MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Permission error when uploading blob to container via Azure CLI as Owner role #123883

Open apaulture opened 1 month ago

apaulture commented 1 month ago

Type of issue

Other (describe below)

Feedback

az storage blob upload --auth-mode login --container-name <container> --account-name <storage-account> --name <name> --file <file-path>

You do not have the required permissions needed to perform this operation.
Depending on your operation, you may need to be assigned one of the following roles:
    "Storage Blob Data Owner"
    "Storage Blob Data Contributor"
    "Storage Blob Data Reader"
    "Storage Queue Data Contributor"
    "Storage Queue Data Reader"
    "Storage Table Data Contributor"
    "Storage Table Data Reader"

If you want to use the old authentication method and allow querying for the right account key, please use the "--auth-mode" parameter and "key" value.

role assignment list

[
  {
    "condition": null,
    "conditionVersion": null,
    "createdBy": "",
    "createdOn": "2023-03-24T23:31:36.292096+00:00",
    "delegatedManagedIdentityResourceId": null,
    "description": null,
    "id": "/subscriptions/<XXXXXXXX-XXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX>/providers/Microsoft.Authorization/roleAssignments/<XXXXXXXX-XXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX>",
    "name": "<XXXXXXXX-XXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX>",
    "principalId": "<XXXXXXXX-XXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX>",
    "principalName": "<name>#EXT#@<name>.onmicrosoft.com",
    "principalType": "User",
    "roleDefinitionId": "/subscriptions/<XXXXXXXX-XXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX>/providers/Microsoft.Authorization/roleDefinitions/<XXXXXXXX-XXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX>",
    "roleDefinitionName": "Owner",
    "scope": "/subscriptions/<XXXXXXXX-XXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX>",
    "type": "Microsoft.Authorization/roleAssignments",
    "updatedBy": "",
    "updatedOn": "2023-03-24T23:31:36.292096+00:00"
  }
]

After assigning the Storage Blob Data Contributor role to the security principal, the upload works. Shouldn't Owner be able to upload blobs, or is this permission required? "dataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"]

Page URL

https://learn.microsoft.com/en-us/azure/storage/blobs/storage-quickstart-blobs-cli

Content source URL

https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/storage/blobs/storage-quickstart-blobs-cli.md

Author

stevenmatthew

Document Id

N/A


Document Details

Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.

PesalaPavan commented 1 month ago

@apaulture Thanks for your feedback! We will investigate and update as appropriate.

SaibabaBalapur-MSFT commented 1 month ago

@apaulture

It seems like you are trying to upload a blob to a container in Azure Storage, but you are getting a permission error. The error message suggests that you need to be assigned one of the following roles: "Storage Blob Data Owner", "Storage Blob Data Contributor", or "Storage Blob Data Reader".

The Owner role should be able to upload blobs, but it's possible that the permission is not set up correctly. You can check the role assignments for your subscription by running the az role assignment list command.

If you see that your security principal has the Owner role assigned, then it's possible that there is an issue with the authentication method you are using. The error message suggests that you can use the old authentication method and allow querying for the right account key by using the "--auth-mode" parameter and "key" value.

Here is an example command to upload a blob using the "key" authentication method:

az storage blob upload --account-name <storage-account> --account-key <storage-account-key> --container-name <container> --name <blob-name> --type block --source <file-path>

Replace <storage-account>, <storage-account-key>, <container>, <blob-name>, and <file-path> with your own values.

I hope this helps! Let me know if you have any other questions.

For an issue like this, I'd recommend you create a support ticket since the support team will be able to respond much more quickly and have a conversation with you to figure out what could be going on.

apaulture commented 1 month ago

@SaibabaBalapur-MSFT Here were the steps I took to test this issue:

  1. Created a custom role using the Owner role to populate baseline permissions
  2. Added the following permissions:
     "dataActions": [
       "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
       "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
       "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
       "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
       "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
     ],

After running the command, the blob successfully uploaded to the specified container. Can we therefore safely assume the Owner role does not include permissions to upload blobs?
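
Added example (mine, not code from the thread or the Azure docs): a small Python model of why the test above behaves as it does. Azure RBAC evaluates control-plane `actions` and data-plane `dataActions` separately, and the built-in Owner role grants `*` only on `actions`, so an AAD-authenticated blob write needs a role that lists the blob `dataActions`, while `--auth-mode key` only needs the control-plane `listKeys` action. The role definitions are simplified, the principal and resource IDs are constructed, and deny assignments and ABAC conditions are ignored.

```python
import fnmatch
# Constructed, simplified role definitions: Owner grants every control-plane action
# via "*" but has no dataActions; Storage Blob Data Contributor carries the blob
# dataActions quoted in the thread.
BLOBS = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs"
ROLES = {
    "Owner": {"actions": ["*"], "notActions": [],
              "dataActions": [], "notDataActions": []},
    "Storage Blob Data Contributor": {
        "actions": [], "notActions": [], "notDataActions": [],
        "dataActions": [f"{BLOBS}/delete", f"{BLOBS}/read", f"{BLOBS}/write",
                        f"{BLOBS}/move/action", f"{BLOBS}/add/action"]},
}

def _matches(operation, patterns):
    # Action strings are case-insensitive and "*" spans "/" segments.
    return any(fnmatch.fnmatchcase(operation.lower(), p.lower()) for p in patterns)

def _covers(scope, resource_id):
    # An assignment applies at its scope and everything beneath it.
    s, r = scope.rstrip("/").lower(), resource_id.rstrip("/").lower()
    return r == s or r.startswith(s + "/")

def is_allowed(assignments, principal, resource_id, operation, data_plane):
    """True if an applicable role grants `operation` in the requested plane.
    assignments: (principal, role name, scope) tuples. Deny assignments and
    ABAC conditions are out of scope for this model."""
    allow, deny = (("dataActions", "notDataActions") if data_plane
                   else ("actions", "notActions"))
    for who, role_name, scope in assignments:
        if who != principal or not _covers(scope, resource_id):
            continue
        role = ROLES[role_name]
        if _matches(operation, role[allow]) and not _matches(operation, role[deny]):
            return True
    return False

# Constructed IDs reproducing the thread: Owner assigned at subscription scope,
# then Storage Blob Data Contributor added on the storage account.
ACCOUNT = ("/subscriptions/SUB/resourceGroups/rg/providers/"
           "Microsoft.Storage/storageAccounts/acct")
OWNER_ONLY = [("alice", "Owner", "/subscriptions/SUB")]
WITH_SBDC = OWNER_ONLY + [("alice", "Storage Blob Data Contributor", ACCOUNT)]

def can_upload_blob(assignments):
    # `az storage blob upload --auth-mode login` is a data-plane blob write.
    return is_allowed(assignments, "alice", ACCOUNT, f"{BLOBS}/write", True)

def can_list_keys(assignments):
    # `--auth-mode key` only needs the control-plane listKeys action, which "*" covers.
    return is_allowed(assignments, "alice", ACCOUNT,
                      "Microsoft.Storage/storageAccounts/listKeys/action", False)
```

The key-based path works for an Owner precisely because it bypasses data-plane RBAC by fetching the shared account key, which is why granting a scoped data-plane role is the preferable fix.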

SaibabaBalapur-MSFT commented 1 month ago

@apaulture Thanks for bringing this to our attention. I'm going to assign this to the document author so they can take a look at it accordingly.

@stevenmatthew Can you please check and add your comments on this doc update request as applicable.