Cannot verify copy source across tenant with SAS or shared key

Nicole Crowley 0 Reputation points
2023-11-12T14:38:12.33+00:00

We are trying to move blobs from one storage tenant to another using the .net SDK. In doing so, when trying to use methods like StartCopyFromUriAsync or SyncUploadFromUriAsync or SyncCopyFromUriAsync we get an error "(This request is not authorized to perform this operation.)\r\nErrorCode: CannotVerifyCopySource"

According to the documentation it states that since we have not allow anonymous access to the source blobs/container we can use SAS to authorize the copy. Yet we are getting this error.

I've tried everything in an attempt to get this to work as documented. I tried generating the SAS URI using our storage shared key credential, I've used a SAS we have available. I've set permissions to read and even "all". We've tried setting permissions at the container level and for the specify blob as we copy, nothing works.

Azure Blob Storage
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
2,859 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Anand Prakash Yadav 7,790 Reputation points Microsoft Vendor
    2023-11-14T11:24:44.78+00:00

    Hello Nicole Crowley,

    Thank you for posting your query here!

    I understand that you are moving blobs from one storage tenant to another using the .net SDK and getting the error "(This request is not authorized to perform this operation.)\r\nErrorCode: CannotVerifyCopySource"

    There can be a lot of reasons users can’t read/write content on Azure storage containers and access blob objects on storage accounts.

    First, please try to change Azure Storage's security and network settings:

    Go to Azure portal and find the storage account. And then go to Networking tab in Security + networking group.

    If the blob storage is public, you can configure the firewall and virtual networks to allow access from all networks.

    User's image

    If the storage is not public, you can create a virtual network and then only grant access to your resources in the specific network. You can also configure specific IP address.
    User's image

    Refer to page for more details about how to make these settings: https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal

    You may also check and assign a storage contributor role, as without a contributor role, it’s not possible to read/write data on a storage account, which might be causing the error.

    Please go to Storage account -> Access Control (IAM) -> Add -> Add role assignment, then add Storage Blob Data Contributor/ Storage Blob Data Owner to your login account.

    Also, please do confirm that the SAS token has not expired. If it has expired, you will need to generate a new SAS token with a valid expiry date.

    Kindly let us know if you have any further queries. I’m happy to assist you further.


    Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.


  2. SAMIT SARKAR 791 Reputation points Microsoft Employee
    2023-11-16T17:09:22.9266667+00:00

    Hello @Nicole,
    I appreciate the information you've shared. Following your recent updates, I attempted to reproduce the issue using the sample code (Refer Inline) in a .NET Framework 4.8 console application, but I wasn't able to encounter the problem.

    Hope this helps.

    using Azure.Storage.Blobs;// Install the Nuget package Latest version
    using System;
    using System.IO;
    using System.Net;
    namespace ConsoleApp3
    {
        internal class Program
        {
            static void Main(string[] args)
            {
                copytest();
            }
    
            static void copytest()
            {
                Console.WriteLine("Start");
                Uri sourceUrl = new Uri("");//update the URL here            
                var client = new WebClient();
                client.DownloadString(sourceUrl);// If you get an exception in this line that means the webclient is not able to access the source URL. and based on the error you can troubleshoot further on this souce URL.
    
                Console.Write(client.ResponseHeaders);
                Console.ReadLine();
    
                string destinationContainer = "XXXX";//update the container name
                string destconnectionstr = @"XXXXXXXXXX";//update the connection string
    
                BlobContainerClient container = new BlobContainerClient(destconnectionstr, destinationContainer);
    
                string newFileName = "testaa" +Guid.NewGuid() + Path.GetExtension(sourceUrl.AbsolutePath);   
                
                var blobClient = container.GetBlobClient(newFileName);
                blobClient.StartCopyFromUriAsync(sourceUrl);
                Console.WriteLine("Completed StartCopyFromUriAsync File Name:" + newFileName);
    
    
                newFileName = "testaa" + Guid.NewGuid() + Path.GetExtension(sourceUrl.AbsolutePath);
                var blobClientN = container.GetBlobClient(newFileName);
                blobClientN.SyncCopyFromUriAsync(sourceUrl);
    
                Console.WriteLine("Completed SyncCopyFromUriAsync File Name:" + newFileName);
                Console.ReadLine();
    
            }
        }
    }
    
    

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.