Reputation: 2503
There are a few questions here on Stack Overflow on this matter, but all of them are about a lease due to a virtual machine and its disks. The answer then is to delete the disk first to be able to delete the storage account/container.
Example: How do I delete an Azure storage account containing a leased blob?
My problem is that I have a custom audit log for which we used a leased container (we don't want anyone to manipulate logs, obviously). But we moved these logs to another place, so now I want to delete the old resource. But I am unable to, due to the lease lock.
Most likely this is due to me not understanding how leases work. My first try was to break the lease and unlock. This has been done:
My assumption was that I could delete the resource now but I still get the error:
"Failed to delete 1 out of 1 container(s): auditlog-container: ContainerProtectedFromDeletion: The storage account stgutauditlog container auditlog-container is protected from deletion due to ImmutabilityPolicy."
So looking at this ImmutablePolicy I tried Blob Containers - Delete Immutability Policy but got the error message:
    {
      "error": {
        "code": "ContainerImmutabilityPolicyFailure",
        "message": "Operation not allowed on immutability policy with incorrect etag."
      }
    }
Looking at eTag, you are supposed to set the eTag version (the only eTag-related parameter) in the If-Match header. But I tried adding the eTag, tried * and others, but still get the same message.
Trying the Blob Containers - Get Immutability Policy command to try and get the eTag, I only get the eTag already supplied and such:
    {
      "id": "/subscriptions/<removed>/resourceGroups/<removed>/providers/Microsoft.Storage/storageAccounts/<removed>/blobServices/default/containers/auditlog-container/immutabilityPolicies/default",
      "name": "default",
      "type": "Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies",
      "etag": "\"<removed>\"",
      "properties": {
        "immutabilityPeriodSinceCreationInDays": 8,
        "state": "Locked"
      }
    }
(Removed some information for security marked with removed in the code above)
Here it says locked... But how do I remove this lock??
Also deleting the files in it is not possible, the options are greyed out:
I don't know what step to take next or what I have missed. How do I delete this storage account/Container?
Any help appreciated!
Upvotes: 3
Views: 1953
Reputation: 44
@Swippen, I tried reproducing the scenario and got the errors below when trying to delete the container using PowerShell and Storage Explorer, where the immutable policy is in the locked state. But when I tried using the portal to delete the same container, it was successfully deleted and worked for me. Could you try deleting the container once using the portal?
Note: Deleting a locked immutability policy is not allowed; the only way is to delete the container after deleting all blobs inside the container.
Upvotes: 2
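The deletion order described in the answer above (empty the container, then delete it), as an added example that is not part of the original thread: a small planner that takes the policy body from the question and a blob listing and reports which blobs can already be deleted and when the container itself can go. The blob names and timestamps are constructed, and the code assumes retention is counted from each blob's creation time, as the `immutabilityPeriodSinceCreationInDays` field name indicates.

```python
import json
from datetime import datetime, timedelta, timezone

# Policy body as returned by Get Immutability Policy in the question (trimmed).
POLICY_JSON = """
{"name": "default",
 "properties": {"immutabilityPeriodSinceCreationInDays": 8, "state": "Locked"}}
"""

# Constructed sample listing: blob name -> creation time (UTC).
SAMPLE_BLOBS = {
    "audit-0001.log": datetime(2021, 3, 1, 9, 0, tzinfo=timezone.utc),
    "audit-0002.log": datetime(2021, 3, 6, 17, 30, tzinfo=timezone.utc),
    "audit-0003.log": datetime(2021, 3, 9, 8, 15, tzinfo=timezone.utc),
}


def plan_container_deletion(policy_json, blobs, now):
    """Return what can be deleted at `now` and when the container can go."""
    props = json.loads(policy_json)["properties"]
    # Assumption: retention runs from each blob's creation time.
    retention = timedelta(days=props["immutabilityPeriodSinceCreationInDays"])

    deletable, blocked = [], {}
    for name, created in sorted(blobs.items()):
        expires = created + retention
        if expires <= now:
            deletable.append(name)
        else:
            blocked[name] = expires

    return {
        # A Locked policy cannot be deleted; an Unlocked one still can.
        "policy_removable": props["state"] != "Locked",
        "deletable_now": deletable,
        "blocked_until": blocked,
        # The container can be removed once it is empty, i.e. after the
        # last blob's retention has expired and the blob has been deleted.
        "container_deletable_from": max(blocked.values(), default=now),
    }


if __name__ == "__main__":
    now = datetime(2021, 3, 12, 12, 0, tzinfo=timezone.utc)
    plan = plan_container_deletion(POLICY_JSON, SAMPLE_BLOBS, now)
    for key, value in plan.items():
        print(f"{key}: {value}")
```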
Reputation: 44
I would suggest you try the PowerShell script below to delete the specific container, if lease status is available. See if this helps you.
    Login-AzureRmAccount
    Set-AzureRmContext -SubscriptionID "yoursubscription id"
    $ResourceGroupName = "your resourcegroup name"
    $StorageAccountName = "your storage account name"
    $StorageContainerNames = "container1, container2"
    try {
        ## Get Storage Details
        Write-Output ("Get Storage Account $StorageAccountName Keys")
        $Keys = Get-AzureRmStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName;
        Write-Output ("Get Storage Account $StorageAccountName Context")
        $StorageContext = New-AzureStorageContext -StorageAccountName $StorageAccountName -StorageAccountKey $Keys[0].Value;
        ## Process Each Container
        $StorageContainerNames.Split(",") | ForEach-Object {
            ## Trim the space left after each comma so the name matches
            $currentContainer = $_.Trim()
            Write-Output ("Start Remove for Container $currentContainer")
            ## Remove Container
            if ((Get-AzureStorageContainer -Context $StorageContext | Where-Object { $_.Name -eq $currentContainer })) {
                ## Remove a Blob Container in the Storage Account
                Write-Output ("Removing Container: $currentContainer")
                ## -ErrorAction Stop sends a failed removal to the catch block
                ## instead of falling through to the "Removed" message
                Remove-AzureStorageContainer -Context $StorageContext -Name $currentContainer -Force -ErrorAction Stop;
                Write-Output ("Container $currentContainer Removed")
            }
            else {
                Write-Warning "Container $currentContainer doesn't exist."
            }
        }
    } catch {
        ## Subexpression so the exception message itself is expanded in the string
        Write-Error "$($_.Exception.Message)"
    }
Upvotes: 0