Share via

Redis import: "Not Found. There was no storage account called '<redacted>' in the Azure region 'Brazil South'"

Eduardo Kalinowski 20 Reputation points
2024-10-23T17:39:02.4333333+00:00

Our automated Redis import started failing with this message:

Not Found. There was no storage account called '<redacted>' in the Azure region 'Brazil South'.

Our process is as follows:

  1. Generate a SAS url:
    sas_url=$(az storage blob generate-sas \
                 -o tsv \
                 --account-name $AZ_ACCOUNT_NAME \
                 --account-key $AZ_ACCOUNT_KEY \
                 --container-name $AZ_CONTAINER_NAME \
                 --name db \
                 --permissions r \
                 --start $(date_plus_minutes -20) \
                 --expiry $(date_plus_minutes 120) \
                 --full-uri)
  1. Login with service principal:
    az login \
       --service-principal \
       -u $AZ_SP_ID \
       -p $AZ_SP_PASS \
       --tenant $AZ_SP_TENANT
  1. Import:
    az redis import \
       --ids $REDIS_ID \
       --files $sas_url

The Redis server and the storage account are in the same subscription and resource group.

This process worked fine until 11th October, and has failed since 14th October. (It did not run on the 12th and 13th.)

The process works if I start the import from the web interface, and it also worked from the command-line when I used my account instead of the service principal.

The date when this started to fail is the same as in the very similar question https://learn.microsoft.com/en-us/answers/questions/2104567/suddenly-unable-to-access-blob-storage-using-sas-t.

Following the suggestions on that question, I verified that when logged in as the service principal, az storage account list does not list the storage account (even though the service principal has the Storage Blob Data Contributor role in that account), but I'm not sure that it matters - the SAS token should grant access to users who wouldn't ordinarily have access, right? I have confirmed that by opening the URL and was able to download the file even when not logged in to Azure.

One thing I noticed is that in the web interface the Redis server is listed as "Location: Brazil South" and the storage account as "Location: brazilsouth". I'm not sure this is relevant, however, given that I was able to upload from the command line with a regular user.

Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
3,292 questions
Azure Blob Storage
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
3,003 questions
Azure Cache for Redis
Azure Cache for Redis
An Azure service that provides access to a secure, dedicated Redis cache, managed by Microsoft.
264 questions
Accepted answer
  1. KarishmaTiwari-MSFT 20,307 Reputation points Microsoft Employee
    2024-10-29T00:31:29.2766667+00:00

    @Eduardo Kalinowski

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

    Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept " the answer. Accepted answers show up at the top, resulting in improved discoverability for others.

    Issue: Redis import: "Not Found. There was no storage account called '<redacted>' in the Azure region 'Brazil South'"

    Solution: The issue was solved by adding the 'Reader' role to the service principal in the storage account.

    If your issue remains unresolved or have further questions, please let us know in the comments how we can assist. We are here to help you and strive to make your experience better and greatly value your feedback.

    0 comments

4 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. hossein jalilian 9,310 Reputation points
    2024-10-23T17:43:38.2066667+00:00

    Thanks for posting your question in the Microsoft Q&A forum.

    • Ensure the Service Principal has the "Contributor" role (or a custom role with equivalent permissions) on the Redis cache resource.
    • Confirm that the Redis cache and storage account are in the same region
    • Instead of relying on Azure to find the storage account by name, try using the full resource ID of the storage account in your SAS URL generation

    Run your commands with the --debug flag to get more detailed output, which might provide additional insights into the issue

    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful

  2. Joenorwood1973@gmail.com 0 Reputation points
    2024-10-23T17:50:47.2333333+00:00

    az redis import \

       --ids $REDIS_ID \

       --files $sas_url
    0 comments
  3. Vinod Kumar Reddy Chilupuri 1,915 Reputation points Microsoft Vendor
    2024-10-24T10:39:17.43+00:00

    Hi Eduardo Kalinowski,

    Welcome to Microsoft Q&A, thanks for posting your query.

    Based on the information you have provided, it looks like the issue is related to the service principle not having the access to the storage account, even you are having the Storage Blob Data Contributor role. The issue is occurring due to the permission issue or a problem with the authentication token.

    • Since the SAS token works when accessed in the private window, it is mostly that the issue is not with the SAS token itself. Anyway, it is a better approach to check if the SAS token has the correct permission and format, also verify the system time on the machine generating the SAS token.
    • The Redis server and the storage account are in the same region, it is possible that the issue is related to the difference in the location names between the Redis server and the storage account in the web interface. But the exact process used to work until some days ago, it is possible that the issue is raised because the recent change in the environment.
    • Since the error message shows that there is no storage account called '<redacted>' in the Azure region 'Brazil South', it's important to verify that the storage account exists in the specified region and that the service principal has the necessary permissions to access the storage account. You can use the Azure CLI to list the storage accounts in the resource group and verify that the storage account exists in the specified region.
    • If the storage account exists and the service principle has the required permissions, you can try regenerating the new SAS token and again upload the data. You can also try using the different authentication method such as managed identity or shared access signature. See if it resolves the issue.

    Go through the below documentation for more information.

    Reference:

    Import and Export data in Azure Cache for Redis - Azure Cache for Redis | Microsoft Learn

      

    Please let us know if you have any further queries. I’m happy to assist you further. 

    Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members. 

    0 comments
  4. Eduardo Kalinowski 20 Reputation points
    2024-10-25T16:04:55.6933333+00:00

    The issue was solved by adding the 'Reader' role to the service principal in the storage account.

    Why this was necessary I don't know, since the service principal already had the 'Storage Blob Data Contributor' role. And the use of a SAS token suggests that no role should be necessary. Moreover, I don't think any changes were made to the permissions by our organization, so it seems something changed on Azure that caused further permissions to be required.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.