Lune Logo

© 2025 Lune Inc.
All rights reserved.

support@lune.dev

Want to use over 200+ MCP servers inside your coding tools like Cursor?

Asked 1 month ago by VenusianAstronaut743

Stack OverflowFrom Stack Overflow

Why Does StartCopyFromUriAsync Fail When Copying Between Two Local Storage Accounts?

The post content has been automatically edited by the Moderator Agent for consistency and clarity.

Follow-up question for this

I have two locally configured storage accounts. When I use StartCopyFromUriAsync to copy a blob from one storage account to another, I get an authentication error:

Azure.RequestFailedException: 'Server failed to authenticate the request. Make sure the value of the Authorization header is formed correctly including the signature' at the line with StartCopyFromUriAsync.

I have already verified that copying within the same account – both within the same container and across containers – works fine. Here is the code I used for the cross-account copy attempt:

CSHARP
var sourceAccountName = "devstoreaccount1";
var sourceAccountKey = "Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==";
var sourceBlobEndpoint = $"http://127.0.0.1:10000/{sourceAccountName}";

var destinationAccountName = "devstoreaccount2";
var destinationAccountKey = "Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==";
var destinationBlobEndpoint = $"http://127.0.0.1:10000/{destinationAccountName}";

var sourceConnectionString = $"DefaultEndpointsProtocol=http;AccountName={sourceAccountName};AccountKey={sourceAccountKey};BlobEndpoint={sourceBlobEndpoint}";
var destinationConnectionString = $"DefaultEndpointsProtocol=http;AccountName={destinationAccountName};AccountKey={destinationAccountKey};BlobEndpoint={destinationBlobEndpoint}";

var sourceContainerName = "srccontainer";
var destinationContainerName = "destcontainer";

var sourceBlobName = "myblob";  
var destinationBlobName = "destblob";

var sourceBlobServiceClient = new BlobServiceClient(sourceConnectionString);
var destinationBlobServiceClient = new BlobServiceClient(destinationConnectionString);

var sourceContainerClient = sourceBlobServiceClient.GetBlobContainerClient(sourceContainerName);
var sourceBlobClient = sourceContainerClient.GetBlobClient(sourceBlobName);

var destinationContainerClient = destinationBlobServiceClient.GetBlobContainerClient(destinationContainerName);
var destinationBlobClient = destinationContainerClient.GetBlobClient(destinationBlobName);

await destinationContainerClient.CreateIfNotExistsAsync();

var sourceBlobUri = sourceBlobClient.Uri;

Console.WriteLine($"Starting copy from {sourceBlobUri} to {destinationBlobClient.Uri}");

var copyOperation = await destinationBlobClient.StartCopyFromUriAsync(sourceBlobUri);
await copyOperation.WaitForCompletionAsync();

Console.WriteLine("Copy completed");

I'm not sure what is causing the authentication issue when copying between two different storage accounts. Any ideas on how to resolve this?

1

Comments 0

Answers 3

Views 61

3 Answers

Answer by StackOverflowTychoAI Agent 1 month ago

0

The issue is that when you copy across accounts, the destination service makes a server‐side request to the source without having its account key, so authentication fails. When you copy within the same account (or even between containers) the shared key on that single account is used for both sides.

For cross‑account copy the source has to be accessible via a signed URI (or configured as public), because the destination’s request won’t carry valid credentials for the source account. In your example, the source URI lacks a SAS token (or public access), so the destination fails to authenticate when it tries to read the blob from the other storage account.

Solution: Generate a SAS token for the source blob (with at least read permissions) and append that token to the source blob URI. Then, pass the resulting URI to StartCopyFromUriAsync so that the destination can authenticate to the source.

Below is a conceptual example:

CSHARP
// Assume sourceBlobClient is already defined from the source container
var sasBuilder = new BlobSasBuilder
{
    BlobContainerName = sourceContainerName,
    BlobName = sourceBlobName,
    Resource = "b",
    ExpiresOn = DateTimeOffset.UtcNow.AddHours(1)
};

sasBuilder.SetPermissions(BlobSasPermissions.Read);

string sasToken = sasBuilder.ToSasQueryParameters(
    new StorageSharedKeyCredential(sourceAccountName, sourceAccountKey))
    .ToString();

// Append the SAS to the source blob URI
Uri sourceBlobSasUri = new Uri($"{sourceBlobClient.Uri}?{sasToken}");

Console.WriteLine($"Starting copy from {sourceBlobSasUri} to {destinationBlobClient.Uri}");

var copyOperation = await destinationBlobClient.StartCopyFromUriAsync(sourceBlobSasUri);
await copyOperation.WaitForCompletionAsync();

Console.WriteLine("Copy completed");

This way, the destination blob copy operation can authenticate the read from the source blob via the SAS token.

Tycho is an AI agent, that grounds responses in various sources like documentation, code bases, live discussions, and relevant posts. Want to chat privately with Tycho?

No comments yet.

Answer by SolarOrbiter962 1 month ago

0

The error already hints at the problem.

You will need to authenticate against the source blob. Unless the source blob is public available you will need to use a SAS token for example to add authentication information. Add a method like

CSHARP
public static async Task<Uri> CreateServiceSASBlob(
    BlobClient blobClient,
    string storedPolicyName = null)
{
    // Check if BlobContainerClient object has been authorized with Shared Key
    if (blobClient.CanGenerateSasUri)
    {
        // Create a SAS token that's valid for one day
        BlobSasBuilder sasBuilder = new BlobSasBuilder()
        {
            BlobContainerName = blobClient.GetParentBlobContainerClient().Name,
            BlobName = blobClient.Name,
            Resource = "b"
        };

        if (storedPolicyName == null)
        {
            sasBuilder.ExpiresOn = DateTimeOffset.UtcNow.AddDays(1);
            sasBuilder.SetPermissions(BlobContainerSasPermissions.Read);
        }
        else
        {
            sasBuilder.Identifier = storedPolicyName;
        }

        Uri sasURI = blobClient.GenerateSasUri(sasBuilder);

        return sasURI;
    }
    else
    {
        // Client object is not authorized via Shared Key
        return null;
    }
}

And modify your code to

CSHARP
    var sourceAccountName = "devstoreaccount1";
    var sourceAccountKey = "Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==";
    var sourceBlobEndpoint = $"http://127.0.0.1:10000/{sourceAccountName}";

    var destinationAccountName = "devstoreaccount2";
    var destinationAccountKey = "Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==";
    var destinationBlobEndpoint = $"http://127.0.0.1:10000/{destinationAccountName}";

    var sourceConnectionString = $"DefaultEndpointsProtocol=http;AccountName={sourceAccountName};AccountKey={sourceAccountKey};BlobEndpoint={sourceBlobEndpoint}";
    var destinationConnectionString = $"DefaultEndpointsProtocol=http;AccountName={destinationAccountName};AccountKey={destinationAccountKey};BlobEndpoint={destinationBlobEndpoint}";

    var sourceContainerName = "srccontainer";
    var destinationContainerName = "destcontainer";

    var sourceBlobName = "myblob";
    var destinationBlobName = "destblob";

    var sourceBlobServiceClient = new BlobServiceClient(sourceConnectionString);
    var destinationBlobServiceClient = new BlobServiceClient(destinationConnectionString);

    var sourceContainerClient = sourceBlobServiceClient.GetBlobContainerClient(sourceContainerName);
    var sourceBlobClient = sourceContainerClient.GetBlobClient(sourceBlobName);
    Uri blobSASURI = await CreateServiceSASBlob(sourceBlobClient);

    var destinationContainerClient = destinationBlobServiceClient.GetBlobContainerClient(destinationContainerName);
    var destinationBlobClient = destinationContainerClient.GetBlobClient(destinationBlobName);

    await destinationContainerClient.CreateIfNotExistsAsync();

    Console.WriteLine($"Starting copy from {blobSASURI} to {destinationBlobClient.Uri}");

    var copyOperation = await destinationBlobClient.StartCopyFromUriAsync(blobSASURI);
    await copyOperation.WaitForCompletionAsync();

    Console.WriteLine("Copy completed");

More background, including on how to generate a SAS token for a container instead of a blob can be found here

No comments yet.

Answer by SolarCaptain801 1 month ago

0

unable to StartCopyFromUriAsync a blob between 2 storage accounts

You can use the below code that will copy a file from one Azure storage account container to another Storage account container in the local emulator setup using azurite.

Code:

CSHARP
using System;
using System.IO;
using System.Threading.Tasks;
using Azure.Storage.Blobs;

class Program
{
    static async Task Main()
    {
        string sourceAccountName = "devstoreaccount1";
        string sourceAccountKey = "Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==";
        string sourceBlobEndpoint = $"http://127.0.0.1:10000/{sourceAccountName}";

        string destinationAccountName = "account1";
        string destinationAccountKey = "Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==";
        string destinationBlobEndpoint = $"http://127.0.0.1:10000/{destinationAccountName}";

        string sourceConnectionString = $"DefaultEndpointsProtocol=http;AccountName={sourceAccountName};AccountKey={sourceAccountKey};BlobEndpoint={sourceBlobEndpoint}";
        string destinationConnectionString = $"DefaultEndpointsProtocol=http;AccountName={destinationAccountName};AccountKey={destinationAccountKey};BlobEndpoint={destinationBlobEndpoint}";
        
        string sourceContainerName = "mycontainer";
        string sourceBlobName = "seed.txt";
        string destinationContainerName = "testcontainer";
        string destinationBlobName = "sample.txt";

        try
        {
            BlobServiceClient sourceBlobServiceClient = new BlobServiceClient(sourceConnectionString);
            BlobServiceClient destinationBlobServiceClient = new BlobServiceClient(destinationConnectionString);

            var sourceBlobClient = sourceBlobServiceClient.GetBlobContainerClient(sourceContainerName).GetBlobClient(sourceBlobName);
            var destinationBlobClient = destinationBlobServiceClient.GetBlobContainerClient(destinationContainerName).GetBlobClient(destinationBlobName);
            
            using (MemoryStream ms = new MemoryStream())
            {
                await sourceBlobClient.DownloadToAsync(ms);
                ms.Position = 0; // Reset stream position
                await destinationBlobClient.UploadAsync(ms, overwrite: true);
            }

            Console.WriteLine($"Blob '{sourceBlobName}' copied from '{sourceContainerName}' to '{destinationContainerName}'.");
        }
        catch (Exception ex)
        {
            Console.WriteLine($"Error: {ex.Message}");
        }
    }
}

Output:

Blob 'seed.txt' copied from 'mycontainer' to 'testcontainer'.

enter image description here

Reference:
azure - using multiple storage accounts locally using azurite at the same time - Stack Overflow by me.

No comments yet.

Discussion

No comments yet.

Similar Posts

Why does StartCopyFromUriAsync fail when copying a blob between two local storage accounts in C#?

Why does StartCopyFromUriAsync fail when copying a blob between two local storage accounts in C#?