Release 10.21.0 use System Assigned Managed Identity instead of User Assigned Managed Identity #2398

Closed
diodfr opened this issue Oct 3, 2023 · 2 comments

diodfr commented Oct 3, 2023

Which version of the AzCopy was used?

Note: The version is visible when running AzCopy without any argument

azcopy version 10.21.0

Which platform are you using? (ex: Windows, Mac, Linux)

Linux

What command did you run?

Note: Please remove the SAS to avoid exposing your credentials. If you cannot remember the exact command, please retrieve it from the beginning of the log file.
[root@myHost ~]# export AZCOPY_AUTO_LOGIN_TYPE=MSI
[root@myHost ~]# export AZCOPY_MSI_RESOURCE_STRING=/subscriptions/REDACTED/resourceGroups/rg-prod-REDACTED/providers/Microsoft.ManagedIdentity/userAssignedIdentities/MY-USER-ASSIGNED-ID

[root@myHost ~]# /usr/local/bin/azcopy --version
azcopy version 10.21.0
[root@myHost ~]# /usr/local/bin/azcopy cp 'https://REDACTED.blob.core.windows.net/REDACTED/*' /root/config/ --recursive
INFO: Scanning...
INFO: Login with identity succeeded.
INFO: Authenticating to source using Azure AD
INFO: Any empty folders will not be processed, because source and/or destination doesn't have full folder support

failed to perform copy command due to error: cannot start job due to error: cannot list files due to reason GET https://REDACTED.blob.core.windows.net/REDACTED
--------------------------------------------------------------------------------
RESPONSE 403: 403 This request is not authorized to perform this operation using this permission.
ERROR CODE: AuthorizationPermissionMismatch
--------------------------------------------------------------------------------
<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationPermissionMismatch</Code><Message>This request is not authorized to perform this operation using this permission.
RequestId:REDACTED
Time:2023-10-02T12:38:37.3773737Z</Message></Error>
--------------------------------------------------------------------------------
.

What problem was encountered?

We receive a 403 permission denied.
AzCopy uses the System Assigned Managed Identity instead of the User Assigned Managed Identity to connect to the blob (validated in the blob logs).

How can we reproduce the problem in the simplest way?

Create a user assigned identity (called USER_MSI)
Create a storage account and a container.
Grant "blob data reader" to USER_MSI on storage account.
Create a VM with a System Assigned Identity and a User Assigned Identity (USER_MSI)
Install azcopy 10.21.0.

Configure login:

export AZCOPY_AUTO_LOGIN_TYPE=MSI
export AZCOPY_MSI_RESOURCE_STRING=/subscriptions/REDACTED/resourceGroups/rg-prod-REDACTED/providers/Microsoft.ManagedIdentity/userAssignedIdentities/MY-USER-ASSIGNED-ID

Use azcopy to list or read files:

azcopy cp 'https://REDACTED.blob.core.windows.net/REDACTED/*' /root/config/ --recursive

Have you found a mitigation/solution?

Use the previous release:

[root@myHost ~]# export AZCOPY_AUTO_LOGIN_TYPE=MSI
[root@myHost ~]# export AZCOPY_MSI_RESOURCE_STRING=/subscriptions/REDACTED/resourceGroups/rg-prod-REDACTED/providers/Microsoft.ManagedIdentity/userAssignedIdentities/MY-USER-ASSIGNED-ID
[root@myHost ~]# cd azcopy_linux_amd64_10.19.0/
[root@myHost azcopy_linux_amd64_10.19.0]# ./azcopy cp 'https://REDACTED.blob.core.windows.net/REDACTED/*' /root/config/ --recursive
INFO: Scanning...
INFO: Login with identity succeeded.
INFO: Authenticating to source using Azure AD
INFO: Any empty folders will not be processed, because source and/or destination doesn't have full folder support

Job e3ce7701-009d-ff42-7b97-2a0a4a832deb has started
Log file is located at: /root/.azcopy/e3ce7701-009d-ff42-7b97-2a0a4a832deb.log

INFO: azcopy 10.19.0: A newer version 10.21.0 is available to download

100.0 %, 53 Done, 0 Failed, 0 Pending, 0 Skipped, 53 Total, 2-sec Throughput (Mb/s): 1.0051


Job e3ce7701-009d-ff42-7b97-2a0a4a832deb summary
Elapsed Time (Minutes): 0.0334
Number of File Transfers: 53
Number of Folder Property Transfers: 0
Number of Symlink Transfers: 0
Total Number of Transfers: 53
Number of File Transfers Completed: 53
Number of Folder Transfers Completed: 0
Number of File Transfers Failed: 0
Number of Folder Transfers Failed: 0
Number of File Transfers Skipped: 0
Number of Folder Transfers Skipped: 0
TotalBytesTransferred: 251443
Final Job Status: Completed
@gapra-msft
Member

Hi, just to clarify, are you trying to use system assigned managed identity with resource id? If so, there was a bug with the setting of resource ID in versions 10.21.X and 10.20.X. This issue should be resolved by the latest release of AzCopy 10.22.X and above as indicated in the issue linked above. Could you please upgrade and let us know if that bug fix resolves your issue?

@gapra-msft
Member

Closing due to lack of customer activity. Feel free to reopen in case the above suggestion does not work for you.
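
A way to confirm which managed identity a token was actually issued for, as an added example that is not part of the original issue or of AzCopy's code: it builds the IMDS token request with `msi_res_id` and classifies a token by its `xms_mirid` claim. The helper names, sample tokens and resource IDs are constructed for illustration, and it assumes the token carries `xms_mirid`.

```python
import base64
import json
from urllib.parse import urlencode

IMDS = "http://169.254.169.254/metadata/identity/oauth2/token"
UAMI_MARKER = "/providers/microsoft.managedidentity/userassignedidentities/"

def imds_token_url(resource, msi_res_id=None):
    """Token URL a VM requests with the header 'Metadata: true'.
    Without msi_res_id, IMDS chooses a default identity itself."""
    params = {"api-version": "2018-02-01", "resource": resource}
    if msi_res_id:
        params["msi_res_id"] = msi_res_id
    return IMDS + "?" + urlencode(params)

def jwt_claims(token):
    """Decode a JWT's claims WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def identity_kind(claims, expected_res_id):
    """Compare xms_mirid with the identity we asked for (ARM IDs ignore case)."""
    mirid = claims.get("xms_mirid", "").lower()
    if mirid == expected_res_id.lower():
        return "expected-user-assigned"
    if UAMI_MARKER in mirid:
        return "other-user-assigned"
    return "not-user-assigned" if mirid else "unknown"

def sample_token(claims):
    """Constructed, unsigned token for the offline demo below."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=")
    return "e30." + body.decode() + ".sig"

# Constructed sample values; the subscription, group and VM names are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
EXPECTED = SUB + "/resourceGroups/rg-example/providers/Microsoft.ManagedIdentity/userAssignedIdentities/USER_MSI"
USER_TOKEN = sample_token({"xms_mirid": SUB + "/resourcegroups/rg-example/providers/Microsoft.ManagedIdentity/userAssignedIdentities/USER_MSI"})
SYSTEM_TOKEN = sample_token({"xms_mirid": SUB + "/resourcegroups/rg-example/providers/Microsoft.Compute/virtualMachines/myHost"})

if __name__ == "__main__":
    print(imds_token_url("https://storage.azure.com/", EXPECTED))
    for name, tok in (("user", USER_TOKEN), ("system", SYSTEM_TOKEN)):
        print(name, identity_kind(jwt_claims(tok), EXPECTED))
```

A result of `not-user-assigned` for a request that named the user-assigned identity matches the symptom reported here: the 403 comes from a role assignment that exists only on the user-assigned identity.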
