
I have a container with locked immutable policy:

There are no longer any blobs within this container. I tried to delete this container with the PowerShell command below:

Remove-AzStorageContainer -Name $containerName -Force

But got below error:

The requested operation is not allowed as the container has a locked immutability policy. HTTP Status Code: 409

However, I can delete this container from azure portal successfully.

My question is, why can I delete it from the portal but not with PowerShell? Is there a way to automatically remove a container with a locked immutable policy?

3 Answers


    • As per this MSFT document, call the Set-AzRmStorageContainerImmutabilityPolicy command, specifying the retention interval in days, to set up a time-based retention policy on a container with PowerShell. Make sure to substitute your own values for the placeholder values in the angle brackets:
    Set-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName <resource-group> `
        -StorageAccountName <storage-account> `
        -ContainerName <container> `
        -ImmutabilityPeriod 10
       
    
    • An unlocked time-based retention policy can be changed to change the retention period’s length or allow more writes to append blobs to the container. An unlocked policy can also be deleted.
    • A time-based retention policy can be locked after testing is complete. In accordance with SEC 17a-4(f), a locked insurance is compliant. A locked policy’s retention period may be increased up to five times, but it cannot be decreased.
    • Once a policy has been locked, it cannot be deleted. However, after the retention period has passed, you can delete the blob.

    References:

    1. Delete containers based on container name prefix
    2. Blob Containers – Delete Immutability Policy
  1. Storage accounts can be interacted with in two different ways – via the data plane REST API (i.e. myaccount.blob.core.windows.net) and through ARM (i.e. management.azure.com) via the Storage Resource Provider.

    The PowerShell cmdlets in the form of xxx-AzStoragexxx use the data plane. The PowerShell cmdlets in the form of xxx-AzRmStoragexxx use ARM.

    Managing immutable policies must be done through ARM rather than through the data plane. When interacting with storage accounts via the portal you are using ARM, so it works as you would expect. With PowerShell, in order to delete a container that has an immutable policy, you must use the AzRmStorage cmdlets.

    To programmatically delete a container with an immutable policy you first have to delete all blobs in the container, then use one of the following:

  2. PowerShell can also delete the container with the management plane cmdlet:

    Log in to your Azure account (not needed if you have done so before)

    Connect-AzAccount 
    

    Remove container

    Remove-AzRmStorageContainer -ResourceGroupName $rgname -StorageAccountName $accountName -Name $containerName  
    

    You may also refer to the suggestion mentioned in this thread and let me know the status of the issue

    Note: Please make sure you are using the control plane cmdlet “Remove-AzRmStorageContainer” to delete the share.

    If it still fails, please add “-debug” and share the debug log to investigate (hide any credentials).
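
The procedure the answers above describe (confirm the container is empty, then delete through ARM rather than the data plane), written out as an added example that is not part of any answer in this thread. The resource group, account and container names are constructed placeholders, and the script assumes an existing Connect-AzAccount session with rights on both planes.

```powershell
# Added example. All three names below are constructed placeholders.
$rgName        = 'example-rg'
$accountName   = 'examplestorageacct'
$containerName = 'example-container'

# Control plane (ARM): read the container's retention state before touching it.
$container = Get-AzRmStorageContainer -ResourceGroupName $rgName `
    -StorageAccountName $accountName -Name $containerName

# A legal hold is a separate control from the time-based policy; stop if one is set.
if ($container.HasLegalHold) {
    throw "Container '$containerName' has a legal hold; not deleting."
}

# Record the policy state so the deletion of a WORM container is traceable in logs.
if ($container.HasImmutabilityPolicy) {
    $policy = Get-AzRmStorageContainerImmutabilityPolicy -ResourceGroupName $rgName `
        -StorageAccountName $accountName -ContainerName $containerName
    $days = $policy.ImmutabilityPeriodSinceCreationInDays
    Write-Host "Immutability policy state: $($policy.State), retention: $days days"
}

# Data plane: the container must already be empty. Listing a single blob is enough
# to decide. Assumption: the account context can list blobs (shared key or RBAC).
$ctx = (Get-AzStorageAccount -ResourceGroupName $rgName -Name $accountName).Context
$remaining = @(Get-AzStorageBlob -Container $containerName -Context $ctx -MaxCount 1)
if ($remaining.Count -gt 0) {
    throw "Container '$containerName' still holds blobs; not deleting."
}

# Control plane delete. The data plane cmdlet Remove-AzStorageContainer is the one
# that returned HTTP 409 in the question.
Remove-AzRmStorageContainer -ResourceGroupName $rgName `
    -StorageAccountName $accountName -Name $containerName -Force

# Verify by listing through ARM again.
$stillThere = Get-AzRmStorageContainer -ResourceGroupName $rgName `
    -StorageAccountName $accountName | Where-Object Name -eq $containerName
if ($stillThere) {
    Write-Warning "Container '$containerName' is still listed."
} else {
    Write-Host "Container '$containerName' removed."
}
```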
