Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

[BUG] BlobContainerClient throws Azure.RequestFailedException 409 if container already exists but account disallows public access

See original GitHub issue

Library name and version

Azure.Storage.Blobs 12.10.0

Describe the bug

Attempting to run this snippet on an existing container in a storage account that disallows public access:

BlobContainerClient cloudBlobContainer = this.BlobServiceClient.GetBlobContainerClient(strContainerName); await cloudBlobContainer.CreateIfNotExistsAsync(PublicAccessType.Blob);

throws an Azure.RequestFailedException: “409: Public access is not permitted on this storage account”.

BlobContainerClient409

BlobContainerClient409-2

BlobContainerClient409-3

Expected behavior

The method should end execution if the container exists without throwing an Azure.RequestFailedException due to public access level settings.

Actual behavior

The method throws an Azure.RequestFailedException at the Create step, although the container already exists.

Reproduction Steps

Set a storage account to disallow public access.
Call CreateIfNotExistsAsync with PublicAccessType.None on a container that already exists within the storage account; set to private access only.

Environment

Code written in package targeting .NET Standard 2.0

Used in Azure function hosted in Windows Runtime 3.13.1.0

Developed in Visual Studio 17.3.1

Issue Analytics

State:
Created a year ago
Comments:7 (3 by maintainers)

Top GitHub Comments

2reactions

amnguyecommented, Sep 8, 2022

That’s a security issue. Authorization should always be checked over performing the action.

If someone can check the existence of a container, without having the authorization, then anyone publicly poke at storage account to see if a container exists.

1reaction

Aussiemoncommented, Sep 8, 2022

This may be as-designed, but it is not intuitive behavior. The method name suggests the first condition is the container’s existence. The public access level check and resulting RequestFailedException should only occur when the container does not exist and needs to be created.

Without this change, the flow seems out of order:

Can we create -> Do we need to create -> Create container

but the expected flow is:

Do we need to create -> Can we create -> Create container

Perhaps this is a difference of opinion though, so I’m closing the bug.

Top Results From Across the Web

Azure Table Storage Exception: 409 Conflict unexpected?

If an error was returned (HTTP 409) because the container or table already exists then do nothing. The error is handled. If the...

Public access is not permitted on this storage account

Have you ever received an error message saying that public access is not permitted on this storage account while trying to access a...

Azure Blob Storage error codes

Error code HTTP status code User message BlobAlreadyExists Conflict (409) The specified blob already exists. BlobNotFound Not Found (404) The specified blob does not exist. ContainerAlreadyExists...

BlobContainerClient.CreateIfNotExists Method

Clients can enumerate blobs within the container via anonymous request, but cannot enumerate containers within the storage account. Blob specifies public read ...

Troubleshoot client application errors in Azure Storage ...

CreateIfNotExists method to create the blob container. This operation includes a HEAD request that checks for the existence of the container.