Azure Access Denied on Shared Access Signature for Storage 2.0

I'm having trouble getting shared signatures to work with Storage 2.0.

I am using the code:

    if (blob.Exists())
    {
        var expires = DateTime.UtcNow.AddMinutes(30);
        var sas = blob.GetSharedAccessSignature(new Microsoft.WindowsAzure.Storage.Blob.SharedAccessBlobPolicy
        {
            Permissions = Microsoft.WindowsAzure.Storage.Blob.SharedAccessBlobPermissions.Read,
            SharedAccessExpiryTime = expires
        });
        url = string.Concat(blob.Uri.AbsoluteUri, sas);
    }
    return url;

But if I debug the session and paste the URL into the browser, I get an error message:

    <Error>
      <Code>AuthenticationFailed</Code>
      <Message>
        Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
        RequestId:c1a1dd2b-bf4a-4a6b-bab2-ab1cb9363d27
        Time:2012-11-19T14:41:51.1254531Z
      </Message>
      <AuthenticationErrorDetail>
        Signature did not match. String to sign used was r 2012-11-19T15:11:36Z /container/path/1356/pic.jpg 2012-02-12
      </AuthenticationErrorDetail>
    </Error>

Can anyone help?

UPDATE: The resulting URL looks like this: https://storageaccountname.blob.core.windows.net/container/path/1356/pic.jpg?sv=2012-02-12&se=2012-11-19T19%3A25%3A32Z&sr=b&sp=r&sig=s6QIdwAGY4xC8fs4L9pK8hAGIY%2F8x58aqBcFbejYPdM%3D

+4
2 answers

I get the same error. This code used to work before I upgraded to 2.0:

    var sharedAccessPolicy = new SharedAccessBlobPolicy
    {
        SharedAccessStartTime = DateTime.UtcNow.AddMinutes(-10),
        SharedAccessExpiryTime = DateTime.UtcNow.AddMinutes(30),
        Permissions = SharedAccessBlobPermissions.Read
    };
    var sharedAccessSignature = _blockblob.GetSharedAccessSignature(sharedAccessPolicy);
    return _blockblob.Uri.AbsoluteUri + sharedAccessSignature;

I get this URI:

 http://127.0.0.1:10000/devstoreaccount1/original/c04d2a1c-980b-42c5-b76e-b71185f027b6.jpg?sv=2012-02-12&st=2012-11-20T08%3A30%3A24Z&se=2012-11-20T09%3A10%3A24Z&sr=b&sp=r&sig=9%2BVg6mSGqyrfr5rPlNJ6GSv%2BHN3J9k%2FWFRLYmx3xCvQ%3D 

UPDATE RESOLVED:

In my code above, I have _blockBlob. It is set in the constructor with

    var blobClient = account.CreateCloudBlobClient();
    var container = blobClient.GetContainerReference(containerName);
    CloudBlockBlob _blockblob = container.GetBlockBlobReference(fileName);

Changing the last line (as suggested by clausndk) to

 ICloudBlob _test = container.GetBlobReferenceFromServer(fileName); 

solves the problem, since calling GetSharedAccessSignature on _test results in a different (valid) signature.

After looking at the source code for Azure Storage and using the debugger in my application, I found the cause of the problem. In my code, I have a container name with a trailing slash (original/). This is not a problem except when it comes to GetSharedAccessSignature. There, an additional slash is placed in canonicalName (the code adds one slash, giving a double slash), and this invalidates the signature. The reason that GetBlobReferenceFromServer works is that it asks the server (via the REST API) for the blob, and as a result, CloudBlockBlob has a slash.

In my code, I removed the trailing slash, but Sandrino Di Mattia's solution of using .Trim('/') on the container name also works. I think this is preferable to using GetBlobReferenceFromServer, as that will cause an additional server call.

We hope that the implementation of GetCanonicalName in CloudBlockBlobBase will be changed to handle trailing slashes in the future (I created a GitHub issue for this), but at the moment this "workaround" works.

+5

Could you try the following code?

    var pathToMyBlob = "/path/1356/pic.jpg";
    var blob = container.GetBlockBlobReference(pathToMyBlob.TrimStart('/'));
    var expires = DateTime.UtcNow.AddMinutes(30);
    var sas = blob.GetSharedAccessSignature(new Microsoft.WindowsAzure.Storage.Blob.SharedAccessBlobPolicy
    {
        Permissions = Microsoft.WindowsAzure.Storage.Blob.SharedAccessBlobPermissions.Read,
        SharedAccessExpiryTime = expires
    });

Look at the second line, especially the TrimStart call. I was able to reproduce the problem when trying to get a link to a blob file where the path started with a slash. By removing the slash, the problem has been fixed. So:

  • /path/1356/pic.jpg > Doesn't work
  • path/1356/pic.jpg > Works
+1
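
The mismatch both answers describe, as an added example that is not part of either post or of the Azure Storage client library: a stray slash in the container or blob name changes the canonical resource the client signs, so the HMAC no longer matches the one computed from the request path. The field order follows the string to sign echoed in the error message above and should be treated as an assumption; the key, the names and both join helpers are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class SasCanonicalNameDemo
{
    // Assumed layout, taken from the "String to sign used was" text in the error:
    // permissions, start, expiry, canonical resource, identifier (empty), version.
    static string StringToSign(string perms, string start, string expiry, string resource, string version)
        => string.Join("\n", perms, start, expiry, resource, "", version);

    static string Sign(string base64Key, string stringToSign)
    {
        using (var hmac = new HMACSHA256(Convert.FromBase64String(base64Key)))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(stringToSign)));
    }

    // Hypothetical naive join, mimicking the behaviour the first answer describes:
    // a container name that already ends in '/' yields a double slash.
    static string NaiveCanonicalName(string account, string container, string blob)
        => "/" + account + "/" + container + "/" + blob;

    // Hypothetical hardened join: strip stray slashes from each segment first.
    static string TrimmedCanonicalName(string account, string container, string blob)
        => "/" + account + "/" + container.Trim('/') + "/" + blob.TrimStart('/');

    static void Main()
    {
        // Constructed sample values, not a real account or key.
        string key = Convert.ToBase64String(Encoding.ASCII.GetBytes("constructed-demo-key"));
        string account = "devstoreaccount1", container = "original/", blob = "pic.jpg";
        string expiry = "2012-11-20T09:10:24Z", version = "2012-02-12";

        // Model of the service side: the resource comes from the request path,
        // which contains single slashes only.
        string serverResource = "/" + account + "/original/pic.jpg";
        string serverSig = Sign(key, StringToSign("r", "", expiry, serverResource, version));

        foreach (var name in new[] { NaiveCanonicalName(account, container, blob),
                                     TrimmedCanonicalName(account, container, blob) })
        {
            string clientSig = Sign(key, StringToSign("r", "", expiry, name, version));
            Console.WriteLine("{0,-40} match={1}", name, clientSig == serverSig);
        }
    }
}
```

The naive name (with `original//`) prints `match=False`, the trimmed one `match=True`.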

Source: https://habr.com/ru/post/1446988/

