"azcopy cp" will put a blob, but "azcopy list" gives AuthorizationResourceTypeMismatch (Account SAS, yes it has read permissions)

Dave Lindquist 21 Reputation points

I've set up BLOB storage in Azure, and can do an "azcopy cp" command to successfully write BLOBs (I can browse to confirm that they are there).

However, any attempt to "azcopy list" with the SAME SAS fails with AuthorizationResourceTypeMismatch.

(I'm using an account-level SAS, and it has been assigned both read and write permissions.)

The transaction looks like this:

azcopy  list "https://XXXX.blob.core.windows.net/XXXX/backups/2020-08?sv=2017-07-29&ss=b&srt=o&sp=rwdlac&se=2100-01-01&st=2020-01-01&spr=https&sig=REDACTED"

failed to traverse container: cannot list files due to reason -> github.com/Azure/azure-storage-blob-go/azblob.newStorageError, /home/vsts/go/pkg/mod/github.com/!azure/azure-storage-blob-go@v0.10.0/azblob/zc_storage_error.go:42
===== RESPONSE ERROR (ServiceCode=AuthorizationResourceTypeMismatch) =====
Description=This request is not authorized to perform this operation using this resource type.
Time:2020-09-23T20:51:28.7187118Z, Details:
   Code: AuthorizationResourceTypeMismatch
   GET https://XXXX.blob.core.windows.net/XXXX?comp=list&delimiter=%2F&include=metadata&prefix=backups%2F2020-08%2F&restype=container&se=2100-01-01&sig=-REDACTED-&sp=rwdlac&spr=https&srt=o&ss=b&st=2020-01-01&sv=2017-07-29&timeout=901
   User-Agent: [AzCopy/10.5.1 Azure-Storage/0.10 (go1.13; linux)]
   X-Ms-Client-Request-Id: [####]
   X-Ms-Version: [2019-02-02]
   RESPONSE Status: 403 This request is not authorized to perform this operation using this resource type.
   Content-Length: [284]
   Content-Type: [application/xml]
   Date: [Wed, 23 Sep 2020 20:51:28 GMT]
   Server: [Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0]
   X-Ms-Client-Request-Id: [####]
   X-Ms-Error-Code: [AuthorizationResourceTypeMismatch]
   X-Ms-Request-Id: [####]
   X-Ms-Version: [2019-02-02]

I've checked:

  • That both read and write permissions are there - the URL says: sp=rwdlac
  • The URL is identical between the "cp" and "list" (it is)
  • The path is correct (tried it with and without the ending slash)
  • That the copy actually DID succeed (it did)
  • The azcopy cp and azcopy list are being executed from the exact same server

This is a token generated by terraform ("azurerm_storage_account_sas"), in case that matters (I did see some indications of problems with no time component on the st/se - but that seems to be a problem with azcopy parsing it, and I'm past that stage).

Is anyone able to give me any pointers on what I'm missing? It seems like this should be so simple?

Thanks in advance!


Accepted answer
  1. deherman-MSFT 34,436 Reputation points Microsoft Employee

    @Dave Lindquist
    I believe the issue is that your SAS token has SignedResourceTypes set to object, srt=o. If you wish to ListBlob you would also need SignedResourceTypes with container as well, srt=co. If you need to ListContainers then you would need srt=sco. For more information you can refer to the table here.

    Hope this helps! Please let us know if you have further questions or issues.


    Please don’t forget to "Accept the answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

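The resource-type mismatch described in the accepted answer, as an added example that is not part of the original thread or of azcopy: a pre-flight check that reads `ss`, `srt` and `sp` from an account SAS URL and reports which field blocks an operation, plus the narrowest `srt` for a set of operations. The function names and the four-operation table are assumptions for illustration; expiry and signature are not checked.

```python
from urllib.parse import urlsplit, parse_qs

# Subset of the account SAS operations table (assumed mapping for this example):
# operation -> (service, resource type, permissions that authorize it)
REQUIREMENTS = {
    "Put Blob":        ("b", "o", "wc"),  # object-level; write or create
    "Get Blob":        ("b", "o", "r"),   # object-level; read
    "List Blobs":      ("b", "c", "l"),   # container-level; list
    "List Containers": ("b", "s", "l"),   # service-level; list
}

def check_account_sas(url, operation):
    """Return the reasons the SAS in `url` cannot authorize `operation` (empty list = covered)."""
    query = parse_qs(urlsplit(url).query)
    ss, srt, sp = (query.get(k, [""])[0] for k in ("ss", "srt", "sp"))
    service, rtype, perms = REQUIREMENTS[operation]
    problems = []
    if service not in ss:
        problems.append(f"ss={ss} lacks service '{service}'")
    if rtype not in srt:
        problems.append(f"srt={srt} lacks resource type '{rtype}'")
    if not set(perms) & set(sp):
        problems.append(f"sp={sp} lacks any of '{perms}'")
    return problems

def minimal_srt(operations):
    """Smallest srt value covering `operations`, written in the order s, c, o."""
    needed = {REQUIREMENTS[op][1] for op in operations}
    return "".join(t for t in "sco" if t in needed)

# Constructed sample: the question's URL shape, with its placeholders and a redacted signature.
SAS_URL = ("https://XXXX.blob.core.windows.net/XXXX/backups/2020-08"
           "?sv=2017-07-29&ss=b&srt=o&sp=rwdlac&se=2100-01-01&st=2020-01-01&spr=https&sig=REDACTED")

if __name__ == "__main__":
    for op in ("Put Blob", "List Blobs"):
        print(op, "->", check_account_sas(SAS_URL, op) or "covered")
    print("srt for cp + list:", minimal_srt(["Put Blob", "List Blobs"]))
```

Requesting only the resource types the workload uses (`co` for copy plus list, rather than `sco`) keeps the token from also authorizing service-level calls such as listing every container in the account.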

1 additional answer

  1. Dave Lindquist 21 Reputation points

    And that solved it! Thanks very much!

    (That is really non-obvious, although in retrospect it makes sense. Hopefully your answer here can help anyone else encountering this! Thanks!)