Authenticating azcopy or az storage cli to upload to Azurite docker emulator


I started an Azurite docker on local VM and then tried to copy data to it by azcopy and az CLI like below

export AZURE_STORAGE_ACCOUNT="devstoreaccount1"
export AZURE_STORAGE_ACCESS_KEY="Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw=="
azcopy copy /local/data/ http://localvm:10000/devstoreaccount1/data/test --from-to LocalBlob
INFO: Scanning...

failed to perform copy command due to error: Login Credentials missing. No SAS token or OAuth token is present and the resource is not public

I want to authenticate with the Account key and Account name and preferably be able to copy using azcopy. I scoured the GitHub and stack to find only one https://github.com/Azure/azure-storage-azcopy/issues/867 issue and there is nothing there regarding auth. It looks like I am missing something that's obvious. Your help will be much appreciated.

The versions used were: azure-cli 2.11.1, azcopy version 10.7.0

3

There are 3 answers

0
user7788539 On BEST ANSWER

I was able to get away with using az cli instead of azcopy.

export AZURE_STORAGE_CONNECTION_STRING="DefaultEndpointsProtocol=http;AccountName=devstoreaccount1;AccountKey=Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==;BlobEndpoint=http://azuritedockerhost:10000/devstoreaccount1;"
az storage blob upload -f local-file -c container-name -n dir/blob-name

Hope this helps someone. Plus it would be really nice to be able to use azcopy too, so if anybody finds out how, it will be greatly appreciated.

0
Dave B On

The Microsoft documentation 'Get started with AzCopy' indicates the following under the 'Run AzCopy' heading:

As an owner of your Azure Storage account, you aren't automatically assigned permissions to access data. Before you can do anything meaningful with AzCopy, you need to decide how you'll provide authorization credentials to the storage service.

Under the next heading 'Authorize AzCopy', the documentation states:

You can provide authorization credentials by using Azure Active Directory (AD), or by using a Shared Access Signature (SAS) token.

Even though you're accessing a local storage emulator (Azurite) on your local machine, the AzCopy app wants an OAuth token or SAS token. See this link to generate SAS tokens for local storage or online storage.

A SAS token must be appended to the destination parameter in the azcopy copy command. I use the Active AD (OAuth token) authorization credentials option so that I can run multiple azcopy commands without appending a SAS token to every command.

To resolve the AzCopy error you're getting "Failed to perform copy command due to error: Login Credentials missing. No SAS token or OAuth token is present and the resource is not public", enter the following into a command prompt or Windows PowerShell:

azcopy login --tenant-id=<your-tenant-directory-id-from-azure-portal>

and then follow the steps this command returns. Here's a reference to azcopy login. From the heading 'Authorize without a secret store' in this reference:

The azcopy login command retrieves an OAuth token and then places that token into a secret store on your system.

From 'Authorize a user identity' heading:

After you've successfully signed in, you can close the browser window and begin using AzCopy.

Use azcopy logout from a command prompt to stop any more AzCopy commands.

Here are the steps with screen captures for the login process as well as where to find a tenant ID to get the AzCopy login process going.

  1. Get tenant ID from the Azure portal.

  2. In a command prompt enter the azcopy login command along with the --tenant-id parameter.

  3. Follow the steps indicated in the command prompt: "...use a web browser to open the page https://microsoft.com/devicelogin and enter the code...".

  4. "A sign-in window will appear. In that window, sign into your Azure account by using your Azure account credentials."

  5. "After you've successfully signed in, you can close the browser window and begin using AzCopy."

You can run your original azcopy copy /local/data/ http://localvm:10000/devstoreaccount1/data/test --from-to LocalBlob without the need for the export entries in your question.

0
seanf On

AzCopy deliberately avoids support for account key authentication, because an account key has full admin privileges: https://github.com/Azure/azure-storage-azcopy/issues/186

The only workaround I have found so far is to generate a SAS (for the container) in Azure Storage Explorer, and then use the SAS URL with AzCopy.
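
The SAS workaround from the answers above, scripted with the az CLI instead of Storage Explorer. This is an added example, not code from any of the answers. It assumes the Azurite endpoint from the question (localvm:10000), an already existing container, az and azcopy on PATH, and GNU date; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not from the answers. Assumptions: Azurite blob endpoint from the
# question (localvm:10000), an existing container, az + azcopy on PATH, GNU date.
# Function names are hypothetical.
ACCOUNT="devstoreaccount1"
BLOB_ENDPOINT="${BLOB_ENDPOINT:-http://localvm:10000/$ACCOUNT}"

# Connection string in the shape the accepted answer uses; key comes from the env.
conn_string() {
  printf 'DefaultEndpointsProtocol=http;AccountName=%s;AccountKey=%s;BlobEndpoint=%s;' \
    "$ACCOUNT" "$AZURE_STORAGE_ACCESS_KEY" "$BLOB_ENDPOINT"
}

# Destination URL for azcopy: <endpoint>/<container>[/<prefix>]?<sas>
sas_url() {  # $1=container  $2=blob prefix (may be empty)  $3=SAS token
  local path="$1" sas="${3#\?}"          # tolerate a token with a leading '?'
  if [ -n "$2" ]; then path="$path/${2#/}"; fi
  printf '%s/%s?%s' "${BLOB_ENDPOINT%/}" "$path" "$sas"
}

# Hide the signature before a URL is echoed or written to a log.
redact_sas() {
  printf '%s\n' "$1" | sed -E 's/([?&]sig=)[^&]*/\1REDACTED/'
}

# Container-scoped SAS, computed locally by az from the account key.
mint_container_sas() {  # $1=container  $2=permissions  $3=lifetime in minutes
  local expiry
  expiry="$(date -u -d "+$3 minutes" '+%Y-%m-%dT%H:%MZ')"
  az storage container generate-sas --name "$1" --permissions "$2" \
    --expiry "$expiry" --connection-string "$(conn_string)" --output tsv
}

upload() {  # $1=local dir  $2=container  $3=blob prefix
  local sas url
  sas="$(mint_container_sas "$2" cw 15)" || return 1   # create+write, 15 minutes
  url="$(sas_url "$2" "$3" "$sas")"
  echo "uploading to $(redact_sas "$url")"
  azcopy copy "$1" "$url" --from-to LocalBlob --recursive
}

# Example: ./upload.sh /local/data data test
if [ "$#" -ge 2 ]; then upload "$@"; fi
```

The account key stays in the environment and is only handed to az; azcopy sees nothing but a 15-minute SAS limited to create and write on one container.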