I've set up BLOB storage in Azure, and can do an "azcopy cp" command to successfully write BLOBs (I can browse to confirm that they are there).
However, any attempt to "azcopy list" with the SAME SAS fails with AuthorizationResourceTypeMismatch.
(I'm using an account-level SAS, and it has been assigned both read and write permissions.)
The transaction looks like this:
azcopy list "https://XXXX.blob.core.windows.net/XXXX/backups/2020-08?sv=2017-07-29&ss=b&srt=o&sp=rwdlac&se=2100-01-01&st=2020-01-01&spr=https&sig=REDACTED"
failed to traverse container: cannot list files due to reason -> github.com/Azure/azure-storage-blob-go/azblob.newStorageError, /home/vsts/go/pkg/mod/github.com/!azure/azure-storage-blob-go@v0.10.0/azblob/zc_storage_error.go:42
===== RESPONSE ERROR (ServiceCode=AuthorizationResourceTypeMismatch) =====
Description=This request is not authorized to perform this operation using this resource type.
RequestId:####
Time:2020-09-23T20:51:28.7187118Z, Details:
Code: AuthorizationResourceTypeMismatch
GET https://XXXX.blob.core.windows.net/XXXX?comp=list&delimiter=%2F&include=metadata&prefix=backups%2F2020-08%2F&restype=container&se=2100-01-01&sig=-REDACTED-&sp=rwdlac&spr=https&srt=o&ss=b&st=2020-01-01&sv=2017-07-29&timeout=901
User-Agent: [AzCopy/10.5.1 Azure-Storage/0.10 (go1.13; linux)]
X-Ms-Client-Request-Id: [####]
X-Ms-Version: [2019-02-02]
--------------------------------------------------------------------------------
RESPONSE Status: 403 This request is not authorized to perform this operation using this resource type.
Content-Length: [284]
Content-Type: [application/xml]
Date: [Wed, 23 Sep 2020 20:51:28 GMT]
Server: [Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0]
X-Ms-Client-Request-Id: [####]
X-Ms-Error-Code: [AuthorizationResourceTypeMismatch]
X-Ms-Request-Id: [####]
X-Ms-Version: [2019-02-02]
I've checked:
- That both read and write permissions are there - the URL says: sp=rwdlac
- The URL is identical between the "cp" and "list" (it is)
- The path is correct (tried it with and without the ending slash)
- That the copy actually DID succeed (it did)
- The azcopy cp and azcopy list are being executed from the exact same server
This is a token generated by terraform ("azurerm_storage_account_sas"), in case that matters (I did see some indications of problems with no time component on the st/se - but that seems to be a problem with azcopy parsing it, and I'm past that stage).
Is anyone able to give me any pointers on what I'm missing? It seems like this should be so simple?
Thanks in advance!