I have two storage accounts (A and B) and one identity (Id). I need to copy blob X from A->B but I'm having issues where the call to Start-AzStorageBlobCopy fails with 404 - The specified resource does not exist.
Some more context:
- Id is assigned Storage Blob Data Reader role to the container where X is stored in A (source).
- Id is assigned Storage Blob Data Contributor role to the resource group that has B (target).
- I'm creating both the source and target storage context using the -UseConnectedAccount switch.
- The source blob is definitely there, I verify within the same script via a call to Get-AzStorageBlob using the same context I use for the copy call.
I debugged with Fiddler and I see that the request goes to the target storage account. I'm guessing the issue is the bearer token it's passed doesn't get propagated to the request against the source? Anyone know how to make this work?
I cannot give Id more access in A, and using SAS tokens will not work unless I can generate them on-the-fly which seems like I cannot do for A either with the permissions it has.
Here's an extract of the relevant commands I'm using:
$targetContext = New-AzStorageContext -StorageAccountName $targetAccountName -UseConnectedAccount
$srcContext = New-AzStorageContext -StorageAccountName $sourceAccountName -UseConnectedAccount
#Verify $sourceBlob has the metadata for the source
$sourceBlob = Get-AzStorageBlob -Blob $blobName -Container $containerName -Context $srcContext
#Verifies that can write to target context
Set-AzStorageBlobContent -Context $targetContext -Container "vhds" -File "c:\test.txt" -Blob "test"
# Fails with 404
Start-AzStorageBlobCopy -SrcContainer $containerName -SrcBlob $blobName -Context $srcContext -DestContext $targetContext -DestContainer $containerName -DestBlob $blobName -Force