Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AZCOPY_AUTO_LOGIN_TYPE="MSI" fails due to host port number interfering with trusted domain suffix detection #2792

Open
ohads-MSFT opened this issue Aug 26, 2024 · 1 comment
Open

AZCOPY_AUTO_LOGIN_TYPE="MSI" fails due to host port number interfering with trusted domain suffix detection #2792

ohads-MSFT opened this issue Aug 26, 2024 · 1 comment
Assignees
@dphulkar-msft
Labels
bug

Comments

@ohads-MSFT
Copy link

ohads-MSFT commented Aug 26, 2024
edited
Loading

Which version of the AzCopy was used?

10.26.0

Which platform are you using? (ex: Windows, Mac, Linux)

Linux

What command did you run?

# In an ACI container with an associated USer-Assigned identity
`$env:AZCOPY_AUTO_LOGIN_TYPE = "MSI"`
azcopy copy "https://[account].blob.core.windows.net/[container]/[path/to/blob]?[SAS]" "https://[account].blob.core.windows.net/[container]/[path/to/blob]"

What problem was encountered?

failed to perform copy command due to error: the URL requires authentication. If this URL is in fact an Azure service, you can enable Azure authentication to XXX.blob.core.windows.net:443. To enable, view the documentation for the parameter --trusted-microsoft-suffixes, by running 'AzCopy copy --help'. BUT if this URL is not an Azure service, do NOT enable Azure authentication to it. Instead, see if the URL host supports authentication by way of a token that can be included in the URL's query string

It looks like the port number (which I didn't add/specify) is tripping up the suffix matching code:

azure-storage-azcopy/cmd/credentialUtil.go

Line 218 in 6413253

isResourceInSuffixList := func(suffixes []string) (string, bool) {

How can we reproduce the problem in the simplest way?

Run the command as above

Have you found a mitigation/solution?

Add --trusted-microsoft-suffixes "*.${StorageDnsSuffix}:443"

Output

INFO: Scanning...
INFO: Login with identity succeeded.
INFO: Authenticating to destination using Unknown, Please authenticate using Microsoft Entra ID ( https://aka.ms/AzCopy/AuthZ) , use AzCopy login, or append a SAS token to your Azure URL.

Log file

2024/08/26 18:47:46 AzcopyVersion 10.26.0
2024/08/26 18:47:46 OS-Environment linux
2024/08/26 18:47:46 OS-Architecture amd64
2024/08/26 18:47:46 Log times are in UTC. Local time is 26 Aug 2024 18:47:46
2024/08/26 18:47:46 Closing Log
2024/08/26 18:47:44 AzcopyVersion 10.26.0
2024/08/26 18:47:44 OS-Environment linux
2024/08/26 18:47:44 OS-Architecture amd64
2024/08/26 18:47:44 Log times are in UTC. Local time is 26 Aug 2024 18:47:44
2024/08/26 18:47:46 ISO 8601 START TIME: to copy files that changed before or after this job started, use the parameter --include-before=2024-08-26T18:47:39Z or --include-after=2024-08-26T18:47:39Z
2024/08/26 18:47:46 Authenticating to destination using Unknown, Please authenticate using Microsoft Entra ID ( https://aka.ms/AzCopy/AuthZ) , use AzCopy login, or append a SAS token to your Azure URL.
@ohads-MSFT ohads-MSFT changed the title AZCOPY_AUTO_LOGIN_TYPE fails due to host port number interfering with trusted domain suffix detection AZCOPY_AUTO_LOGIN_TYPE="MSI" fails due to host port number interfering with trusted domain suffix detection Aug 27, 2024
@ohads-MSFT ohads-MSFT mentioned this issue Aug 27, 2024
Open
@adreed-msft
Copy link
Member

We should trim the port here, would solve that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dphulkar-msft dphulkar-msft

Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
12 participants
@adreed-msft @vibhansa-msft @ohads-MSFT @dphulkar-msft and others