Copy all blobs to another Azure storage account

December 18th 2020 Azure PowerShell

There's no functionality in the Azure Portal to migrate the contents of an Azure Storage account to another one. But there is a command-line tool that can do it: AzCopy. Recursively copying all blobs between two storage accounts is one of the many operations it supports:

> azcopy copy --help

...

Copy all blob containers, directories, and blobs from storage account to another by using a SAS token:

  - azcopy cp "https://[srcaccount].blob.core.windows.net?[SAS]" "https://[destaccount].blob.core.windows.net?[SAS]" --recursive=true

...

Unfortunately, for someone new to Azure Storage this is just the beginning. Obtaining an appropriate SAS token for both storage accounts is far from trivial. After looking at the documentation for SAS (shared access signature) tokens, I chose the PowerShell route.

I followed the installation instructions for the PowerShell module and started looking for a way to create a SAS token for the complete storage account. That's what I'd need for the recursive copy command.

There wasn't such a call in the examples section but I found a command for that in the reference documentation:

New-AzStorageAccountSASToken -Service Blob -ResourceType Service,Container,Object -Permission "racwdlup" -Context $ctx

I still had to provide the correct storage account context for the command to work. The first step towards that was connecting to the appropriate Azure account:

Connect-AzAccount -Tenant $tenantId -Subscription $subscriptionId

The $tenantId and $subscriptionId values can be found in the Azure portal:

  • For the $tenantId, use the hamburger menu to navigate to Azure Active Directory. On the Overview page, the Tenant ID value is listed in the Tenant information frame. You can use the button next to the value to copy it to the clipboard.

    Tenant ID value on the Azure Active Directory Overview page

  • For the $subscriptionId, use the hamburger menu to navigate to Subscriptions. In the list, there will be a Subscription ID value for each subscription which you can copy.

    Subscription ID value in the list of available subscriptions

That should be all the info you need for the SAS token. Just replace my fake tenant ID and subscription ID values with yours, as well as the storage account name and resource group name (as a precaution, the Clear-AzContext command will remove any existing credentials from your current PowerShell session):

Clear-AzContext
Connect-AzAccount -Tenant 3b8e4a82-aeb9-442f-b2cc-db57e63ad021 -Subscription fb2ad999-2b03-4c77-acd2-f7d4f684033d
$storageAccount = Get-AzStorageAccount -Name storageaccount -ResourceGroupName resourcegroup
New-AzStorageAccountSASToken -Service Blob -ResourceType Service,Container,Object -Permission "racwdlup" -Context $storageAccount.context

The final command will return the SAS token in the form of a long query string which you need to append to the URLs in the AzCopy command. Of course, you need to do the above steps for both the source and the destination storage account of your copy operation to get both SAS tokens. Only then can you finally invoke the copy command:

azcopy cp "https://[srcaccount].blob.core.windows.net?[SAS]" "https://[destaccount].blob.core.windows.net?[SAS]" --recursive=true
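A narrower variant of the steps above, as an added example that is not from the original post: it requests only the permissions each side of the copy is assumed to need (read and list on the source, write and list on the destination), restricts the tokens to HTTPS and sets an explicit expiry. The function name New-ScopedBlobSasUrl and the account and resource group names are placeholders, and it assumes Connect-AzAccount has already been run as shown earlier.

```powershell
# Added example. New-ScopedBlobSasUrl, 'srcaccount', 'destaccount' and
# 'resourcegroup' are placeholders, not values from the original post.
function New-ScopedBlobSasUrl {
    param(
        [Parameter(Mandatory)] [string] $AccountName,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $Permission,   # e.g. "rl" or "wl"
        [int] $LifetimeHours = 2
    )

    $account = Get-AzStorageAccount -Name $AccountName -ResourceGroupName $ResourceGroupName

    # Explicit expiry in UTC so the token stops working shortly after the copy.
    $expiry = (Get-Date).ToUniversalTime().AddHours($LifetimeHours)

    $sas = New-AzStorageAccountSASToken `
        -Service Blob `
        -ResourceType Service,Container,Object `
        -Permission $Permission `
        -Protocol HttpsOnly `
        -ExpiryTime $expiry `
        -Context $account.Context

    # Depending on the Az.Storage version, the token may or may not start with '?'.
    $sas = $sas.TrimStart('?')

    # PrimaryEndpoints.Blob already ends with '/', e.g. https://name.blob.core.windows.net/
    return "$($account.PrimaryEndpoints.Blob)?$sas"
}

# Assumption: read+list on the source and write+list on the destination are
# enough for this copy; widen only if AzCopy reports an authorization failure.
$srcUrl  = New-ScopedBlobSasUrl -AccountName 'srcaccount'  -ResourceGroupName 'resourcegroup' -Permission 'rl'
$destUrl = New-ScopedBlobSasUrl -AccountName 'destaccount' -ResourceGroupName 'resourcegroup' -Permission 'wl'

azcopy cp $srcUrl $destUrl --recursive=true

# The URLs carry bearer credentials: remove them from the session when done.
Remove-Variable srcUrl, destUrl
```

Anyone who obtains one of these URLs can use it until the expiry time, so keep them out of scripts committed to source control and out of shared logs.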

Despite all the preparation steps, the AzCopy command will still save you a lot of time if you need to do massive data migration between storage accounts.
