@Huang, Winston-HR - Welcome to Microsoft Q&A Forum, thank you for posting your query here!!
Make sure you service principle have proper RBAC role i.e Storage blob data contributor in order to perform the copy operation across storage accounts.
Reference Link: https://learn.microsoft.com/en-us/azure/storage/common/storage-ref-azcopy-login#examples
You can follow below steps to perform the copy operation through Azcopy using service principal.
1. Creating a service principal
To create a service principal we will use Cloud Shell on Azure Portal using the az ad sp create-for-rbac command. The below command will provide an Azure Storage data access role to assign to the new service principal. Additionally, provide the scope for the role assignment. For more information about the built-in roles provided for Azure Storage, see Azure built-in roles. Note: Save the output of the create SPN command.az ad sp create-for-rbac `
--name <service-principal> `
--role "Storage Blob Data Contributor" `
--scopes /subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>
Creating service principal
Assigning roles to service principal
Once the Service Principal is created, we also need to grant ‘Reader’ role on the storage account to the service principal. This will grant the SPN read access to storage resource at subscription level. Please refer to our documentation on assigning roles for access to blob. https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-rbac-portal
az role assignment create --assignee "<appId>" `
--role "Reader" `
--scope "/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>"
Role assignments
2. Using service principal with AzCopy
AzCopy is a command-line tool that moves data into and out of Azure Storage. To learn more about AzCopy please refer the official documentation.
Login as service principal
Next we will login as the service principal in AzCopy using the azcopy login command. The values for options application-id, tenant-id and AZ_COPY_CLIENT_SECRET, will be available on step 1 after creating the service principal.$env:AZCOPY_SPA_CLIENT_SECRET="$(Read-Host -prompt "Enter key")"
azcopy login `
--service-principal `
--application-id "<appId>" `
--tenant-id "<tenantId>"
AzCopy login
Performing copy operations
Once sucessfully logged in, we can upload and download files using OAuth authentication of the service principal with azcopy copy command.
Upload exampleazcopy copy "/path/to/file.txt" "https://[account].blob.core.windows.net/[container]/[path/to/blob]"
Upload blob with AzCopy
Hope this helps!
Kindly let us know if the above helps or you need further assistance on this issue.
-------------------------------------------------------------------------------------------------------------please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.