Why cannot delete a container with lock immutable policy using Powershell but it is allowed from azure portal?

Youxu
July 13, 2022
320 views
3 votes
3 Answers

I have a container with locked immutable policy:

There is already no any blobs within this container. I tried to delete this container with below powershell command:

Remove-AzStorageContainer -Name $containerName -Force

But got below error:

The requested operation is not allowed as the container has a locked immutability policy. HTTP Status Code: 409

However, I can delete this container from azure portal successfully.

My question is, why I can delete from portal but cannot using powershell? Is there a way to automatic remove the container with locked immutable policy?

Answers

- SuryasriKaminiMT
- July 13, 2022 at 8:03 am
- 0 votes
0
- As per this MSFT document, Call the Set-AzRmStorageContainerImmutabilityPolicy command, specifying the retention interval in days, to set up a time-based retention policy on a container with powershell. Make sure to substitute your own values for the placeholder values in the angle brackets:
```
Set-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName <resource-group> `
    -StorageAccountName <storage-account> `
    -ContainerName <container> `
    -ImmutabilityPeriod 10
   
```
- An unlocked time-based retention policy can be changed to change the retention period’s length or allow more writes to append blobs to the container. An unlocked policy can also be deleted.
- A time-based retention policy can be locked after testing is complete. In accordance with SEC 17a-4(f) , a locked insurance is compliant. A locked policy’s retention period may be increased up to five times, but it cannot be decreased.
- Once a policy has been locked, it cannot be deleted. However, after the retention period has passed, you can delete the blob.
References:
1. Delete containers based on container name prefix
2. Blob Containers – Delete Immutability Policy
Login or Signup to reply.

- kwill
- August 17, 2022 at 5:54 pm
- 0 votes
0
Storage accounts can be interacted with in two different ways – via the data plane REST API (ie. myaccount.blob.core.windows.net) and through ARM (ie. management.azure.com) via the Storage Resource Provider.

The Powershell cmdlets in the form of xxx-AzStoragexxx use data plane. The Powershell cmdlets in the form of xxx-AzRmStoragexxx use ARM.

Managing immutable policies must be done through ARM rather than through the data plane. When interacting with storage accounts via the portal you are using ARM so it works as you would expect. With Powershell, in order to delete a container that has an immutable policy, you must use the AzRmStorage cmdlets.

To programmatically delete a container with an immutable policy you first have to delete all blobs in the container, then use one of the following:
- Powershell: Remove-AzRmStorageContainer
- CLI: az storage container-rm delete
- REST API: https://learn.microsoft.com/en-us/rest/api/storagerp/blob-containers/delete?tabs=HTTP
Login or Signup to reply.

- SumanthMarigowdaMSFT
- August 26, 2022 at 7:34 am
- 0 votes
0
Powershell can also delete container with management plane cmdlet:

login Azure account, not needed if you have done so before
```
Connect-AzAccount 
```
Remove container
```
Remove-AzRmStorageContainer -ResourceGroupName $rgname -StorageAccountName $accountName -Name $containerName  
```
You may also refer to the suggestion mentioned in this thread and let me know the status of the issue

Note: Please make sure you are using the control plane cmdlet “Remove-AzRmStorageContainer” to delete the share .

If still fail, please add “-debug” and share the debug log to investigate. (hide if any credential.)
Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.