Is it possible to have az storage copy run as a service principal (i.e. with AZURE_TENANT_ID/AZURE_CLIENT_ID/AZURE_CLIENT_SECRET)?
We disallow "shared key authorization" as per Microsoft security recommendations.
We get the following error:
```
$ az login --service-principal --tenant=$AZURE_TENANT_ID --username=$AZURE_CLIENT_ID --password=$AZURE_CLIENT_SECRET
$ az storage copy --source-account-name=$ACCOUNT1 --source-container=$CON1 --account-name=$ACCOUNT2 --destination-container=$CON2 --recursive
...
There are no credentials provided in your command and environment, we will query for account key for your storage account.
It is recommended to provide --connection-string, --account-key or --sas-token in your command as credentials.
In addition, setting the corresponding environment variables can avoid inputting credentials in your command. Please use --help to get more information about environment variable usage.
...
Azcopy command: ['....azcopy', 'copy', 'https://....', '--recursive']
INFO: Scanning...
INFO: Failed to create one or more destination container(s). Your transfers may still succeed if the container already exists.
INFO: Any empty folders will not be processed, because source and/or destination doesn't have full folder support
failed to perform copy command due to error: cannot start job due to error: cannot list files due to reason -> github.com/Azure/azure-storage-blob-go/azblob.newStorageError, /home/vsts/go/pkg/mod/github.com/!azure/azure-storage-blob-go@v0.13.1-0.20210823171415-e7932f52ad61/azblob/zc_storage_error.go:42
===== RESPONSE ERROR (ServiceCode=KeyBasedAuthenticationNotPermitted) =====
Description=Key based authentication is not permitted on this storage account.
...
```
As per the az storage copy docs, only the following auth methods are supported: --account-key, --connection-string and --sas-token.
But connection strings are effectively based on account keys. And Service/Account SAS tokens can't be used in our scenario, since signing them with the shared access key is disallowed.
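One way to run the same copy with token-based (Azure AD / RBAC) auth rather than a key or SAS, as an added example that is not from the question's author or from the Azure CLI project: it calls azcopy directly (the tool az storage copy wraps) with azcopy's own service-principal environment variables, so no account key is ever queried. It assumes azcopy is installed, that the service principal holds the built-in Storage Blob Data Reader role on the source container and Storage Blob Data Contributor on the destination (role names assumed from Azure RBAC), and that the three AZURE_* variables from the question are exported; ACCOUNT1/CON1/ACCOUNT2/CON2 are the question's placeholders.

```shell
#!/bin/sh
# Added example: copy between two storage accounts with azcopy using a
# service principal instead of a shared key or SAS token.
# Assumptions: azcopy is installed; the SP has Storage Blob Data Reader on the
# source and Storage Blob Data Contributor on the destination; the AZURE_*
# variables are exported. AZCOPY_* variables are azcopy's own.

# Build the blob-endpoint URL for a container (no SAS appended on purpose).
blob_url() {
    printf 'https://%s.blob.core.windows.net/%s' "$1" "$2"
}

# Refuse to run unless SPN credentials are present, and refuse if a shared key
# or SAS token is lying around in the environment: with key auth disabled on
# the account they would fail anyway, and leaving them set invites a silent
# fallback to key-based auth if the policy is ever relaxed.
require_spn_env() {
    for v in AZURE_TENANT_ID AZURE_CLIENT_ID AZURE_CLIENT_SECRET; do
        eval "val=\${$v:-}"
        if [ -z "$val" ]; then
            echo "missing $v" >&2
            return 1
        fi
    done
    if [ -n "${AZURE_STORAGE_KEY:-}" ] || [ -n "${AZURE_STORAGE_SAS_TOKEN:-}" ]; then
        echo "refusing: shared key or SAS token present in environment" >&2
        return 2
    fi
    return 0
}

# Run the recursive copy. azcopy reads the SPN credentials from its own
# environment variables and obtains an Azure AD token, so the storage account
# is never asked for an account key.
spn_copy() {
    require_spn_env || return $?
    AZCOPY_AUTO_LOGIN_TYPE=SPN \
    AZCOPY_TENANT_ID="$AZURE_TENANT_ID" \
    AZCOPY_SPA_APPLICATION_ID="$AZURE_CLIENT_ID" \
    AZCOPY_SPA_CLIENT_SECRET="$AZURE_CLIENT_SECRET" \
    azcopy copy "$(blob_url "$1" "$2")" "$(blob_url "$3" "$4")" --recursive
}

# Usage (not executed here): spn_copy "$ACCOUNT1" "$CON1" "$ACCOUNT2" "$CON2"
```

Because the copy is server-side, the roles are checked on both accounts: a missing data-plane role on either side surfaces as an authorization error rather than the KeyBasedAuthenticationNotPermitted shown in the question.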