“Cannot OPEN BACKUP device” error seen when backing up Azure SQL Managed Instance to Azure Blob Storage.
We have been seeing a trend in customer support cases with the following error
When attempting to backup a database in an Azure SQL Managed Instance to Azure Blob Storage you may run into the following error.
“Msg 3201, LEVEL 16,STATE 1,Line 5 Cannot
OPEN BACKUP device 'https://storageacct.blob.core.windows.net/container/db.bak'. Operating system error 50 (The request IS NOT supported.)”
Note that this is not specific to Managed Instance (MI); rather it indicates an issue with accessing the blob storage.
When you are having issues connecting to your blob storage container to perform a backup, it’s due to the Share Access Token (SAS) token being outdated. Listed below are the major components and their function.
- Storage Account - The storage account is the starting point for all storage services.
- Container – The container provides a grouping of a set of blobs and can store an unlimited number of blobs. To write a SQL Server backup to the Microsoft Azure Blob storage service, you must have at least the root container created. You can generate a Shared Access Signature token on a container and grant access to objects on a specific container only.
- Blob - A file of any type and size. There are two types of blobs that can be stored in the Microsoft Azure Blob storage service: block and page blobs. SQL Server backup can use either blob type depending upon the Transact-SQL syntax used. Blobs are addressable using the following URL format: https://<storage account>.blob.core.windows.net/<container>/<blob>
- URL - URL specifies a Uniform Resource Identifier (URI) to a unique backup file. The URL is used to provide the location and name of the SQL Server backup file. The URL must point to an actual blob, not just a container. Example: http[s]://ACCOUNTNAME.blob.core.windows.net/<CONTAINER>/<FILENAME.bak>
- Credential - An SQL Server credential is an object that is used to store authentication information required to connect to a resource outside of SQL Server. Here, SQL Server backup and restore processes use credential to authenticate to the Microsoft Azure Blob storage service and its container and blob objects. The Credential stores either the name of the storage account and the storage account access key values or container URL and its Shared Access Signature token. Once the credential is created, the syntax of the BACKUP/RESTORE statements determines the type of blob and the credential required.
The storage access policy can be created via Azure PowerShell, Azure Storage SDK, Azure Rest API, or a third-party application. I would like to focus on using the Portal and SSMS to drop the problematic SQL scoped credential, create new credential, create a new SAS token, and then using that SAS Token to create a new credential.
First, I always like to drop the credential and just create a new one from scratch with a new SAS token. This will eliminate time and effort when troubleshooting the current connection issue.
- If for some reason SAS credential token has expired, check the start and end date as shown in the screenshot below. One of the biggest mistakes I’ve seen, is that the start date will have the “Now” date/time and when coping the token string, the “?” symbol is included. It’s best to set this to 15 minutes prior to your actual time and the end date to what you need. If this doesn’t work, proceed as follows.
- To drop the current credential, connect to SQL Server Management Studio.
- Open a new query window and connect to the SQL Server Instance for the DB engine in your On-Premise environment
- In the query window, past the following and execute:
- DROP DATABASE SCOPED CREDENTIAL [yourcredentialName]; GO
- Verify that the credential has been drop by performing a new query using, SELECT * fromcredentials
- Now to create a new credential with a new SAS token
- Using storage explorer in the portal is the easiest way to create the SAS token. All you need to take is the part of the string after the question mark for “SAS token” and use that in the SECRET clause for CREATE CREDENTIAL in step 9
- An alternative to the above would be to use Microsoft Azure Storage Explorer to generate the SAS key with the appropriate polices.
- Now that you have the SAS Token, without the “?” marked by the blue “X” above, open a new query window
- In this window, paste the “Create Credential” script below. Please be aware this needs to be modified to match your environment and data and new SAS Token.
IF NOT EXISTS (SELECT * FROM sys.credentials WHERE name = 'https://nameOfCredential.blob.core.windows.net/backup') CREATE CREDENTIAL [https://nameOfCredential.blob.core.windows.net/backup] WITH IDENTITY = 'SHARED ACCESS SIGNATURE', SECRET = 'sv=rest of the token string as shown below; ‘
- To check that the credential has been created, please run the following query - SELECT * fromcredentials
- Once you have verified that the new credential with new SAS token has been created, please try again to backup your database to URL for Managed Instance.
I hope this information is of help and has saved you valuable time and eliminated the need for creating a support request with the Microsoft Azure support team. If after ensuring the above has been done correctly and you’re still experiencing the error above, please create a service request through Microsoft Support.