Cannot extend nor lock Azure immutability policy from command line: Operation not allowed on immutability policy with incorrect etag

I am using Azure immutable storage, aka WORM (Write Once, Read Many).

I am trying to set the immutability policies using the az command line, as documented here. I can create policies from the CLI, but that's all. I cannot extend locked policies, nor can I lock unlocked ones.

Example (using PowerShell in Windows):

    $etag = az storage container immutability-policy show `
        --account-name <a-name> `
        --container-name <c-name> `
        --query etag `
        --output tsv
    # This yields a sane-looking ETag, a 15-digit hexadecimal string.
    az storage container immutability-policy lock `
        --account-name <a-name> `
        --container-name <c-name> `
        --if-match $etag

This gives an error message:

(ContainerImmutabilityPolicyFailure) Operation not allowed on immutability policy with incorrect etag. Code: ContainerImmutabilityPolicyFailure Message: Operation not allowed on immutability policy with incorrect etag.

I get the same error message if I send --if-match *.

If I omit --if-match entirely it throws an error.

If I try to look up the policy by ETag I can find the policy fine:

    az storage container immutability-policy show `
        --account-name <a-name> `
        --container-name <c-name> `
        --if-match $etag

Adding --resource-group <r-name> makes no difference.

I can lock and extend these policies fine from the Azure portal (browser GUI), logged in with the same credentials.


  • Apparently my login was set to the wrong subscription, and the error message is just bad. I think I fixed it by doing this:

    az account set --subscription <name-of-subscription-where-storage-account-is>
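
A pre-flight check built on the answer above, as an added example that is not part of the original post: it confirms the CLI is targeting the intended subscription before reading the ETag and locking the policy. The variable names and the confirmation prompt are assumptions, and the `<...>` values are the page's placeholders to be replaced.

```powershell
# Added example. Replace the placeholders before running.
$ExpectedSubscription = '<name-of-subscription-where-storage-account-is>'
$ResourceGroup        = '<r-name>'
$Account              = '<a-name>'
$Container            = '<c-name>'

# Name and ID of the subscription the CLI currently targets (one value per line).
$active = az account show --query "[name, id]" --output tsv
if ($LASTEXITCODE -ne 0) { throw 'az account show failed; run "az login" first.' }

# Switch only if neither the name nor the ID matches the expected subscription.
if ($active -notcontains $ExpectedSubscription) {
    Write-Host "Active subscription is '$($active[0])'; switching to '$ExpectedSubscription'."
    az account set --subscription $ExpectedSubscription
    if ($LASTEXITCODE -ne 0) { throw 'az account set failed; check the subscription name.' }
}

# The storage account must resolve in the active subscription before going further.
$accountId = az storage account show `
    --name $Account `
    --resource-group $ResourceGroup `
    --query id `
    --output tsv
if ($LASTEXITCODE -ne 0 -or -not $accountId) {
    throw "Storage account '$Account' is not visible in the active subscription."
}
Write-Host "Resolved storage account: $accountId"

# Read the policy's current ETag, as in the question.
$etag = az storage container immutability-policy show `
    --account-name $Account `
    --container-name $Container `
    --resource-group $ResourceGroup `
    --query etag `
    --output tsv
if ($LASTEXITCODE -ne 0 -or -not $etag) { throw 'Could not read the immutability policy ETag.' }

# A locked policy cannot be unlocked, so ask for explicit confirmation first.
$answer = Read-Host "Lock policy on '$Container' (ETag $etag)? Type LOCK to continue"
if ($answer -cne 'LOCK') { throw 'Aborted; policy left unlocked.' }

az storage container immutability-policy lock `
    --account-name $Account `
    --container-name $Container `
    --resource-group $ResourceGroup `
    --if-match $etag
if ($LASTEXITCODE -ne 0) { throw 'Lock failed; see the CLI error above.' }
```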