Skip to content

Fix server-side copy with Managed Identity in AzureBlobStore #944

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
gaul merged 1 commit into from
Dec 19, 2025
Merged

Fix server-side copy with Managed Identity in AzureBlobStore #944

gaul merged 1 commit into from
Dec 19, 2025

Conversation

@klaudworks
Copy link
Contributor

@klaudworks klaudworks commented Dec 16, 2025
edited
Loading

Summary

Fix NullPointerException when performing server-side blob copy operations using Managed Identity with the azureblob-sdk provider. See also issue #939.

Problem

When AzureBlobStore is configured with Managed Identity, the copyBlob method fails with:

java.lang.NullPointerException: The argument must not be null or an empty string. Argument name: storageSharedKeyCredentials.
    at com.azure.storage.common.implementation.StorageImplUtils.assertNotNull(StorageImplUtils.java:174)
    at com.azure.storage.blob.implementation.util.BlobSasImplUtil.generateSas(BlobSasImplUtil.java:167)
    at com.azure.storage.blob.specialized.BlobClientBase.generateSas(BlobClientBase.java:2454)
    at org.gaul.s3proxy.azureblob.AzureBlobStore.copyBlob(AzureBlobStore.java:461)

The root cause is that BlobClientBase.generateSas() requires StorageSharedKeyCredential internally. When the BlobServiceClient is constructed with DefaultAzureCredential (for Managed Identity), no shared key is available, causing the NullPointerException.

Solution

The Azure SDK provides an alternative for OAuth-based authentication: User Delegation SAS. This approach:

  1. Obtains a UserDelegationKey from BlobServiceClient.getUserDelegationKey()
  2. Uses BlobClientBase.generateUserDelegationSas() instead of generateSas()

The fix detects whether shared key credentials are available:

  • If yes → use existing generateSas() (unchanged behavior)
  • If no (Managed Identity) → use generateUserDelegationSas() with a user delegation key

Requirements

When using Managed Identity, the identity must have the RBAC permission:

  • Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action

This permission is included in built-in roles:

  • Storage Blob Data Contributor
  • Storage Blob Data Owner
  • Storage Blob Delegator

Validation

@hermandavid could you validate the change? e.g. by building a custom image. I can support you with that. Would be cool if we can validate this before merging it to master.

@hermandavid
Copy link
Contributor

hermandavid commented Dec 19, 2025

@klaudworks

I have tested the code and confirm it's working as expected. Thanks

@gaul gaul merged commit 388188a into gaul:master Dec 19, 2025
3 checks passed
@gaul
Copy link
Owner

gaul commented Dec 19, 2025

Thank you for your contribution @klaudworks and for your testing @hermandavid!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@klaudworks @hermandavid @gaul