Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

az storage blob generate-sas does not properly encode --full-uri

See original GitHub issue

Describe the bug az storage blob generate-sas … --full-uri can have / characters in the SAS sig param. e.g.: https://(account).blob.core.windows.net/(container)/(filename).vhd?...&sig=.../.../...

These should be escaped to %2F as they are a reserved character for URIs (and in this case we definitely want a full uri): https://tools.ietf.org/html/rfc3986#section-2.2

Unescaped /s in the SAS token can cause parsing issues in various places when trying to use the --full-uri output.

To Reproduce Run az storage blob generate-sas ... --full-uri to generate the Full URI+SAS token for a blob. You may need to run it a couple times, but eventually there will be a / in the SAS token.

Expected behavior The expected form of the --full-uri output should have the / characters escaped: https://(account).blob.core.windows.net/(container)/(filename).vhd?...&sig=...%2F...%2F...

The Az powershell module as an example does correctly escape the SAS characters (New-AzStorageBlobSASToken ... -FullUri).

Environment summary

Ubuntu 18.04.
Install method apt-get. Followed these instructions: https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-apt?view=azure-cli-latest
azure-cli version: 2.0.81
Powershell or shell script run by Jenkins

Additional context Add any other context about the problem here.

Issue Analytics

State:
Created 4 years ago
Reactions:3
Comments:10 (4 by maintainers)

Top GitHub Comments

2reactions

kraizcommented, Oct 29, 2020

This is a problem open for months: generate-sas is handing out an invalid value. The provided URL will error out with:

<Error>
<Code>AuthenticationFailed</Code>
<Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.RequestId:2f8c48fa-d01e-0029-05cb-ad71a1000000Time:2020-10-29T08:14:54.6251537Z</Message>
<AuthenticationErrorDetail>Signature fields not well formed.</AuthenticationErrorDetail>
</Error>

It’s breaking automated workflows. Please have a look into this.

0reactions

Juliehzlcommented, Nov 2, 2020

Hi @kraiz , I could reproduce the sas token with /, but it still works as expected no authentication error. Here is the link: https://zuhdefault.blob.core.windows.net/test4/try.txt?se=2020-11-03&sp=ra&sv=2018-11-09&sr=b&sig=EV5vxI0Wg87/tnyCTNBfkuL085LMhtuANzcQQBl%2BNGg%3D

quoting / is not a problem for us, but we want to know the root cause you get authentication error. Hope you could provide more information.

Top Results From Across the Web

az storage blob | Microsoft Learn

Create a storage blob directory in a storage container. ... The legacy "key" mode will attempt to query for an account key if...

Azure Storage Account generate SAS Token, not an SAS URI

Use the Azure CLI to get the SAS token from the Storage Account. az storage blob generate-sas \ --account-name {Storage Account name} ...

azure-cli-storage 2.4.3 - PyPI

storage blob generate -sas : add –full-uri to create the full uri for the blob with sas ... Fixed #8021, binary data is...

How to Use Blob Storage via Azure File Storage

Blob storage is one of the Azure storage services and lets you store large amounts of text and binary data files, streaming content,...

azure.storage.blob package - NET

Creating the BlobServiceClient with Azure Identity credentials.¶ ... If the container is not found, a ResourceNotFoundError will be raised. Parameters.