azcopy copy data from Google Cloud Storage to Azure Blob Storage fails

Blesgen, Markus 0 Reputation points
2024-06-26T07:32:30.69+00:00

I'm trying to copy data from Google Cloud Storage to Azure Blob Storage using azcopy.

I'm following the Microsoft documentation:

https://learn.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-google-cloud

export GOOGLE_APPLICATION_CREDENTIALS=<path-to-service-account-key>

azcopy copy 'https://storage.cloud.google.com/mybucket/myobject' 'https://mystorageaccount.blob.core.windows.net/mycontainer/myblob'

The error message appears:

RESPONSE 403: 403 This request is not authorized to perform this operation.

In the azcopy logs I can see that the data can be read from the Google Bucket. So logging in to Google seems to be working.

There is also no problem logging in to Azure Blob Storage.

I can copy local data from my workstation to Azure Blob Storage using the azcopy command.

Can anyone help?

Thank you

Markus

Azure Blob Storage
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
2,625 questions
{count} votes

4 answers

Sort by: Most helpful
  1. Nehruji R 4,606 Reputation points Microsoft Vendor
    2024-06-26T07:59:24.7533333+00:00

    Hello Blesgen, Markus,

    Greetings! Welcome to Microsoft Q&A Platform.

    The 403 error you’re encountering with AzCopy typically indicates that it is an authentication issue when trying to access a resource. "403" errors can be caused by authentication and authorization issues. They can also occur if requests are blocked by the storage account firewall configuration.

    refer this troubleshooting doc to resolve the issue - https://learn.microsoft.com/en-us/troubleshoot/azure/azure-storage/blobs/connectivity/storage-use-azcopy-troubleshoot#authentication-and-authorization-issues.

    ACLs are used by Azure Data Lake Storage Gen2 to provide granular control over files and directories. Make sure that the user account trying to access the data has the necessary read, write, or execute permissions set.

    you can check the following link for more details

    https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control.

    Ensure that the file you’re trying to upload is within the valid size range. Check if there are any restrictions on the maximum file size for the target Azure Blob Storage container.

    Also, check https://learn.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-google-cloud#handle-differences-in-object-naming-rules

    Please check if you provided the Storage Blob Data Contributor access role. Similar thread for reference - https://learn.microsoft.com/en-us/answers/questions/1146054/problem-with-azcopy.

    Hope this answer helps! Please let us know if you have any further queries. I’m happy to assist you further.


    Please "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    0 comments No comments

  2. Blesgen, Markus 0 Reputation points
    2024-06-26T08:41:11.1+00:00

    thanks for the quick reply

    The Blob Storage is "Enabled from all networks"

    In the SAS-Token I checked all options at "Allowed resource types"

    and all options at "Allowed permissions"

    Do I have to configure "Allowed IP addresses" also? I did not fill in this field.

    The error message from azcopy is:

    2024/06/26 08:36:43 ERR: [P#0-T#0] COPYFAILED: https://storage.cloud.google.com/azure-test-backup/deadletter.log.gz : 403 : 403 This request is not authorized to perform this operation.. When Put Blob from URL. X-Ms-Request-Id: f0f7139a-401e-00a4-26a3-c74db0000000

    0 comments No comments

  3. Blesgen, Markus 0 Reputation points
    2024-06-26T08:41:38.0733333+00:00

    Storage Blob Data Contributor access role is also set

    0 comments No comments

  4. Nehruji R 4,606 Reputation points Microsoft Vendor
    2024-06-26T09:28:05.3766667+00:00

    When working with Shared Access Signatures (SAS) in Azure Blob Storage, the “Allowed IP addresses” field is optional. If you leave it blank, the SAS token permits access from any IP address, effectively avoiding IP-based restrictions. However, if you want to restrict access to specific IP addresses or ranges, you’ll need to configure this field.

    Note that Azure Storage doesn’t store the SAS tokens; it validates them when it receives a request via the SAS URL. So generating separate tokens won’t invalidate or remove previous ones. Ensure that the new SAS tokens include the appropriate permissions (e.g., read, write, or delete) required for your specific operations.

    The request is declined If the SAS token is deemed invalid. If so, error code 403 (Forbidden) is returned. Hence, verify the SAS token settings and ensure that the correct permissions and IP addresses are configured. The error message you received indicates that the request is not authorized, likely due to missing or incorrect permissions or IP restrictions. Double-check your SAS token configuration and consider specifying the allowed IP addresses to address this issue.Hope this helps! Please let us know if you have any further queries. I’m happy to assist you further.


    Please "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    0 comments No comments