Share via

accessiong the secondary on a ra-gzrs storage account with an sql restore.

Tony Roth 0 Reputation points
2026-02-17T14:39:26.53+00:00

so I can list the contents via azcopy -list but I can't do a sql db restore from it, get an access denied error, I have tried with sp=r and sp=rl but no luck. I know the sastoken is correct since i use the same token for the azcopy -list, any ideas.

thanks

Azure Blob Storage
Azure Blob Storage

An Azure service that stores unstructured data in the cloud as blobs.

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Praveen Bandaru 10,720 Reputation points Microsoft External Staff Moderator
    2026-02-17T16:40:39.1866667+00:00

    Hello **Tony Roth
    **I understand that you are facing issue with restoring an Azure SQL Database from a secondary (geo-replication) location due to access denied errors.

    1. Please share the error screen shot for further investigation on the issue.
    2. Are you currently working with a primary or geo-secondary database?
    3. Have you attempted to initiate a failover to the geo-secondary?

    Backups for Azure SQL Databases are handled by Microsoft, and geo-secondary databases do not allow direct restores from their backups. To restore, you must first fail over the geo-secondary database and make it the primary.

     

    • If you encounter the BlockRestoreOnVldbGeoSecondary error, promote the geo-secondary database to primary by initiating a failover through the Azure portal, T-SQL, PowerShell, or Azure CLI.
    • Once the failover is complete, you can proceed with the restore operation from the new primary database.
    • Check the below reference document for more understanding:

    https://learn.microsoft.com/en-us/azure/azure-sql/database/recovery-using-backups?view=azuresql&tabs=azure-portal

    I have also initiated a private message. Please check it and provide the necessary information so we can discuss further on your concern.

    0 comments
  2. Q&A Assist
    2026-02-17T14:39:37.34+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    It sounds like you're encountering issues with permissions when trying to restore a SQL database from an Azure Blob Storage account using a SAS token. Here are a few things to check:

    1. SAS Token Permissions: Ensure that the SAS token you are using has the correct permissions for both reading (sp=r) and listing (sp=l) the contents of the storage account. Since you mentioned using both sp=r and sp=rl, ensure that the token is not expired and is correctly formatted.
    2. Network Access: Verify that there are no network access restrictions that might be blocking the SQL Server from accessing the Azure Blob Storage. Ensure that the SQL Server has the necessary outbound access to the storage account.
    3. Firewall Settings: Check if the Windows Firewall settings on the host where SQL Server is running allow outbound connections to the Azure Blob Storage.
    4. Storage Account Configuration: Make sure that the storage account is configured to allow access from the SQL Server. This includes checking service endpoints and ensuring that the SQL Server is in the same virtual network if applicable.
    5. Error Messages: If you receive specific error messages during the restore operation, those can provide additional clues. For example, if the error indicates access is denied, it may point to an issue with the SAS token or network configuration.

    If everything seems correct and you are still facing issues, consider regenerating the SAS token and trying again.

    References:

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.