23

I'm sending the following request in Postman to retrieve a simple .jpg from Azure Blob storage at this URL https://steamo.blob.core.windows.net/testcontainer/dog.jpg

```
GET /testcontainer/dog.jpg HTTP/1.1
Host: steamo.blob.core.windows.net
Authorization: SharedKey steamo:<my access key>
x-ms-date: Tue, 26 May 2015 17:35:00 GMT
x-ms-version: 2014-02-14
Cache-Control: no-cache
Postman-Token: b1134f8a-1a03-152c-2810-9cb351efb9ce
```

If you're unfamiliar with Postman it is just a REST client - the Postman-Token header can probably be ignored.

My access key is copied from my Azure Management Portal.

I get this error:

Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. RequestId:2482503d-0001-0033-60da-9708ed000000 Time:2015-05-26T17:35:41.4577821Z

With this AuthenticationErrorDetail:

The MAC signature found in the HTTP request '<my access key>' is not the same as any computed signature. Server used following string to sign: 'GET x-ms-date:Tue, 26 May 2015 17:35:00 GMT x-ms-version:2014-02-14 /steamo/testcontainer/dog.jpg'.

How do I fix this? Let me know if you need any more info from me.

starlord7

2 Answers

16

Authentication for Azure Storage is not simply a matter of providing the access key (that is not very secure). You need to create a signature string that represents the given request, sign the string with the HMAC-SHA256 algorithm (using your storage key to sign), and encode the result in base 64. See https://msdn.microsoft.com/en-us/library/azure/dd179428.aspx for full details, including how to construct the signature string.

  • 1
    when you say using your storage key to sign, do you mean our access token? – conterio Nov 20 '17 at 23:38
  • why is only providing the key not secure? – jvans Feb 05 '23 at 17:30
  • 1
    @jvans because you need to store and transmit the underlying key giving potentially unlimited access to whole storage account, including settings, management etc. By generating SAS token, you define scope of access, expiry dates and optionally source IP. Whether using original access key is secure or not is a matter of definition - how secure it has to be for us to call it 'secure'. But SAS tokens provide additional security regardless – karolgro Jun 19 '23 at 08:28
9

Just got this working, here's my code:

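```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// HMAC-SHA256 over the UTF-8 string-to-sign, keyed with the Base64-decoded account key.
string signWithAccountKey(string stringToSign, string accountKey)
{
    using var hmacsha = new HMACSHA256(Convert.FromBase64String(accountKey));
    var signature = hmacsha.ComputeHash(Encoding.UTF8.GetBytes(stringToSign));
    // The Base64 result is the value that follows "SharedKey <account>:" in the Authorization header.
    return Convert.ToBase64String(signature);
}
```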
Ambrose Leung
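The construction the first answer describes, applied to the GET request from the question, as an added Python example (not code from either answer or from Microsoft). It assumes the Blob service Shared Key layout for service versions 2009-09-19 and later; `DEMO_KEY` and the helper names are made up for illustration, and `server_accepts` mirrors the server-side comparison to show why sending the raw key as the signature is rejected.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlsplit

# The 11 standard headers signed after the verb, in this order
# (assumed layout: Blob service Shared Key, versions 2009-09-19 and later).
STANDARD_HEADERS = [
    "content-encoding", "content-language", "content-length", "content-md5",
    "content-type", "date", "if-modified-since", "if-match", "if-none-match",
    "if-unmodified-since", "range",
]

def string_to_sign(method, url, headers, account):
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if "x-ms-date" in h:
        h["date"] = ""  # x-ms-date takes precedence; Date is signed as empty
    lines = [method.upper()] + [h.get(name, "") for name in STANDARD_HEADERS]
    # CanonicalizedHeaders: every x-ms-* header, lower-cased and sorted.
    lines += [f"{k}:{h[k]}" for k in sorted(h) if k.startswith("x-ms-")]
    # CanonicalizedResource: /account/path, then sorted query parameters.
    parts = urlsplit(url)
    query = {}
    for k, v in parse_qsl(parts.query, keep_blank_values=True):
        query.setdefault(k.lower(), []).append(v)
    lines.append(f"/{account}{parts.path}")
    lines += [f"{k}:{','.join(sorted(query[k]))}" for k in sorted(query)]
    return "\n".join(lines)

def sign(sts, account_key_b64):
    key = base64.b64decode(account_key_b64)  # the portal shows the key Base64-encoded
    mac = hmac.new(key, sts.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def server_accepts(auth_header, sts, account_key_b64):
    # The service recomputes the MAC and compares it with the presented value.
    presented = auth_header.rsplit(":", 1)[-1]
    return hmac.compare_digest(presented, sign(sts, account_key_b64))

# Constructed inputs: the request from the question and a made-up key.
DEMO_KEY = base64.b64encode(b"constructed demo key, not a real one").decode()
URL = "https://steamo.blob.core.windows.net/testcontainer/dog.jpg"
REQUEST_HEADERS = {"x-ms-date": "Tue, 26 May 2015 17:35:00 GMT",
                   "x-ms-version": "2014-02-14", "Cache-Control": "no-cache"}

if __name__ == "__main__":
    sts = string_to_sign("GET", URL, REQUEST_HEADERS, "steamo")
    print(repr(sts))
    print("Authorization: SharedKey steamo:" + sign(sts, DEMO_KEY))
```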