Cannot generate a working SAS key from a policy


Describe the bug

Cannot generate a working SAS key from a policy

To Reproduce

Welcome to Azure Cloud Shell

Type "az" to use Azure CLI 2.0
Type "help" to learn about Cloud Shell

tim@Azure:~$ az account set --subscription MYSUBSCRIPTION
tim@Azure:~$ account_name=tomtaexpenses
tim@Azure:~$ account_key=MYSTORAGEACCOUNTKEY
tim@Azure:~$ group=tomtaexpenses
tim@Azure:~$ storageAccount=MYSTORAGEACCOUNTNAME
tim@Azure:~$ container=sastest
tim@Azure:~$ policy=sastestpolicy
tim@Azure:~$ az storage container policy create \
    --account-name $storageAccount \
    --container-name $container \
    --name $policy \
    --permissions "dlrw"
{
  "etag": "\"0x8D6C5182840BD2C\"",
  "lastModified": "2019-04-19T22:41:26+00:00"
}
tim@Azure:~$
tim@Azure:~$ sas=$(az storage container generate-sas \
    --name $container \
    --account-name $storageAccount \
    --policy-name $policy \
    --https-only \
    --permissions dlrw \
    -otsv)
tim@Azure:~$ echo $sas
sp=rwdl&spr=https&sv=2018-03-28&si=sastestpolicy&sr=c&sig=GvotqN1tfbjmrbbcKLCYioN/9R7GmAEcFNARoGUiYvI%3D
tim@Azure:~$ touch test.html
tim@Azure:~$
tim@Azure:~$ az storage blob upload \
    --account-name $storageAccount \
    --container-name $container \
    --name upload-test \
    --sas-token $sas \
    -f test.html \
    --verbose

You do not have the required permissions needed to perform this operation.
Depending on your operation, you may need to be assigned one of the following roles:
    "Storage Blob Data Contributor (Preview)"
    "Storage Blob Data Reader (Preview)"
    "Storage Queue Data Contributor (Preview)"
    "Storage Queue Data Reader (Preview)"

If you want to use the old authentication method and allow querying for the right account key, please use the "--auth-mode" parameter and "key" value.

The command failed with an unexpected error. Here is the traceback:

'CommandResultItem' object is not iterable
Traceback (most recent call last):
  File "/opt/az/lib/python3.6/site-packages/knack/cli.py", line 212, in invoke
    self.output.out(cmd_result, formatter=formatter, out_file=out_file)
  File "/opt/az/lib/python3.6/site-packages/knack/output.py", line 132, in out
    output = formatter(obj)
  File "/opt/az/lib/python3.6/site-packages/knack/output.py", line 38, in format_json
    input_dict = dict(result) if hasattr(result, '__dict__') else result
TypeError: 'CommandResultItem' object is not iterable

To open an issue, please run: 'az feedback'
command ran in 0.756 seconds.
tim@Azure:~$

Expected behavior

Expected the upload to succeed using the SAS key generated from the policy

Environment summary

Azure cloud shell

Issue Analytics

  • State:closed
  • Created 4 years ago
  • Reactions:1
  • Comments:8 (4 by maintainers)

Top GitHub Comments

1 reaction
cbellee commented, Sep 7, 2020

I’m having the same issue with CLI version 2.11.1. Can this be re-opened and investigated, please.

{
  "azure-cli": "2.11.1",
  "azure-cli-core": "2.11.1",
  "azure-cli-telemetry": "1.0.5",
  "extensions": {
    "aks-preview": "0.4.60",
    "application-insights": "0.1.9",
    "azure-devops": "0.18.0",
    "connectedk8s": "0.2.1",
    "k8sconfiguration": "0.1.8"
  }
}

Using the commands below, I receive the following error when trying to download the blob using the sas token generated with an access policy:

‘Authentication failure. This may be caused by either invalid account key, connection string or sas token value provided for your storage account.’

If I remove the --policy $policy parameter from the az storage container generate-sas command, so that the access policy isn’t used to generate the sas token, then the upload works.

# vars 
group=test-rg
storageAccount=stor123456789
container=sas-test
policy=sastestpolicy

# create storage policy
az storage container policy create \
  --account-name $storageAccount \
  --container-name $container \
  --name $policy \
  --permissions racwdl

# create sas token using access policy
sas=$(az storage container generate-sas \
  --name $container \
  --account-name $storageAccount \
  --https-only \
  --policy $policy \
  --start '2020-09-01' \
  --expiry '2020-09-30' \
  --permissions rwdl \
  -o tsv)

# create test file
touch test.html

# attempt to upload the blob
az storage blob upload \
  --account-name $storageAccount \
  --container-name $container \
  --name test.html \
  --sas-token $sas \
  --file test.html \
  --verbose

0 reactions
Juliehzl commented, Jan 15, 2021

Hi @cbellee, please remove --permission in your generate-sas command because you already define it in your policy.
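
The reply above rests on a rule of stored access policies: a field that the policy defines (permissions, start, expiry) cannot also appear in a SAS that references the policy through si=, and a token that repeats one fails authentication. The sketch below is an added example, not code from the issue or the Azure CLI; the helper names are hypothetical, the tokens are constructed, and it goes slightly beyond the thread by checking start (st) and expiry (se) as well as permissions (sp).

```shell
#!/usr/bin/env bash
# Added example (not from the issue). Helper names are hypothetical.

# Print the value of KEY in a SAS query string; return 1 if the key is absent.
sas_field() {
  local sas="${1#\?}" key="$2" pair
  local IFS='&'
  for pair in $sas; do
    if [ "${pair%%=*}" = "$key" ]; then
      printf '%s\n' "${pair#*=}"
      return 0
    fi
  done
  return 1
}

# Print the SAS fields that duplicate what the stored access policy defines.
# $1 = SAS query string
# $2 = space-separated fields set on the policy (sp=permissions, st=start, se=expiry)
# Returns 0 when the token is consistent, 1 when a field is given twice.
sas_policy_conflicts() {
  local sas="$1" policy_fields="$2" key dup=""
  sas_field "$sas" si >/dev/null || return 0   # no si=: ad hoc SAS, no policy involved
  for key in $policy_fields; do
    if sas_field "$sas" "$key" >/dev/null; then
      dup="${dup:+$dup }$key"
    fi
  done
  [ -z "$dup" ] && return 0
  printf '%s\n' "$dup"
  return 1
}

# Generate the token from the policy alone: permissions come from the policy,
# so --permissions is omitted. Arguments: container, storage account, policy name.
generate_policy_sas() {
  az storage container generate-sas \
    --name "$1" --account-name "$2" --policy-name "$3" \
    --https-only -o tsv
}

# Constructed tokens; the field layout mirrors the one echoed in the issue.
BAD_SAS='sp=rwdl&spr=https&sv=2018-03-28&si=sastestpolicy&sr=c&sig=CONSTRUCTED'
GOOD_SAS='spr=https&sv=2018-03-28&si=sastestpolicy&sr=c&sig=CONSTRUCTED'
```

For the policies created in this thread, which set only permissions, pass `sp` as the second argument; a start or expiry given on the token is then not a conflict.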
