
I am trying to make an ARM template deployment in tenant A. One of the parameters in the JSON file is a SAS URI pointing to a blob in a storage account in tenant B. I generated a token with full read/write/add, etc. + http/https permissions for the blob in tenant B and put it in, but it is being rejected with this message:

{"code":"Conflict","message":"{\r\n "status": "Failed",\r\n "error": {\r\n "code": "ResourceDeploymentFailure",\r\n
"message": "The resource operation completed with terminal provisioning state 'Failed'.",\r\n "details": [\r\n {\r\n
"code": "DeploymentFailed",\r\n "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",\r\n "details": [\r\n {\r\n
"code": "Conflict",\r\n "message": "{\r\n \"status\": \"Failed\",\r\n \"error\": {\r\n
\"code\": \"ResourceDeploymentFailure\",\r\n
\"message\": \"The resource operation completed with terminal provisioning state 'Failed'.\",\r\n \"details\": [\r\n
{\r\n \"code\": \"BlobDownloadFailed\",\r\n
\"message\": \"Microsoft.Azure.Storage.StorageException: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.\\r\\n at Microsoft.Azure.Storage.Core.Executor.Executor.d__1`1.MoveNext()\\r\\nRequest Information\\r\\nRequestID:b4d12e48-601e-0009-56de-a537b5000000\\r\\nRequestDate:\\r\\nStatusMessage:Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.

What seems to be happening is that ARM is accepting the deployment and trying to pull the blob from the storage account with the SAS provided, but the storage account is rejecting it. The deployment works when I try it with a SAS for a blob located in the same resource group + tenant. My understanding (which is likely incorrect) was that having the SAS token itself generated with the right permissions was enough for it to be used cross-tenant. Are there additional steps needed when doing an ARM deployment which is accessing resources in a different tenant and resource group, such as having an app registration, etc.?

Reeza
moon

1 Answer


Based on the error: AuthenticationFailed | Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.

  • Change the request header to x-ms-version: 2020-04-08
  • Can you please generate the SAS token through the Storage Explorer tool and try again. Also refer to this SO thread based on your scenario/error.

Also refer to this Microsoft Q&A thread, which provides more information on your scenario: https://learn.microsoft.com/en-us/answers/questions/29478/is-cross-tenant-blob-access-possible-in-azure.html

Multitenancy and Azure Storage: https://learn.microsoft.com/en-us/azure/architecture/guide/multitenant/service/storage

A 403 is seen when authorizing with a shared key because "All authorized requests must include the Coordinated Universal Time (UTC) timestamp for the request." Information about this can be found in Authorize with Shared Key.

A 403 means there is something wrong with your SAS token or shared key. You can use Storage Explorer to generate a SAS with the same configuration and see if it works.

If the issue still persists:

  • Can you share a screenshot of the error message, use Fiddler to trace the request, and share the log with us?
  • Your shared access signature may be missing a permission; please cross-verify.
  • Can you check the firewall settings and the time zone?

Additional information: When using Azure Storage account shared key auth, HTTP requests sent by this library generate a string to sign based on a subset of HTTP headers and finally sign it with the account key. Modifying headers after signing will lead to auth errors.

Authorize requests to Azure Storage
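A storage account validates a SAS against its own account key, not against the caller's Azure AD tenant, so the fields of the token itself (permissions, validity window, protocol, and an intact signature) are what to verify when a 403 like the one above comes back. The following is an added example for this page, not code from the question, the answer or Microsoft: an offline checker that parses a blob SAS URI and reports the defects the answer asks the reader to cross-verify. The account name, container, blob and signature values are constructed and not real; the 15-minute skew allowance is an assumption used only for the start-time check.

```python
"""Offline sanity checks for an Azure Blob SAS URI before it goes into an ARM
template parameter. Added example for this page, not code from the original
post or from Microsoft. Account name, container, blob and signatures below are
constructed for the example and are not real."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# Constructed sample: a read-only blob SAS, https only, valid for one day.
SAS_OK = (
    "https://contosostorage.blob.core.windows.net/templates/linked.json"
    "?sv=2020-08-04&st=2021-01-01T00%3A00Z&se=2021-01-02T00%3A00Z"
    "&sr=b&sp=r&spr=https&sig=abc123%2Fxyz%3D"
)
# Constructed sample with three defects that surface as a 403 from storage:
# write-only permission, expiry already past, signature URL-encoded twice.
SAS_BAD = (
    "https://contosostorage.blob.core.windows.net/templates/linked.json"
    "?sv=2020-08-04&st=2020-12-01T00%3A00Z&se=2020-12-02T00%3A00Z"
    "&sr=b&sp=w&spr=https&sig=abc123%252Fxyz%253D"
)
# Fixed "current time" so the example is deterministic.
FIXED_NOW = datetime(2021, 1, 1, 12, 0, tzinfo=timezone.utc)

REQUIRED = ("sv", "se", "sr", "sp", "sig")
BASE64_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")


def parse_sas_uri(uri):
    """Split a SAS URI into URL parts and a dict of single-valued query params."""
    parts = urlsplit(uri)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return parts, params


def parse_sas_time(value):
    """SAS times are UTC in one of three ISO 8601 shapes accepted by the service."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unparseable SAS time: {value!r}")


def check_sas_uri(uri, now=None, needed="r", skew=timedelta(minutes=15)):
    """Return a list of findings; an empty list means nothing obviously wrong.

    `needed` holds the permission letters the consumer requires (ARM only needs
    'r' to download a linked template). `skew` is an assumed allowance for clock
    drift between the issuing machine and the storage service."""
    now = now or datetime.now(timezone.utc)
    parts, p = parse_sas_uri(uri)
    findings = []

    if not parts.netloc.endswith(".blob.core.windows.net"):
        findings.append(f"host {parts.netloc!r} is not a public-cloud blob endpoint")
    missing = [k for k in REQUIRED if k not in p]
    if missing:
        findings.append("missing SAS parameters: " + ", ".join(missing))
        return findings  # nothing else is meaningful without these

    # sr=b is a blob SAS; a container SAS (sr=c) also covers the blobs in it.
    if p["sr"] not in ("b", "c"):
        findings.append(f"sr={p['sr']!r} does not grant access to a blob")

    lacking = [c for c in needed if c not in p["sp"]]
    if lacking:
        findings.append(f"sp={p['sp']!r} lacks required permission(s) {''.join(lacking)!r}")

    if parse_sas_time(p["se"]) <= now:
        findings.append(f"token expired at {p['se']} (now {now:%Y-%m-%dT%H:%M:%SZ})")
    if "st" in p and parse_sas_time(p["st"]) > now + skew:
        findings.append(f"token not valid before {p['st']} (check the issuing machine's clock)")

    if p.get("spr") == "https" and parts.scheme != "https":
        findings.append("spr=https but the URI scheme is not https")

    # parse_qs has URL-decoded once; a correctly encoded signature is now plain base64.
    if not set(p["sig"]) <= BASE64_CHARS:
        findings.append("sig still contains non-base64 characters after one URL decode "
                        "(likely URL-encoded twice, e.g. when pasted into JSON or a script)")
    return findings


if __name__ == "__main__":
    for label, uri in (("SAS_OK", SAS_OK), ("SAS_BAD", SAS_BAD)):
        print(label, check_sas_uri(uri, now=FIXED_NOW) or ["no obvious problems"])
```

Run it against the SAS you are about to paste into the template parameter; if it reports nothing, the remaining suspects are server-side (storage firewall rules, or a signature computed over a different resource path than the one being requested), which this check cannot see.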