
Insufficient read or write permissions on storage account

Open sabmayahai opened this issue 5 years ago • 5 comments

Tried enabling SQL auditing using the CLI; it failed with the error "Insufficient read or write permissions on storage account '<storage_account_name>'", while the corresponding PowerShell command worked.

AZ CLI Command: [Did not work]

az sql db audit-policy update --name <db_name> --resource-group <rg_name> --server <sql_server_name> --retention-days 30 --storage-account <storage_account_name> --state Enabled --action SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP FAILED_DATABASE_AUTHENTICATION_GROUP

POWERSHELL Command [Worked]

Set-AzSqlDatabaseAudit -ResourceGroupName "<rg_name>" -ServerName "<sql_server_name>" -DatabaseName "<db_name>" -BlobStorageTargetState Enabled -StorageAccountResourceId "/subscriptions/***************/resourceGroups/<blob_rg_name>/providers/Microsoft.Storage/storageAccounts/<storage_account_name>" -AuditActionGroup SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP -RetentionInDays 30



sabmayahai avatar Sep 07 '20 08:09 sabmayahai

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @azureSQLGitHub.

ghost avatar Sep 07 '20 08:09 ghost

sql

yonzhan avatar Sep 07 '20 08:09 yonzhan

Is there any update? I have the same issue:

az sql server audit-policy update `
--name $ssName `
--state 'Enabled' `
--blob-storage-target-state 'Enabled' `
--retention-days '181' `
--actions 'BATCH_COMPLETED_GROUP' 'SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP' 'FAILED_DATABASE_AUTHENTICATION_GROUP' `
--storage-account $storageAccountName `
--resource-group $resourceGroup `
--subscription $subscription

The output is the same: Insufficient read or write permissions on storage account 'sapcpqdevsa'

I tried adding the bypass parameter: --bypass 'AzureServices' or --bypass 'Logging', but that didn't help. I found a recommendation to allow access from all networks in the Firewall configuration, but that is not an appropriate option for some situations.

taimish avatar Jun 10 '21 07:06 taimish

SQL service team should look into this.

yonzhan avatar Jun 10 '21 09:06 yonzhan

Mm.. I am still having this issue. It's been a long time. Have you found any solution?

Thanks!

aroca-opengov avatar Aug 26 '24 13:08 aroca-opengov