Uploading from Azure DevOps Pipeline to Azure blob storage containers is filing with 403 permissionmismatch error.

Question

We are experiencing a 403 AuthorizationPermissionMismatch error when attempting to upload a file to an Azure Blob Storage container using azcopy with a service principal. Despite successful authentication, the request is denied due to permission mismatch.

INFO: Authentication failed, it is either not correct, or expired, or does not have the correct permission

PUT https://abc.blob.core.windows.net/abc/Tele.hex

---

RESPONSE 403: 403 This request is not authorized to perform this operation using this permission.

ERROR CODE: AuthorizationPermissionMismatch

---

Azure Service Principal has storage Blob data owner permissions for the Storage account.
The ARM service connection is authenticated successfully on Azure DevOps side.

The network Setting is set to allow all, The Blob Storage Container has racwdl permissions.

Verified:

Verified Service Principal Authentication:
Checked Role Assignments:
Checked Storage Account Network Rules:

Answer 1

Hello Ahsaan Mukhi,

The 403 AuthorizationPermissionMismatch error you are encountering when using azcopy to upload a file to Azure Blob Storage typically indicates that the service principal does not have the necessary permissions for the operation you are trying to perform. Even though you mentioned that the service principal has "storage Blob data owner" permissions, it's important to ensure that the following are correctly configured:

1. Role Assignment: Verify that the service principal is assigned the correct role at the appropriate scope (at the storage account level and the container(data)level).
2. SAS Token or Authentication Method: If you are using a Shared Access Signature (SAS) token, ensure that it includes the necessary permissions (read, write, delete, etc.) and that it is not expired.
3. Access Control Lists (ACLs): If you are using ACLs, ensure that the service principal is included in the ACL entries for the blob or container and has the appropriate permissions.
4. Azure RBAC: If using Azure Role-Based Access Control (RBAC), confirm that the service principal has the required roles assigned, such as "Storage Blob Data Contributor" or "Storage Blob Data Owner" and at least "Reader" at the resource level.

References:

• Troubleshoot issues in AzCopy v10
• Authorize access to blobs and files with AzCopy and Microsoft Entra ID

---

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.           

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.

Answer 2

Hi Ahsaan Mukhi

I suggest you test this by assigning the IAM permissions to the Service Principal through Resource Group also.

Get the service principal details and assign the similar IAM permissions to the Service Principal from Resources Group as shown above. After the change, you may have a try again accessing the blob

Hope this helps.

---

--please don't forget to upvote and Accept as answer if the reply is helpful--

Answer 3

Hi Ahsaan Mukhi

I guess, in addition to the Blob data owner permissions, you also need to assign the IAM role 'Storage Blob Data Contributor' to the Service Principal

Hope this helps.

---

--please don't forget to upvote and Accept as answer if the reply is helpful--