2

I'm calling the generate_sas_token API which generates an SAS token that I append to the end of the url to be able to access it. I had it working before but then I kept getting this error:

<Error> <Code> AuthenticationFailed </Code>
<Message>
Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
RequestId:ae350ec9-c01e-0010-06ca-257999000000
Time:2022-02-19T19:55:49.7901043Z
</Message>

<AuthenticationErrorDetail>
Signature did not match. String to sign used was rt

2022-02-19T21:55:49Z/blob/storage/files/someimage.jpg  

2020-10-02
b

Added my call

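import re
from datetime import datetime, timedelta

from azure.storage.blob import BlobSasPermissions, generate_blob_sas
from django.conf import settings


def generate_sas_token(file_name, img_url):
    # Strip the account/container prefix from the URL; the remainder is used
    # as the blob name (this overrides the file_name argument).
    pattern = r'\bhttps:\/\/lenstorage.blob.core.windows.net\/files\/\b'
    file_name = re.sub(pattern, '', img_url)

    AZURE_ACC_NAME = settings.AZURE_ACCOUNT_NAME
    AZURE_PRIMARY_KEY = settings.AZURE_PRIMARY_KEY
    AZURE_CONTAINER = settings.AZURE_CONTAINER

    # Read-only SAS for this one blob, valid for two hours.
    sas = generate_blob_sas(account_name=AZURE_ACC_NAME,
                            account_key=AZURE_PRIMARY_KEY,
                            container_name=AZURE_CONTAINER,
                            blob_name=file_name,
                            permission=BlobSasPermissions(read=True),
                            expiry=datetime.utcnow() + timedelta(hours=2))

    # Append the SAS query string to the blob URL.
    sas_url = 'https://' + AZURE_ACC_NAME + '.blob.core.windows.net/' + AZURE_CONTAINER + '/' + file_name + '?' + sas

    return sas_url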

After many hours of reading I've done the following: I've made sure both resources are in the same region and the times are the same on both servers. I've checked all my environment variables and they are fine. I've manually generated a token and attached it to the URL to access the image. I've somewhat gone through the configuration of azure storages but need some direction as to what would cause this, as the error message doesn't provide much.

Update after suggestions

I added the start time and made it 15 minutes in the past in case of time skew. I also added tag as permission for good measure.

The aim being to make sure all the parameters/arguments were correct and matched as the signature wasn't matching.

No luck!

Thank you wizards!

Cl0ud-l3ss
  • 1
    What do you mean by “local server”? Can you share the code for generating the SAS token? – Gaurav Mantri Feb 19 '22 at 20:27
  • I mean on my dev local deployment. I'm calling generate_blob_sas from in Django app and triggering it with an endpoint that is used in a React app. – Cl0ud-l3ss Feb 19 '22 at 20:32
  • I have to strip out the first part of the URL because the file structure is dynamic. then pass the entire string as the file name. Might look a bit much but it works fine on my local set up and used to work online – Cl0ud-l3ss Feb 19 '22 at 20:36
  • 1
    Have you tried setting start time to something in the past (like 10 minutes or so…)? If there is any clock drift, you might find issues using generated SAS. – David Makogon Feb 20 '22 at 05:02
  • 1
    Your code looks ok to me. Only thing I could think of is incorrect parameters. For example, in your code you are creating a SAS Token with `read` permission however in the error message the permissions are for both `read` and `tag`. I wonder why is that? – Gaurav Mantri Feb 20 '22 at 05:21
  • First added a start time 15 minutes before to try the time skew (I've read a lot about this) and also added a tag field for the permissions. Now I can see the start time of the token but still authenticating wrong. – Cl0ud-l3ss Feb 20 '22 at 08:39
  • Sorry guys my silly mistake :( thanks for the help/direction appreciate it ! – Cl0ud-l3ss Feb 20 '22 at 12:19

1 Answer

0

tl;dr

Make sure your file_name has no whitespace and check all the arguments you're passing are in the correct format.


The problem was with %20, also known as whitespace, in the file_name. I naively assumed Azure would handle it or provide a warning or error.

My file name structure in Azure Blob storage (file_name) was like this:

targets/my name/logo/Logo-H.jpg

which translates to:

targets/my%20name/logo/Logo-H.jpg

Purely my mistake and an oversight but I assumed Azure would have some type of catch/handle for this. I stripped out the whitespace from the URL and replaced with - resulting in..

targets/my-name/logo/Logo-H.jpg
Cl0ud-l3ss
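The mismatch described in the answer, as an added example that is not part of the original post: a blob name taken from a URL still carries %20, and an HMAC over that string differs from one over the decoded name. Here toy_signature is a simplified stand-in that signs only the canonicalized resource seen in the error message (not Azure's full string-to-sign), the key is constructed, and the helper names are hypothetical. It goes beyond the answer's rename by decoding the name before signing and encoding it only in the URL, on the assumption that the service verifies against the decoded blob name.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote, urlsplit

# Constructed demo key; not a real storage account key.
DEMO_KEY = base64.b64encode(b"constructed-demo-key").decode()


def blob_name_from_url(img_url, container):
    """Return the decoded blob name, the form to pass as blob_name when signing."""
    path = urlsplit(img_url).path  # still percent-encoded, e.g. my%20name
    prefix = "/" + container + "/"
    if not path.startswith(prefix):
        raise ValueError("URL is not inside container %r" % container)
    return unquote(path[len(prefix):])


def blob_url(account, container, blob_name, sas):
    """Percent-encode the blob name only when building the request URL."""
    return "https://%s.blob.core.windows.net/%s/%s?%s" % (
        account, container, quote(blob_name, safe="/"), sas)


def toy_signature(key_b64, account, container, blob_name):
    """Simplified stand-in for the SAS HMAC: signs only /blob/<account>/<container>/<blob>."""
    resource = "/blob/%s/%s/%s" % (account, container, blob_name)
    mac = hmac.new(base64.b64decode(key_b64), resource.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


if __name__ == "__main__":
    url = "https://lenstorage.blob.core.windows.net/files/targets/my%20name/logo/Logo-H.jpg"
    raw = url.split("/files/", 1)[1]            # what a plain prefix strip yields
    name = blob_name_from_url(url, "files")     # decoded name
    print("signed over encoded name:", toy_signature(DEMO_KEY, "lenstorage", "files", raw))
    print("signed over decoded name:", toy_signature(DEMO_KEY, "lenstorage", "files", name))
    print(blob_url("lenstorage", "files", name, "sv=...&sig=..."))
```

With the real SDK, the decoded name from blob_name_from_url is what would go into generate_blob_sas as blob_name, and the encoded form appears only in the final URL.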