I think that the authentication mechanism you're using is not correct for the operation you want to perform.
You are using Managed Service Identity for authentication, but Azure Blob Storage expects the Authorization header to be properly signed with the correct signature and not with a bearer token. The error indicates that the Bearer token method is not supported in this context.
For the PUT operation to copy the blob, you need to use the correct signature, which involves creating a Shared Access Signature (SAS) for the source blob, or the operation must be authenticated using the appropriate service account key.
Azure Storage supports copying a blob from one account to another by sending a PUT request to the target blob's URI, along with the x-ms-copy-source header pointing to the source blob's SAS URI. However, this requires a valid SAS token, or it must be done with correct authentication via an account key.
What is recommended?
You must create a SAS token for the source blob, which you will use in the x-ms-copy-source header. The SAS token should allow reading the source blob and should have appropriate permissions (r for read access).
Steps to create SAS for the source blob:
- Go to the Azure portal.
- Navigate to your source storage account and locate the blob.
- Generate a SAS token with read access (r) for the blob.
Example x-ms-copy-source header:
x-ms-copy-source: https://<source-storage-account>.blob.core.windows.net/<source-container>/<source-blob>?<sas-token>
Since you're using Logic Apps, ensure that the managed identity you are using has the necessary permissions to perform the copy operation. You can configure these permissions at the target storage account (assign a Storage Blob Data Contributor role to the managed identity).
When using the PUT method to copy the blob, ensure the following headers:
- x-ms-copy-source: The SAS URL to the source blob.
- x-ms-date: The current date in GMT.
- x-ms-version: A valid storage API version (e.g., 2019-02-02).
- x-ms-blob-type: BlockBlob (or the correct type depending on the blob).
    {
      "uri": "https://<target-storage-account>.blob.core.windows.net/<target-container>/<target-blob>",
      "method": "PUT",
      "headers": {
        "Authorization": "<account-key-or-SAS>",
        "x-ms-date": "Tue, 14 Jan 2025 11:11:50 GMT",
        "x-ms-version": "2019-02-02",
        "Content-Length": "0",
        "x-ms-copy-source": "https://<source-storage-account>.blob.core.windows.net/<source-container>/<source-blob>?<sas-token>",
        "x-ms-blob-type": "BlockBlob"
      },
      "authentication": {
        "audience": "https://storage.azure.com/",
        "identity": "<Managed Identity>",
        "type": "ManagedServiceIdentity"
      }
    }
If the REST API approach continues to be troublesome, you can also use the Copy Blob action in Azure Logic Apps. Even though you mentioned you can't use it due to the blob size, you could try breaking the blob into smaller parts or consider other workarounds to manage large files.
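
An added example, not part of the original answer: a pre-flight check that a source SAS URL is read-only, blob-scoped, HTTPS-only and short-lived before it goes into x-ms-copy-source, plus a redactor so the signature stays out of logs. The function names, the one-hour lifetime policy and the sample URL are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime
from urllib.parse import parse_qs, urlsplit

MAX_LIFETIME = timedelta(hours=1)  # assumed local policy, not an Azure limit

def check_source_sas(url, now):
    """Return the problems found in a source-blob SAS URL (empty list = acceptable)."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    problems = []
    if urlsplit(url).scheme != "https":
        problems.append("URL scheme is not https")
    if "sig" not in q:
        problems.append("no sig parameter, so this is not a SAS URL")
    if q.get("sp") != "r":  # the copy source only has to be readable
        problems.append(f"sp={q.get('sp')!r}, expected read-only 'r'")
    if q.get("sr") != "b":  # 'b' scopes the token to one blob, 'c' to a container
        problems.append(f"sr={q.get('sr')!r}, expected blob scope 'b'")
    if q.get("spr") != "https":
        problems.append("spr is not 'https', token is also valid over http")
    try:  # assumption: expiry written as YYYY-MM-DDThh:mm:ssZ (other ISO forms exist)
        expiry = datetime.strptime(q.get("se", ""), "%Y-%m-%dT%H:%M:%SZ")
        expiry = expiry.replace(tzinfo=timezone.utc)
    except ValueError:
        problems.append("se missing or not in YYYY-MM-DDThh:mm:ssZ form")
    else:
        if expiry <= now:
            problems.append("token already expired")
        elif expiry - now > MAX_LIFETIME:
            problems.append(f"token lives longer than {MAX_LIFETIME}")
    return problems

def redact(url):
    """Hide the signature so the URL can be written to run history or logs."""
    return re.sub(r"(?<=[?&]sig=)[^&]+", "REDACTED", url)

def copy_headers(source_sas_url, now):
    """Build the Copy Blob headers listed above, refusing an over-privileged SAS."""
    problems = check_source_sas(source_sas_url, now)
    if problems:
        raise ValueError(f"{redact(source_sas_url)}: {'; '.join(problems)}")
    return {"x-ms-copy-source": source_sas_url,
            "x-ms-date": format_datetime(now, usegmt=True),
            "x-ms-version": "2019-02-02", "x-ms-blob-type": "BlockBlob"}

# Constructed sample: placeholder account, container, blob and signature.
SAMPLE = ("https://srcacct.blob.core.windows.net/c/b.bin?sv=2019-02-02&sr=b&sp=r"
          "&spr=https&se=2025-01-14T11%3A41%3A50Z&sig=CONSTRUCTED")
```

Pass a timezone-aware UTC `now`, for example `datetime.now(timezone.utc)`; the check does not verify the signature itself, only the permissions and lifetime the token claims.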