I'm seeing numerous related questions here on SE on SAS tokens, but not this scenario.
I've created a SAS token with only read and list permissions, which appear to be all that is required from the Microsoft doc "Create an Account SAS: Account SAS permissions by operation" for the "List Blobs" and "Get Blob" operations. When I use azcopy to download to an Azure VM (with a public IP permitted by the storage account), I get the error "Cannot list blobs".
What permissions does my SAS token need to do this? Shouldn't read and list be sufficient?
The SAS token (see redacted below), includes:
- SignedService: ss=b (blob)
- SignedResourceTypes: srt=co (container, object)
- SignedPermission: sp=rl (read, list)
Note that although I am trying to copy a single file, I am using the --recursive flag as a workaround to an unrelated issue with copying single files.
Here is the azcopy output (version 10.3.4):
myazurehost[/home/user]<180> azcopy copy "$AZ_STORAGE_URL/server-backups/backup.tar.gz$AZ_SAS_KEY" /tmp --recursive
INFO: Scanning...
failed to perform copy command due to error: cannot start job due to error: cannot list blobs. Failed with error -> github.com/Azure/azure-storage-blob-go/azblob.newStorageError, /home/vsts/go/pkg/mod/github.com/!azure/[email protected]/azblob/zc_storage_error.go:42
===== RESPONSE ERROR (ServiceCode=AuthorizationFailure) =====
Description=This request is not authorized to perform this operation.
RequestId:-----------------------------
Time:2020-11-23T15:56:16.0747148Z, Details:
Code: AuthorizationFailure
GET https://mystorageaccount.blob.core.windows.net/server-backups?comp=list&include=metadata&prefix=backup.tar.gz%2F&restype=container&se=2025-11-23t23%3A44%3A28z&sig=-REDACTED-&sp=rl&spr=https&srt=co&ss=b&st=2020-11-23t15%3A44%3A28z&sv=2019-12-12&timeout=901
User-Agent: [AzCopy/10.3.4 Azure-Storage/0.7 (go1.13; linux)]
X-Ms-Client-Request-Id: [-----------------------------]
X-Ms-Version: [2018-03-28]
--------------------------------------------------------------------------------
RESPONSE Status: 403 This request is not authorized to perform this operation.
Content-Length: [246]
Content-Type: [application/xml]
Date: [Mon, 23 Nov 2020 15:56:15 GMT]
Server: [Microsoft-HTTPAPI/2.0]
X-Ms-Error-Code: [AuthorizationFailure]
X-Ms-Request-Id: [-----------------------------]
Exact SAS token (redacted signature):
?sv=2019-12-12&ss=b&srt=co&sp=rl&se=2025-11-23T23:44:28Z&st=2020-11-23T15:44:28Z&spr=https&sig=REDACTED
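
As an added example (not part of the original question), the Python below decodes the posted account SAS and checks its ss, srt, sp, st and se fields against the documented requirements for List Blobs and Get Blob at the logged request time. The function names are assumptions made for this illustration, and the requirement table covers only these two operations.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs

SERVICES = {"b": "blob", "q": "queue", "t": "table", "f": "file"}
RESOURCE_TYPES = {"s": "service", "c": "container", "o": "object"}
PERMISSIONS = {"r": "read", "w": "write", "d": "delete", "l": "list",
               "a": "add", "c": "create", "u": "update", "p": "process"}
# (service, resource type, permission) needed by the two operations in the question.
REQUIRED = {"List Blobs": ("b", "c", "l"), "Get Blob": ("b", "o", "r")}

# Token and request time as posted in the question (signature redacted).
PAGE_TOKEN = ("?sv=2019-12-12&ss=b&srt=co&sp=rl&se=2025-11-23T23:44:28Z"
              "&st=2020-11-23T15:44:28Z&spr=https&sig=REDACTED")
REQUEST_TIME = datetime(2020, 11, 23, 15, 56, 16, tzinfo=timezone.utc)

def parse_time(value):
    # SAS times are ISO 8601 UTC; the azcopy log shows them lowercased.
    parsed = datetime.strptime(value.upper(), "%Y-%m-%dT%H:%M:%SZ")
    return parsed.replace(tzinfo=timezone.utc)

def decode_account_sas(token):
    """Turn an account SAS query string into readable fields."""
    q = {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}
    return {
        "services": [SERVICES.get(c, c) for c in q["ss"]],
        "resource_types": [RESOURCE_TYPES.get(c, c) for c in q["srt"]],
        "permissions": [PERMISSIONS.get(c, c) for c in q["sp"]],
        "start": parse_time(q["st"]) if "st" in q else None,
        "expiry": parse_time(q["se"]),
        "raw": q,
    }

def check(token, operation, at):
    """List the reasons the SAS fields would not cover `operation` at time `at`."""
    sas = decode_account_sas(token)
    wanted = dict(zip(("ss", "srt", "sp"), REQUIRED[operation]))
    names = {"ss": SERVICES, "srt": RESOURCE_TYPES, "sp": PERMISSIONS}
    problems = [f"{field} lacks {names[field][letter]}"
                for field, letter in wanted.items() if letter not in sas["raw"][field]]
    if sas["start"] and at < sas["start"]:
        problems.append("not valid before st")
    if at > sas["expiry"]:
        problems.append("expired (se)")
    return problems

if __name__ == "__main__":
    for op in REQUIRED:
        print(op, check(PAGE_TOKEN, op, REQUEST_TIME) or "covered by token")
```

An empty list from `check` means those fields cover the operation at that time; the signature itself is not validated.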