify) is tripping up the suffix matching code: https://github.com/Azure/azure-storage-azcopy/blob/6413253a6e11c925656ddc05f98f28e57c670bfa/cmd/credentialUtil.go#L218

How can we reproduce the problem in the simplest way?

Run the command as above

Have you found a mitigation/solution?

Add `--trusted-microsoft-suffixes "*.${StorageDnsSuffix}:443"`

Output

```
INFO: Scanning...
INFO: Login with identity succeeded.
INFO: Authenticating to destination using Unknown, Please authenticate using Microsoft Entra ID ( https://aka.ms/AzCopy/AuthZ) , use AzCopy login, or append a SAS token to your Azure URL.
```

Log file

```
2024/08/26 18:47:46 AzcopyVersion 10.26.0
2024/08/26 18:47:46 OS-Environment linux
2024/08/26 18:47:46 OS-Architecture amd64
2024/08/26 18:47:46 Log times are in UTC. Local time is 26 Aug 2024 18:47:46
2024/08/26 18:47:46 Closing Log
2024/08/26 18:47:44 AzcopyVersion 10.26.0
2024/08/26 18:47:44 OS-Environment linux
2024/08/26 18:47:44 OS-Architecture amd64
2024/08/26 18:47:44 Log times are in UTC. Local time is 26 Aug 2024 18:47:44
2024/08/26 18:47:46 ISO 8601 START TIME: to copy files that changed before or after this job started, use the parameter --include-before=2024-08-26T18:47:39Z or --include-after=2024-08-26T18:47:39Z
2024/08/26 18:47:46 Authenticating to destination using Unknown, Please authenticate using Microsoft Entra ID ( https://aka.ms/AzCopy/AuthZ) , use AzCopy login, or append a SAS token to your Azure URL.
```

adreed-msft commented 2 months ago

We should trim the port here, would solve that.
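The behaviour discussed in this thread, as an added example that is not AzCopy's own code and is not part of either comment: a trusted-suffix check run against `url.Host` (which keeps `:443`) beside the same check run against `url.Hostname()` (port trimmed). The function names, the suffix list and the sample URLs are constructed for illustration, and the matcher is an assumed label-boundary implementation.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// trustedSuffixes is a constructed sample list, not AzCopy's built-in default.
var trustedSuffixes = []string{"*.core.windows.net"}

// matchesSuffix (hypothetical helper) reports whether host equals a suffix entry
// or ends with "." + entry, so the match always falls on a DNS label boundary.
func matchesSuffix(host string, suffixes []string) bool {
	host = strings.ToLower(host)
	for _, s := range suffixes {
		s = strings.ToLower(strings.TrimSpace(s))
		s = strings.TrimPrefix(strings.TrimPrefix(s, "*"), ".")
		if s != "" && (host == s || strings.HasSuffix(host, "."+s)) {
			return true
		}
	}
	return false
}

// trustedRaw checks u.Host, which still carries ":port" (the failing case).
func trustedRaw(raw string, suffixes []string) bool {
	u, err := url.Parse(raw)
	return err == nil && matchesSuffix(u.Host, suffixes)
}

// trustedTrimmed checks u.Hostname(), which drops the port before matching.
func trustedTrimmed(raw string, suffixes []string) bool {
	u, err := url.Parse(raw)
	return err == nil && matchesSuffix(u.Hostname(), suffixes)
}

func main() {
	urls := []string{ // constructed sample URLs
		"https://account.blob.core.windows.net/container/blob",
		"https://account.blob.core.windows.net:443/container/blob",
		"https://account.blob.core.windows.net.example.com:443/x",
		"https://evilcore.windows.net/x",
	}
	for _, raw := range urls {
		fmt.Printf("%-58s raw=%-5v trimmed=%v\n", raw,
			trustedRaw(raw, trustedSuffixes), trustedTrimmed(raw, trustedSuffixes))
	}
}
```

Trimming the port widens nothing about which domains are trusted: the last two URLs stay rejected under both checks because the comparison is made on the parsed hostname at a label boundary.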