Azure Shared Access Signature - Signature did not match

3

38

I'm getting this error:

    <Error>
      <Code>AuthenticationFailed</Code>
      <Message>
        Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. RequestId:6c3fc9a8-cdf6-4874-a141-10282b709022 Time:2014-07-30T10:48:43.8634735Z
      </Message>
      <AuthenticationErrorDetail>
        Signature did not match. String to sign used was rwl 2014-07-31T04:48:20Z /acoustie/$root 2014-02-14
      </AuthenticationErrorDetail>
    </Error>

I get it when I generate a sas (Shared Access Signature) then paste that sas at the end of the container uri into a browser. This is the full address with the generated sas:

https://acoustie.blob.core.windows.net/mark?sv=2014-02-14&sr=c&sig=E6w%2B3B8bAXK8Lhvvr62exec5blSxsA62aSWAg7rmX4g%3D&se=2014-07-30T13%3A30%3A14Z&sp=rwl

I have scoured SO and Google and have tried lots of combinations, as far as I can tell I'm doing everything correctly, I know I'm not, I just can't see it...really hoping someone can help :-\

To be clear, I am generating a sas on a container, not a specific blob and not on the root container. Access on the blob is defined as Public Blob. My end goal is to simply allow writes to the container with the sas, while 'debugging' I have added most permissions to the SharedAccessBlobPolicy.

I have tried adding a \ at the beginning and ending of the container name. No change.

This is the code I use to generate the sas:

    var blobClient = storageAccount.CreateCloudBlobClient();

    // Get a reference to the blob container.
    var container = blobClient.GetContainerReference(containerName);

    // Do not set a start time, so the SAS becomes valid immediately.
    var sasConstraints = new SharedAccessBlobPolicy
    {
        SharedAccessExpiryTime = DateTime.UtcNow.AddMinutes(30),
        Permissions = SharedAccessBlobPermissions.Write
            | SharedAccessBlobPermissions.Read
            | SharedAccessBlobPermissions.List,
    };

    var sasContainerToken = container.GetSharedAccessSignature(sasConstraints);

    // Return the URI string for the container, including the SAS token.
    var sas = string.Format("{0}{1}", container.Uri.AbsoluteUri, sasContainerToken);
    Logger.Debug("SAS: {0}", sas);
    return sas;

It generates a signature, it just doesn't seem to be a valid signature.

I've tried different containers, changing the Access policy, with and without start times, extending the expiry to > 12 hours from now (I'm in a UTC+10 timezone), it doesn't seem to matter what I change it results in the same "signature did not match" error.

I have even tried using an older version of 'WindowsAzure.Storage', so I have now tried 4.2 and 4.1. Even tried the uri in a different browser, really shouldn't make a difference but hey...

Any suggestions are greatly appreciated :-)

Saad answered 30/7, 2014 at 13:41 Comment(3)
Are you trying to list blobs using this SAS URL? - Secondrate
I just want to NOT see the AuthenticationFailed error. I think it 'should' show the list of blobs though, as I have given it the List permission. - Saad
I am NOT using SAS to access my container. Why am I getting the same error? I just updated the timezone on my device and it started to work. The problem is I don't want to depend on the timezone. What can I do? - Carafe
94

Short Answer:

Add comp=list&restype=container to your SAS URL and you should not get this error.

Long Answer:

Essentially from your SAS URL, Azure Storage Service is not able to identify if the resource you're trying to access is a blob or a container and assumes it's a blob. Since it assumes the resource type is blob, it makes use of $root blob container for SAS calculation (which you can see from your error message). Since SAS was calculated for mark blob container, you get this Signature Does Not Match error. By specifying restype=container you're telling storage service to treat the resource as container. comp=list is required as per REST API specification.

Secondrate answered 30/7, 2014 at 13:55 Comment(13)
You're a genius, that worked, I can't tell you how happy I am right now, THANKS! :-) - Saad
Keen to hear the long answer when you have time...I can't help but wonder why the GetSharedAccessSignature doesn't include the bits it needs...thanks again! - Saad
I see, that makes sense :-) I knew I was doing something wrong, just couldn't see it :-\ - Saad
Just updated my answer. Regarding your comment about SAS not including necessary bits, I don't think it is the intent of SAS. SAS provides time/permission bound access to your storage resource. What operation you do using this SAS is up to you. HTH. - Secondrate
This is still relevant. - Cellar
Thanks much. Worked like a champ. - Parliamentarianism
Doing what you told, I get invalid URI: The requested URI does not represent any resource on the server. - Doorbell
Can you please tell me what the full URL looks like? It does not seem to work for me even after adding comp=list&restype=container. - Officeholder
@AjayManagaon - It should be something like https://<account-name>.blob.core.windows.net/<container-name>?sas-token&comp=list&restype=container. - Secondrate
Still the error: This request is not authorized to perform this operation using this permission. RequestId:35200542-701e-0021-054e-0dc485000000 Time:2023-11-02T05:39:29.4275108Z. - Officeholder
Not sure what mistake I'm making. - Officeholder
@AjayManagaon - Please ask a new question and provide all the details there. - Secondrate
Where is the document that you got the answer from? I need to take a look. - Ritualize
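
Added example (not part of the original question or answers): a Python model of the mismatch explained in the accepted answer, using the string-to-sign layout for service version 2014-02-14 that the error detail in the question reflects. The key is a constructed sample, and `service_check` is a hypothetical stand-in for the service-side decision, not Azure code.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed sample key (base64); not a real storage account key.
SAMPLE_KEY = base64.b64encode(b"constructed-demo-key-not-a-real-one").decode()


def string_to_sign(permissions, expiry, account, container, version="2014-02-14"):
    """Newline-joined fields that are signed for a blob/container SAS."""
    fields = [
        permissions,                # sp
        "",                         # st: start time, not set in the question
        expiry,                     # se
        f"/{account}/{container}",  # canonicalized resource
        "",                         # si: stored access policy id, unused here
        version,                    # sv
        "", "", "", "", "",         # rscc, rscd, rsce, rscl, rsct (unused)
    ]
    return "\n".join(fields)


def sign(key_b64, to_sign):
    """HMAC-SHA256 over the UTF-8 string-to-sign, base64-encoded."""
    mac = hmac.new(base64.b64decode(key_b64), to_sign.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def service_check(account, container, expiry, sig, has_restype, key_b64=SAMPLE_KEY):
    """Model of the behaviour in the answer: without restype=container the single
    path segment is read as a blob name, so the container becomes $root."""
    resource = container if has_restype else "$root"
    expected = sign(key_b64, string_to_sign("rwl", expiry, account, resource))
    return hmac.compare_digest(expected, sig)


def container_list_url(account, container, expiry, key_b64=SAMPLE_KEY):
    """Container SAS URL plus the two parameters that select List Blobs."""
    sig = sign(key_b64, string_to_sign("rwl", expiry, account, container))
    query = urlencode({
        "sv": "2014-02-14", "sr": "c", "sig": sig, "se": expiry, "sp": "rwl",
        "restype": "container", "comp": "list",
    })
    return f"https://{account}.blob.core.windows.net/{container}?{query}"
```

`urlencode` percent-encodes the base64 signature, which matters because an unescaped `+` in `sig` would be read as a space and produce the same mismatch error.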
5

Adding to @Gaurav Mantri's answer: in order to double-check the permissions, you can also create your OWN SAS token in the Azure Portal.

From this you can relate this comp=list&restype=container

Resource types you can provide:

  1. Container
  2. Object
  3. Service

Hope this helps someone.

Danseur answered 16/4, 2018 at 8:46 Comment(0)
0

After spending a lot of time on this: the actual error is different than the exception raised by the .NET compiler. If you're using metadata fields while uploading a blob file into storage, then check the metadata characters. For example, I am adding metadata fields like description, filename, etc. In the description field I had some junk characters, which I found in the run-time string text viewer.

My description was originally > test� file description; after changing the description to "test file description", it is working fine.

I extracted the metadata values from different sources; that's why they got those junk characters. Please remove/amend the metadata values, then it will work well.

Puritanical answered 20/5, 2019 at 15:33 Comment(0)
