One of my blog readers contacted me via email for an error message which he was receiving while using the backup to URL feature. Using this feature, SQL Server can take database backup directly to Azure Blob Storage. I have already written a blog about few errors which I received earlier but this error was new. I replied him asking more details and it was an easy error to fix. In this blog we would discuss how to fix 3271, The remote server returned an error: (403) Forbidden.
Here is the command which I have used to reproduce the error.
BACKUP DATABASE SQLAuthority TO URL='https://sqlprodbkups.blob.core.windows.net/sqldbbackups/SQLAuthority.bak' WITH CREDENTIAL ='AzBackupCred'
And the error message is below
Msg 3271, Level 16, State 1, Line 1
A nonrecoverable I/O error occurred on file “https://sqlprodbkups.blob.core.windows.net/sqldbbackups/SQLAuthority.bak:” Backup to URL received an exception from the remote endpoint. Exception Message: The remote server returned an error: (403) Forbidden..
Msg 3013, Level 16, State 1, Line 1
BACKUP DATABASE is terminating abnormally.
If you notice the error 3271 can come because of multiple reasons. An important piece of the error message is the error returned by the remote server. In this case, we are getting error 403 – Forbidden. Below is one earlier blog where I discussed Error – 400 – Bad Request SQL SERVER – Backup to URL Fails in Azure Resource Manager (ARM) Deployment Model with Error – (400) Bad Request
As you can see there is nothing wrong with the command. As soon as we run the command, SQL Server uses the credential to connect to storage and performs a backup. When I checked the credential, it was created using Access Keys in the portal. In our case, we have given container name instead of storage account name while creating credential.
Below image should give a clear picture of what needs to be given at which place.
Credential Name = any name which we need to use in BACKUP command
Identity = Storage Account Name which can be found under “Access Keys”.
Password and Confirm Password = Either Key1 or Key2.
It didn’t take much time to realize that my client has used some random name in Identity instead of storage account name and that was the cause of the error. We were able to fix that using ALTER command as below
USE [master] GO ALTER CREDENTIAL [AzBackupCred] WITH IDENTITY = N'sqlprodbkups', SECRET = N'Value In Key1' GO
Hope this would help you in fixing error 403, forbidden while taking backup to URL.
Reference: Pinal Dave (https://blog.sqlauthority.com)