
Cannot use MSI to copy a blob between containers across storage accounts #29039

@AbelHu

Describe the bug

  1. Create an MSI
  2. Create an Azure VM
  3. Bind the MSI to the Azure VM
  4. Create a storage account sa in subscription s1 and another storage account sb in subscription s2
  5. Run az login --identity in the VM
  6. Run az storage blob copy start to copy a blob from sa to sb, but it threw "Source storage account sa not found."

Related command

The commands below failed:

az login --identity

az storage blob copy start \
	--auth-mode login \
	--account-name ${DESTINATION_STORAGE_ACCOUNT_NAME} \
	--destination-container ${DESTINATION_CONTAINER_NAME} \
	--destination-blob ${DESTINATION_BLOB_NAME} \
	--subscription ${SOURCE_SUB} \
	--source-account-name ${SOURCE_STORAGE_ACCOUNT_NAME} \
	--source-container ${SOURCE_STORAGE_CONTAINER_NAME} \
	--source-blob ${SOURCE_BLOB_NAME}

But the commands below succeeded:

az storage blob download  \
	--auth-mode login \
	--account-name ${SOURCE_STORAGE_ACCOUNT_NAME} \
	--container-name ${SOURCE_STORAGE_CONTAINER_NAME} \
	--name ${SOURCE_BLOB_NAME} \
	--file a.ps1
	
az storage blob upload  \
	--auth-mode login \
	--account-name ${DESTINATION_STORAGE_ACCOUNT_NAME} \
	--container-name ${DESTINATION_CONTAINER_NAME} \
	--name ${DESTINATION_BLOB_NAME} \
	--file a.ps1

Errors

Source storage account sa not found.

Issue script & Debug output

cli.knack.cli: Command arguments: ['storage', 'blob', 'copy', 'start', '--auth-mode', 'login', '--account-name', 'xxx', '--destination-container', 'sb', '--destination-blob', 'c.ps1', '--subscription', 'xxx', '--source-account-name', 'sa', '--source-container', 'xxx', '--source-blob', 'c.ps1', '--debug']
cli.knack.cli: init debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x7f01a436aa70>, <function OutputProducer.on_global_arguments at 0x7f01a3e74430>, <function CLIQuery.on_global_arguments at 0x7f01a3e9d630>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'storage': ['azure.cli.command_modules.storage']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: storage 0.063 57 269
cli.azure.cli.core: Total (1) 0.063 57 269
cli.azure.cli.core: Loaded 57 groups, 269 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : storage blob copy start
cli.azure.cli.core: Command table: storage blob copy start
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x7f01a0a21a20>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/home/xxx/.azure/commands/2024-05-28.08-09-56.storage_blob_copy_start.15036.log'.
az_command_data_logger: command args: storage blob copy start --auth-mode {} --account-name {} --destination-container {} --destination-blob {} --subscription {} --source-account-name {} --source-container {} --source-blob {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument.<locals>.add_subscription_parameter at 0x7f01a0a3a5f0>]
cli.azure.cli.core.profiles._shared: Traceback (most recent call last):
File "/opt/az/lib/python3.10/site-packages/azure/cli/core/profiles/_shared.py", line 624, in _get_attr
op = getattr(op, part)
AttributeError: module 'azure.mgmt.storage.v2022_05_01.models' has no attribute 'ActiveDirectoryPropertiesAccountType'

cli.azure.cli.core.profiles._shared: Traceback (most recent call last):
File "/opt/az/lib/python3.10/site-packages/azure/cli/core/profiles/_shared.py", line 624, in _get_attr
op = getattr(op, part)
AttributeError: module 'azure.mgmt.storage.v2022_05_01.models' has no attribute 'ListKeyExpand'

cli.azure.cli.core.profiles._shared: Traceback (most recent call last):
File "/opt/az/lib/python3.10/site-packages/azure/cli/core/profiles/_shared.py", line 624, in _get_attr
op = getattr(op, part)
AttributeError: module 'azure.mgmt.storage.v2022_05_01.models' has no attribute 'CorsRuleAllowedMethodsItem'

cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument.<locals>.add_ids_arguments at 0x7f01a0684ee0>, <function register_cache_arguments.<locals>.add_cache_arguments at 0x7f01a0685000>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.knack.cli: Event: CommandInvoker.OnPostParseArgs [<function OutputProducer.handle_output_argument at 0x7f01a3e744c0>, <function CLIQuery.handle_query_parameter at 0x7f01a3e9d6c0>, <function register_ids_argument.<locals>.parse_ids_arguments at 0x7f01a0684f70>]
urllib3.connectionpool: Starting new HTTP connection (1): 169.254.169.254:80
urllib3.connectionpool: http://169.254.169.254:80 "GET /metadata/identity/oauth2/token?resource=https%3A%2F%2Fmanagement.core.windows.net%2F&api-version=2018-02-01 HTTP/1.1" 200 1926
msrestazure.azure_active_directory: MSI: Retrieving a token from http://169.254.169.254/metadata/identity/oauth2/token, with payload {'resource': 'https://management.core.windows.net/', 'api-version': '2018-02-01'}
msrestazure.azure_active_directory: MSI: Token retrieved
cli.azure.cli.core.commands.client_factory: Getting management service client client_type=StorageManagementClient
urllib3.connectionpool: Starting new HTTP connection (1): 169.254.169.254:80
urllib3.connectionpool: http://169.254.169.254:80 "GET /metadata/identity/oauth2/token?resource=https%3A%2F%2Fmanagement.core.windows.net%2F&api-version=2018-02-01 HTTP/1.1" 200 1926
msrestazure.azure_active_directory: MSI: Retrieving a token from http://169.254.169.254/metadata/identity/oauth2/token, with payload {'resource': 'https://management.core.windows.net/', 'api-version': '2018-02-01'}
msrestazure.azure_active_directory: MSI: Token retrieved
cli.azure.cli.core.auth.adal_authentication: MSIAuthenticationWrapper.get_token: scopes=('https://management.core.windows.net//.default',), kwargs={}
msrestazure.azure_active_directory: MSI: token is found in cache.
cli.azure.cli.core.auth.adal_authentication: Normalize expires_on: '1716967557' -> 1716967557
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/xxx/providers/Microsoft.Storage/storageAccounts?api-version=2022-05-01'
cli.azure.cli.core.sdk.policies: Request method: 'GET'
cli.azure.cli.core.sdk.policies: Request headers:
cli.azure.cli.core.sdk.policies: 'Accept': 'application/json'
cli.azure.cli.core.sdk.policies: 'x-ms-client-request-id': 'ab9e45a9-1cc9-11ef-b547-000d3a6fbef8'
cli.azure.cli.core.sdk.policies: 'CommandName': 'storage blob copy start'
cli.azure.cli.core.sdk.policies: 'ParameterSetName': '--auth-mode --account-name --destination-container --destination-blob --subscription --source-account-name --source-container --source-blob --debug'
cli.azure.cli.core.sdk.policies: 'User-Agent': 'AZURECLI/2.40.0 (DEB) azsdk-python-azure-mgmt-storage/20.1.0 Python/3.10.5 (Linux-5.4.0-1095-azure-x86_64-with-glibc2.27)'
cli.azure.cli.core.sdk.policies: 'Authorization': '*****'
cli.azure.cli.core.sdk.policies: Request body:
cli.azure.cli.core.sdk.policies: This request has no body
urllib3.connectionpool: Starting new HTTPS connection (1): management.azure.com:443
urllib3.connectionpool: https://management.azure.com:443 "GET /subscriptions/xxx/providers/Microsoft.Storage/storageAccounts?api-version=2022-05-01 HTTP/1.1" 200 12
cli.azure.cli.core.sdk.policies: Response status: 200
cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies: 'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies: 'Content-Length': '12'
cli.azure.cli.core.sdk.policies: 'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies: 'Expires': '-1'
cli.azure.cli.core.sdk.policies: 'x-ms-request-id': '7e56eb7b-2c54-411f-86c5-c6d487554d6e'
cli.azure.cli.core.sdk.policies: 'x-ms-correlation-request-id': '7e56eb7b-2c54-411f-86c5-c6d487554d6e'
cli.azure.cli.core.sdk.policies: 'x-ms-routing-request-id': 'JAPANEAST:20240528T081000Z:7e56eb7b-2c54-411f-86c5-c6d487554d6e'
cli.azure.cli.core.sdk.policies: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
cli.azure.cli.core.sdk.policies: 'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies: 'X-Cache': 'CONFIG_NOCACHE'
cli.azure.cli.core.sdk.policies: 'X-MSEdge-Ref': 'Ref A: 30FF811EE7AC43C48AEA0A4D9E8CC0D4 Ref B: TYO201100113051 Ref C: 2024-05-28T08:09:57Z'
cli.azure.cli.core.sdk.policies: 'Date': 'Tue, 28 May 2024 08:09:59 GMT'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"value":[]}
cli.azure.cli.core.util: azure.cli.core.util.handle_exception is called with an exception:
cli.azure.cli.core.util: Traceback (most recent call last):
File "/opt/az/lib/python3.10/site-packages/azure/cli/command_modules/storage/_validators.py", line 508, in validate_source_url
source_account_key = _query_account_key(cmd.cli_ctx, source_account_name)
File "/opt/az/lib/python3.10/site-packages/azure/cli/command_modules/storage/_validators.py", line 39, in _query_account_key
rg, scf = _query_account_rg(cli_ctx, account_name)
File "/opt/az/lib/python3.10/site-packages/azure/cli/command_modules/storage/_validators.py", line 57, in _query_account_rg
raise ValueError("Storage account '{}' not found.".format(account_name))
ValueError: Storage account 'sa' not found.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/opt/az/lib/python3.10/site-packages/knack/cli.py", line 233, in invoke
cmd_result = self.invocation.execute(args)
File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 651, in execute
self._validation(expanded_arg)
File "/opt/az/lib/python3.10/site-packages/knack/invocation.py", line 113, in _validation
self._validate_arg_level(parsed_ns)
File "/opt/az/lib/python3.10/site-packages/azure/cli/core/commands/__init__.py", line 859, in _validate_arg_level
validator(**self._build_kwargs(validator, ns))
File "/opt/az/lib/python3.10/site-packages/azure/cli/command_modules/storage/_validators.py", line 510, in validate_source_url
raise RequiredArgumentMissingError('Source storage account {} not found.'.format(source_account_name))
azure.cli.core.azclierror.RequiredArgumentMissingError: Source storage account sa not found.

cli.azure.cli.core.azclierror: Source storage account sa not found.
az_command_data_logger: Source storage account sa not found.
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x7f01a0a21c60>]
az_command_data_logger: exit code: 1
cli.main: Command ran in 4.255 seconds (init: 0.152, invoke: 4.103)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 3411 in cache

Expected behavior

It can copy successfully.

Environment Summary

azure-cli 2.40.0 *

core 2.40.0 *
telemetry 1.0.8 *

Dependencies:
msal 1.18.0b1
azure-mgmt-resource 21.1.0b1

Python location '/opt/az/bin/python3'
Extensions directory '/home/abel/.azure/cliextensions'

Python (Linux) 3.10.5 (main, Sep 2 2022, 05:41:51) [GCC 7.5.0]

Legal docs and information: aka.ms/AzureCliLegal

Additional context

No response

Labels

Account: az login/account
Auto-Assign: Auto assign by bot
Auto-Resolve: Auto resolve by bot
Azure CLI Team: The command of the issue is owned by Azure CLI team
Storage: az storage
question: The issue doesn't require a change to the product in order to be resolved. Most issues start as that

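One way to triage `az ... --debug` output like the log in this report, added here as an example and not part of the original issue or the Azure CLI code base: it reports which token audiences were requested from IMDS, how many ARM list responses came back empty, and which storage validator frames appear in the traceback. The helper names `triage` and `_is_empty_list` are hypothetical and the sample lines are constructed from the shape of the log above; `https://storage.azure.com/` is the Azure Storage data-plane audience.

```python
import json
import re
from urllib.parse import unquote

# Constructed sample: lines shaped like the `az ... --debug` output in the report.
SAMPLE_LOG = '''\
urllib3.connectionpool: http://169.254.169.254:80 "GET /metadata/identity/oauth2/token?resource=https%3A%2F%2Fmanagement.core.windows.net%2F&api-version=2018-02-01 HTTP/1.1" 200 1926
cli.azure.cli.core.sdk.policies: Request URL: 'https://management.azure.com/subscriptions/xxx/providers/Microsoft.Storage/storageAccounts?api-version=2022-05-01'
cli.azure.cli.core.sdk.policies: Response content:
cli.azure.cli.core.sdk.policies: {"value":[]}
File "/opt/az/lib/python3.10/site-packages/azure/cli/command_modules/storage/_validators.py", line 57, in _query_account_rg
ValueError: Storage account 'sa' not found.
'''

STORAGE_AUDIENCE = "https://storage.azure.com/"  # Azure Storage data-plane audience


def _is_empty_list(body: str) -> bool:
    """True when a logged response body is an ARM list with no items."""
    try:
        return json.loads(body).get("value") == []
    except (ValueError, AttributeError):
        return False


def triage(log: str) -> dict:
    """Summarise which planes a debug run touched before it failed (hypothetical helper)."""
    # IMDS token requests carry the audience in the URL-encoded `resource` parameter.
    audiences = sorted({unquote(a) for a in re.findall(r'token\?resource=([^&\s"]+)', log)})
    # Control-plane (ARM) requests made by the CLI.
    arm_requests = re.findall(r"Request URL: '(https://management\.azure\.com/[^']+)'", log)
    # The body is logged on the line after "Response content:".
    bodies = re.findall(r"Response content:\n[^\n]*?: (\{.*\})", log)
    # Frames inside the storage validators show which pre-flight check raised.
    frames = re.findall(r'_validators\.py", line \d+, in (\w+)', log)
    return {
        "token_audiences": audiences,
        "arm_requests": arm_requests,
        "empty_arm_lists": sum(_is_empty_list(b) for b in bodies),
        "validator_frames": frames,
        "requested_storage_token": STORAGE_AUDIENCE in audiences,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

On the sample, the summary shows only a management-plane token, one empty storage account list, and a failure inside `_query_account_rg`, with no storage-audience token requested.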