AzureFileCopy@4 requires access to the storage account key, despite documentation stating otherwise.
Required Information
Type: Bug
Task Name: AzureFileCopy@4

Environment
- Azure Pipelines
- Agent - Hosted:
  - Agent name: 'Azure Pipelines 3'
  - Current agent version: '2.195.2'
  - Operating System: Microsoft Windows Server 2016
Issue Description
In the official documentation of the Azure File Copy Task it is said that
The task supports authentication based on Azure Active Directory. Authentication using a service principal and managed identity are available. For managed identities, only system-wide managed identity is supported.
In the readme of the task AzureFileCopyV4, it is said that
As this version of task uses AzCopy 10, service principal needs to have one of these Storage Blob Data Contributor or Storage Blob Data Owner roles assigned to access resources.
I have set up a service principal and given it the Storage Blob Data Contributor role on a storage account.
When I run the pipeline, I get the following error:
2021-12-15T15:14:09.3656926Z ##[error]ExceptionMessage: The client '<REDACTED_OBJECT_ID>' with object id '<REDACTED_OBJECT_ID>' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/listKeys/action' over scope '/subscriptions/<REDACTED_SUBSCRIPTION_ID>/resourceGroups/<REDACTED_RESOURCE_GROUP_NAME>/providers/Microsoft.Storage/storageAccounts/<redacted_storage_account_name>' or the scope is invalid. If access was recently granted, please refresh your credentials. (in function: Get-AzRMStorageKeys)
If we look at the task's code, we clearly see that the function Get-AzRMStorageKeys is called by the function Get-AzureStorageKeyFromARM, which is called in the middle of the file AzureFileCopy.ps1, without any particular logic to prevent calling it.
This means that, contrary to what the documentation seems to indicate, this pipeline task always requires the storage account key to connect to the storage account, instead of using only the Storage Blob Data Contributor role, which should be enough for AzCopy.
Expected behavior
Authentication to a storage account using a storage account key is deprecated and should be replaced with Azure AD authentication, using the Storage Blob Data Contributor role. AzureFileCopy should support this more secure authentication method to upload files to a blob container. Or at least the documentation should not claim it does.
Extra information
This subject has already been brought up by another user on the developer community forum, without any real solution provided aside from “use Azure CLI task instead”.
Issue Analytics
- Created 2 years ago
- Reactions: 3
- Comments: 21 (8 by maintainers)
Is there someone working on the issue? If the StorageAccount is configured with allowSharedKeyAccess set to false, the task fails and still tries to use the Storage Key to check if the container exists and to create it.
So any updates regarding a timeline for a fix will be appreciated.
I had come across this one as well and have raised it with Microsoft as mentioned, and worked on a workaround utilising azure storage upload-batch as in https://learn.microsoft.com/en-us/cli/azure/storage/blob?view=azure-cli-latest#az-storage-blob-upload-batch
Command: az storage blob upload-batch -d '$(ContainerName)' -s $sourceDirectory --account-name $storageAccountName --auth-mode login in an AzureCLI@2 task with Script type 'ps'.
Hope this helps
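An Azure Pipelines fragment implementing the workaround from the comment above, as an added example that is not part of the issue or of the comments; the service connection name, the variable values and the artifact path are assumptions.

```yaml
# Added example (not from the issue or the comments).
# Assumptions: a service connection 'my-azure-rm-connection' whose service
# principal holds Storage Blob Data Contributor on the target storage account;
# StorageAccountName and ContainerName are ordinary pipeline variables.
variables:
  StorageAccountName: 'mystorageaccount'   # assumed value
  ContainerName: 'artifacts'               # assumed value

steps:
# The step being replaced. As shipped, AzureFileCopy@4 calls
# Get-AzRMStorageKeys, so the service principal would additionally need
# Microsoft.Storage/storageAccounts/listKeys/action (the error quoted in the
# issue) and the upload fails once allowSharedKeyAccess is set to false.
# - task: AzureFileCopy@4
#   inputs:
#     SourcePath: '$(Build.ArtifactStagingDirectory)/*'
#     azureSubscription: 'my-azure-rm-connection'
#     Destination: AzureBlob
#     storage: '$(StorageAccountName)'
#     ContainerName: '$(ContainerName)'

# Replacement: AzureCLI@2 with --auth-mode login. The CLI authenticates with
# the service connection's Azure AD token, so no storage account key is ever
# read and the RBAC data-plane role alone is sufficient.
- task: AzureCLI@2
  displayName: 'Upload build output to blob container (Azure AD auth)'
  inputs:
    azureSubscription: 'my-azure-rm-connection'   # assumed service connection
    scriptType: ps              # PowerShell on the Windows hosted agent, as in the comment
    scriptLocation: inlineScript
    inlineScript: |
      $sourceDirectory = "$(Build.ArtifactStagingDirectory)"   # assumed source path
      az storage blob upload-batch `
        --destination '$(ContainerName)' `
        --source $sourceDirectory `
        --account-name '$(StorageAccountName)' `
        --auth-mode login
      # Fail the step explicitly if the CLI reported an error.
      if ($LASTEXITCODE -ne 0) {
        throw "az storage blob upload-batch failed with exit code $LASTEXITCODE"
      }
```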