Copy blobs without sas tokens #2034
Comments
|
It looks like this isn't possible. Despite some operations are allowed to use AD AuthN, copy between accounts doesn't work with python sdk or azure cli. The error from azure-cli:
Python code: credential = ClientSecretCredential(tenant, app_id, app_secret)
source_account_url = "https://somesource.blob.core.windows.net/"
source_blob_service_client = BlobServiceClient(account_url=source_account_url, credential=credential)
container_name = "abc"
source_container_client = source_blob_service_client.get_container_client(container_name)
blob_name = "myfile_1M"
source_blob = source_container_client.get_blob_client(blob_name)
source_blob_url = source_blob.url
destination_account_url = "https://somedestination.blob.core.windows.net/"
destination_blob_service_client = BlobServiceClient(account_url=destination_account_url, credential=credential)
destination_blob = destination_blob_service_client.get_blob_client(container_name, source_blob.blob_name)
copy = destination_blob.start_copy_from_url(source_blob_url)Surprisingly it DOES work when using azcopy. I've verified the identity used has no permission to get the account keys (and hence can't generate a SAS internally), and that it doesn't download the blob and re-uploads it to the destination. |
tamirkamara
changed the title
|
Given the SDK/service limitations mentioned in the issue above this is not possible for us currently. |
Describe the bug
Today, in the Airlock processor, we use the SAS token for the source blob in order to copy the blob.
There might be an option to copy the containers without issuing a sas token. This issue is to see if possible and fix if it is.
The text was updated successfully, but these errors were encountered: