V1.70.[0-2] in Azure: copy from BLOB to BLOB fails with "ManagedIdentityCredential.GetToken() requires exactly one scope"

Konstantin_Denin · July 1, 2025, 6:47am

What is the problem you are having with rclone?

Rclone copy from one Azure BLOB to another Azure BLOB fails with "ManagedIdentityCredential.GetToken() requires exactly one scope"

Run the command 'rclone version' and share the full output of the command.

rclone v1.70.2
- os/version: oracle 8.10 (64 bit)
- os/kernel: 5.15.0-307.178.5.el8uek.x86_64 (x86_64)
- os/type: linux
- os/arch: amd64
- go/version: go1.24.4
- go/linking: static
- go/tags: none

Issue exists in versions 1.70.0 - 1.70.2
Versions 1.69.1 - 1.69.3 are not affected.

Are you on the latest version of rclone? You can validate by checking the version listed here: Rclone downloads
We are on the latest version (1.70.2).

Which cloud storage system are you using? (eg Google Drive)

Azure BLOB.

The command you were trying to run (eg `rclone copy /tmp remote:tmp`)

"/bin/rclone" "copy" "-cvvP" "--stats=1m" "--transfers=1" "--min-age=1m" "--no-traverse" "--log-file=/logs/az_upload_config_host_2025-07-01_06_19_54.log" "blob1:host/test/config" "blob2:host/test/config"

The rclone config contents with secrets removed.

[blob2]
type = azureblob
use_msi = true
chunk_size = 100M
access_tier = Cool
account = XXX
msi_mi_res_id = XXX

[blob1]
type = azureblob
use_msi = true
chunk_size = 100M
access_tier = Hot
account = XXX
msi_mi_res_id = XXX

A log from the command with the `-vv` flag

2025/07/01 06:19:54 DEBUG : rclone: Version "v1.70.2" starting with parameters ["/bin/rclone" "copy" "-cvvP" "--stats=1m" "--transfers=1" "--min-age=1m" "--no-traverse" "--log-file=/logs/az_upload_config_host_2025-07-01_06_19_54.log" "blob1:host/test/config" "blob2:host/test/config"]
2025/07/01 06:19:54 DEBUG : Creating backend with remote "blob1:host/test/config"
2025/07/01 06:19:54 DEBUG : Using config file from "/etc/rclone.conf"
2025/07/01 06:19:54 DEBUG : Creating backend with remote "blob2:host/test/config"
2025/07/01 06:19:54 DEBUG : contents/test_backup_config_2025-07-01_05_00_17.xml: Need to transfer - File not found at Destination
2025/07/01 06:19:54 DEBUG : logs/test_backup_config_2025-07-01_05_00_17.log: Need to transfer - File not found at Destination
2025/07/01 06:19:54 ERROR : contents/test_backup_config_2025-07-01_05_00_17.xml: Failed to copy: multipart copy: failed to create access token: ManagedIdentityCredential.GetToken() requires exactly one scope
2025/07/01 06:19:54 DEBUG : Azure container host path test/config: Waiting for transfers to finish
2025/07/01 06:19:54 ERROR : logs/test_backup_config_2025-07-01_05_00_17.log: Failed to copy: multipart copy: failed to create access token: ManagedIdentityCredential.GetToken() requires exactly one scope
2025/07/01 06:19:54 ERROR : Attempt 1/3 failed with 2 errors and: multipart copy: failed to create access token: ManagedIdentityCredential.GetToken() requires exactly one scope
2025/07/01 06:19:54 DEBUG : contents/test_backup_config_2025-07-01_05_00_17.xml: Need to transfer - File not found at Destination
2025/07/01 06:19:54 DEBUG : logs/test_backup_config_2025-07-01_05_00_17.log: Need to transfer - File not found at Destination
2025/07/01 06:19:54 DEBUG : Azure container host path test/config: Waiting for checks to finish
2025/07/01 06:19:54 DEBUG : Azure container host path test/config: Waiting for transfers to finish
2025/07/01 06:19:54 ERROR : contents/test_backup_config_2025-07-01_05_00_17.xml: Failed to copy: multipart copy: failed to create access token: ManagedIdentityCredential.GetToken() requires exactly one scope
2025/07/01 06:19:54 ERROR : logs/test_backup_config_2025-07-01_05_00_17.log: Failed to copy: multipart copy: failed to create access token: ManagedIdentityCredential.GetToken() requires exactly one scope
2025/07/01 06:19:54 ERROR : Attempt 2/3 failed with 2 errors and: multipart copy: failed to create access token: ManagedIdentityCredential.GetToken() requires exactly one scope
2025/07/01 06:19:54 DEBUG : contents/test_backup_config_2025-07-01_05_00_17.xml: Need to transfer - File not found at Destination
2025/07/01 06:19:54 DEBUG : logs/test_backup_config_2025-07-01_05_00_17.log: Need to transfer - File not found at Destination
2025/07/01 06:19:54 DEBUG : Azure container host path test/config: Waiting for checks to finish
2025/07/01 06:19:54 DEBUG : Azure container host path test/config: Waiting for transfers to finish
2025/07/01 06:19:54 ERROR : logs/test_backup_config_2025-07-01_05_00_17.log: Failed to copy: multipart copy: failed to create access token: ManagedIdentityCredential.GetToken() requires exactly one scope
2025/07/01 06:19:54 ERROR : Attempt 3/3 failed with 2 errors and: multipart copy: failed to create access token: ManagedIdentityCredential.GetToken() requires exactly one scope
2025/07/01 06:19:54 INFO  : 
Transferred:   	          0 B / 0 B, -, 0 B/s, ETA -
Errors:                 2 (retrying may help)
Checks:               180 / 180, 100%, Listed 192
Elapsed time:         0.2s

2025/07/01 06:19:54 DEBUG : 49 go routines active
2025/07/01 06:19:54 NOTICE: Failed to copy with 2 errors: last error was: multipart copy: failed to create access token: ManagedIdentityCredential.GetToken() requires exactly one scope

asdffdsa · July 1, 2025, 4:57pm

just a guess, looking at changelog. maybe the issue is "Implement multipart server side copy"
maybe as a test, try to prevent "multipart server side copy"

for a deeper look at the api calls, use --dump flags.
and to keep the logs smaller, use --retries=1

Konstantin_Denin · July 1, 2025, 9:10pm

I'll create a test case with the specified flags and share the log after masking data and removing checks for existing files (there are many).
In the meantime regarding multipart, copy works perfectly well in 1.69 and earlier. The error started occurring once we updated the package from 1.69.1 to 1.70.2.
For now, we downgraded rclone to 1.69.3, and the issue vanished.
Given the behavior, we assume the cause can be related to the significant portion of new code for Azure BLOBs, introduced in 1.70.0.

Konstantin_Denin · July 3, 2025, 6:37am

Creating a dump with "requests,responses,auth" flags results in a logfile of circa 3000 lines.
In order to save some space and time, can you let me know which specific dump flags you'd like me to enable.

ncw · July 3, 2025, 9:24am

@Konstantin_Denin this looks like a bug Can you open a new issue on Github please and attach a log with -vv --dump bodies --retries 1 please. It might be best if you can create a small test case showing the failure - If we can replicate the problem we can fix it much more easily. Thanks.

Konstantin_Denin · July 4, 2025, 4:56am

Konstantin_Denin:

rclone v1.70.2
- os/version: oracle 8.10 (64 bit)
- os/kernel: 5.15.0-307.178.5.el8uek.x86_64 (x86_64)
- os/type: linux
- os/arch: amd64
- go/version: go1.24.4
- go/linking: static
- go/tags: none

Thank you, @ncw!
Issue 8662 has been created.
We'll stay on v1.69.3 for now.
Please do let us know if any other info is required from us.

K.D.

Konstantin_Denin · July 8, 2025, 5:22am

Issue is no longer manifested in 1.71.0-beta.8855.
Considering it resolved and closing this topic.

Many thanks to @ncw!

system · July 11, 2025, 5:22am

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.