s3proxy

CopyBlob fails on azureblob-sdk with managed identity

Open hermandavid opened this issue 2 weeks ago • 3 comments

When using managed identity with azureblob-sdk, server-side copy fails with the following error.

java.lang.NullPointerException: The argument must not be null or an empty string. Argument name: storageSharedKeyCredentials.
	at com.azure.storage.common.implementation.StorageImplUtils.assertNotNull(StorageImplUtils.java:174)
	at com.azure.storage.blob.implementation.util.BlobSasImplUtil.generateSas(BlobSasImplUtil.java:167)
	at com.azure.storage.blob.specialized.BlobClientBase.generateSas(BlobClientBase.java:2454)
	at com.azure.storage.blob.specialized.BlobClientBase.generateSas(BlobClientBase.java:2435)
	at com.azure.storage.blob.specialized.BlobClientBase.generateSas(BlobClientBase.java:2406)
	at org.gaul.s3proxy.azureblob.AzureBlobStore.copyBlob(AzureBlobStore.java:461)
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(Unknown Source)
	at java.base/java.lang.reflect.Method.invoke(Unknown Source)
	at com.google.inject.internal.DelegatingInvocationHandler.invoke(DelegatingInvocationHandler.java:50)
	at jdk.proxy2/jdk.proxy2.$Proxy54.copyBlob(Unknown Source)
	at org.gaul.s3proxy.S3ProxyHandler.handleCopyBlob(S3ProxyHandler.java:1903)
	at org.gaul.s3proxy.S3ProxyHandler.doHandle(S3ProxyHandler.java:766)
	at org.gaul.s3proxy.S3ProxyHandlerJetty.handle(S3ProxyHandlerJetty.java:80)
	at org.gaul.shaded.org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
	at org.gaul.shaded.org.eclipse.jetty.server.Server.handle(Server.java:563)
	at org.gaul.shaded.org.eclipse.jetty.server.HttpChannel$RequestDispatchable.dispatch(HttpChannel.java:1598)
	at org.gaul.shaded.org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:753)
	at org.gaul.shaded.org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:501)
	at org.gaul.shaded.org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:287)
	at org.gaul.shaded.org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314)
	at org.gaul.shaded.org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
	at org.gaul.shaded.org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
	at org.gaul.shaded.org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:421)
	at org.gaul.shaded.org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:390)
	at org.gaul.shaded.org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:277)
	at org.gaul.shaded.org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.run(AdaptiveExecutionStrategy.java:199)
	at org.gaul.shaded.org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:411)
	at org.gaul.shaded.org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:969)
	at org.gaul.shaded.org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1194)
	at org.gaul.shaded.org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1149)
	at java.base/java.lang.Thread.run(Unknown Source)

hermandavid avatar Dec 11 '25 14:12 hermandavid

@klaudworks could you look at this?

gaul avatar Dec 11 '25 18:12 gaul

@gaul sure!

klaudworks avatar Dec 11 '25 18:12 klaudworks

@hermandavid I pinpointed the issue. However, Azure seems to have a small hiccup at my end. Will implement and verify a fix tomorrow.

klaudworks avatar Dec 11 '25 22:12 klaudworks

Thank you. I can help with testing if needed.

hermandavid avatar Dec 12 '25 12:12 hermandavid

I'm still stuck with different kinds of infinite loading screens such as this beauty. Couldn't manage to create a storage account on my personal Azure account yet.

Image

You could speed up the resolution significantly by providing me with a VM that has a managed identity assigned with access to a test storage account. This is an ssh public key that you could put into ~/.ssh/authorized_keys in the VM.

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICA069QluETGh7Ljoc4UxQSk4sWFcnvUS1O6MENLp2IN

Once the VM is ready just send me user@ip. That would help me replicate the issue and to actually test a fix.

klaudworks avatar Dec 12 '25 20:12 klaudworks

@klaudworks

I don't have any environment I could give you access to. But I can test some code on my side if necessary.

hermandavid avatar Dec 15 '25 11:12 hermandavid

@hermandavid okay, I'll provide you with a "best effort" implementation and you'll test it?

klaudworks avatar Dec 15 '25 12:12 klaudworks