SAS URLs not working

Asked 18/5, 2016 at 18:55 Answered 5/5, 2021 at 15:44

I'm trying to create a SAS URL for a blob storage container. I've tried multiple storage accounts and multiple methods of creating the SAS, and all of them give this result when I test the SAS URL in a browser:

<Error>
<Code>AuthenticationFailed</Code>
<Message>
Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. RequestId:d95bf34f-0001-0022-4430-b1a25b000000 Time:2016-05-18T18:12:30.5552096Z
</Message>
<AuthenticationErrorDetail>
Signature did not match. String to sign used was rl 2016-05-18T18:10:00Z 2016-05-19T18:10:00Z /blob/cloudappmanager/$root 2015-04-05
</AuthenticationErrorDetail>
</Error>

I tried Storage Explorer (right-click container, Get SAS, click OK with defaults):

I tried the old Storage Explorer:

And I tried PowerShell:

PS C:\Users\virklba> $context = New-AzureStorageContext -StorageAccountName msuscoreaprod 
cmdlet New-AzureStorageContext at command pipeline position 1
Supply values for the following parameters:
(Type !? for Help.)
StorageAccountKey: xxxxxxxxx

PS C:\Users\virklba> New-AzureStorageContainerSASToken -Name aadlogs -Context $context -FullUri -Permission rl
https://msuscoreaprod.blob.core.windows.net/aadlogs?sv=2015-04-05&sr=c&sig=xxxxxxxx&se=2016-05-18T19%3A47%3A56Z&sp=rl

All with the same result. Is anyone else seeing this behavior, or is it just me?

Phylloid answered 18/5, 2016 at 18:55 Comment(3)

Have you confirmed that your local machine's system clock is up-to-date? Also: Would you mind trying an experiment, setting the start time to, say, an hour (or a day) in the past? – Brochu 18/5, 2016 at 19:9

System clock is accurate. I tried again setting the start time to yesterday, same result. I've also talked to one of our consultants; he's seeing the same behavior on a separate machine, separate Azure environment. – Phylloid 18/5, 2016 at 20:31

What is the URL that you are testing in the browser? – Alexaalexander 18/5, 2016 at 23:22

You are creating a SAS on the container, and it looks like you are trying to read the container in the browser. When I paste the container SAS into the browser, I get the same error you are getting.

The container SAS (with read permissions) gives you read access to the blobs in the container. So you need to append a blob name to the SAS before you paste it into the browser, in order to read a blob.

For example, this will not work:

https://myaccount.blob.core.windows.net/lotsofblobs?st=2016-05-18T22%3A49%3A00Z&se=2016-05-19T22%3A59%3A00Z&sp=rl&sv=2015-04-05&sr=c&sig=62WHwaZGI60ub1hYcQyKg1%2FE%2F1w9HUrOPGorzoWDLvE%3D

This does work, with myblob.txt appended to the base URL:

https://myaccount.blob.core.windows.net/lotsofblobs/myblob.txt?st=2016-05-18T22%3A49%3A00Z&se=2016-05-19T22%3A59%3A00Z&sp=rl&sv=2015-04-05&sr=c&sig=62WHwaZGI60ub1hYcQyKg1%2FE%2F1w9HUrOPGorzoWDLvE%3D

Please also see Gaurav Mantri's detailed explanation here: Azure Shared Access Signature - Signature did not match

Alexaalexander answered 18/5, 2016 at 23:26 Comment(0)

To fix this, try connecting the storage account first, then the blob.

Erse answered 5/5, 2021 at 15:44 Comment(0)

Recommended topics

Hot tags