Uploading to Azure Blob Containers: AZCopy 403 Error

The Problem

  • Azure Explorer is uploading too slowly
  • AZCopy copy feature will not upload.  Error:  “RESPONSE Status: 403 This request is not authorized to perform this operation using this permission.”

Today, I was trying to upload a directory (1.3gb) of images to blob storage for public access. Though I often use Azure Storage Explorer for smaller uploads, it was proving impossible with this large directory. My connection came to a grinding halt and the files were taking impossibly long to upload.

So, upon research, I learned that AZCopy is much more efficient with larger data transfers and, after success, I found this to be true. However, using a direct URL as per the docs was giving me a 403 error, despite my being owner of the container and the container seeming to have proper permissions. So I decided to use a SAS key at the end of the URL (also in the docs) and then apply the azcopy copy command.

Below is how I proceeded to get it working.

The Solution

Tools used:

Quick and Dirty

After going through this, I would suggest this order first, and then see below for further troubleshooting.

Permissions

First, you must have access to write to your container. User access is controlled with RBAC (role-based access control) and can be changed using Azure Portal. This document shows clearly how to search for the user you want in IAM and how to grant them roles for the container. To upload (write), the user should have one of two roles: Owner or Storage Blob Data Contributor.

Get a URL + SAS Token

Open Azure Storage Explorer, right click the container you want to upload to and select “Get Shared Access Signature”.

Select the proper permissions to allow writing, click create and you should get a second screen with a URL to copy.

Copy the URL and save it for the next step.

Using AZCopy

After downloading AZCopy, I put the exe in a folder under C:/ and then logged in.

For login, I used azcopy login and it prompted me with a URL to go to and code to paste in.  Once done, my console confirmed the success of my login.

Next, I used the copy command to copy the folder from local hard drive to container using the URL I saved in the step above.  Here’s what the command looks like if you use the URL + SAS:

azcopy copy "c:\AZCopy\FolderIWantToCopy" "https://myaccount.blob.core.windows.net/mycontainer?bigSASkey" --recursive

Don’t forget your bigSASkey 🙂

Troubleshooting

1.  Check Azure Portal to make sure you (or the user wanting to upload) have the proper role on the container.  Here’s a screenshot of what it should look like:

2.  Make sure container has proper access using Azure Explorer:

Finally, consider creating a policy for that container (be sure to include a start date and an expiration date).  Then, you can use that policy as needed when you create the SAS URL.
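
A pre-flight check on the SAS URL can catch a missing write permission, a bad validity window or a policy-based token before azcopy is run. This is an added example, not part of the original post or of AzCopy; it reads the standard SAS query fields (sp, st, se, si, sig), and the function name check_sas_url and the sample URL are constructed for illustration.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

def _utc(value):
    # SAS times are ISO 8601 UTC, e.g. 2024-01-02T00:00:00Z
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def check_sas_url(url, now=None):
    """Return (findings, redacted_url) for an azcopy upload destination."""
    now = now or datetime.now(timezone.utc)
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    findings = []
    if "sig" not in q:
        findings.append("no SAS signature on the URL")
    if "si" in q:
        # Stored access policy: fields missing here are defined on the container.
        findings.append("uses stored access policy %r; verify it server-side" % q["si"])
    sp = q.get("sp")
    if sp is not None:
        if "w" not in sp:
            findings.append("sp=%s lacks write (w)" % sp)
        if "d" in sp:
            findings.append("sp=%s grants delete (d), not needed to upload" % sp)
    elif "si" not in q:
        findings.append("no sp (permissions) field")
    if "st" in q and _utc(q["st"]) > now:
        findings.append("not valid until %s (check clock skew)" % q["st"])
    if "se" in q:
        if _utc(q["se"]) <= now:
            findings.append("expired at %s" % q["se"])
    elif "si" not in q:
        findings.append("no se (expiry) field")
    # Never log the signature: it is the credential.
    redacted = re.sub(r"([?&]sig=)[^&]*", r"\1REDACTED", url)
    return findings, redacted

if __name__ == "__main__":
    # Constructed sample; account, container and signature are placeholders.
    sample = ("https://myaccount.blob.core.windows.net/mycontainer"
              "?sv=2022-11-02&sr=c&sp=rl&st=2024-01-01T00:00:00Z"
              "&se=2024-01-02T00:00:00Z&sig=CONSTRUCTED")
    problems, safe = check_sas_url(sample, datetime(2024, 1, 3, tzinfo=timezone.utc))
    print(safe)
    for p in problems:
        print(" -", p)
```

Only the redacted URL should go into tickets or logs, since anyone holding the full URL can use it until it expires.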

Extras

This entire process was to upload a large directory of files to make accessible to our customers.  For that, I used my BlobShare solution.