getBlobToStream() using SAS results in a 403 error (Signature fields not well formed.)
See original GitHub issueI am running this on Mac OS X 10.11.5 and node 5.1.0. I have also ran it on Windows 8.1 with node 0.10.33 with the same results.
Code
Note the commented out block which does work when uncommented.
var azure = require('azure-storage');
var fs = require('fs');
var SasConstants = azure.Constants.AccountSasConstants;
var blobService = azure.createBlobService();
var containerName = 'containername';
var blobName = 'howtolooklikethis.jpg';
var startDate = new Date('2016-08-18 00:00:00 GMT');
var expiryDate = new Date(startDate);
expiryDate.setDate(startDate.getDate() + 1);
var sharedAccessPolicy = {
AccessPolicy: {
Permissions: azure.BlobUtilities.SharedAccessPermissions.READ + azure.BlobUtilities.SharedAccessPermissions.WRITE + azure.BlobUtilities.SharedAccessPermissions.ADD + azure.BlobUtilities.SharedAccessPermissions.CREATE,
Start: startDate,
Expiry: expiryDate,
Protocols: SasConstants.Protocols.HTTPSONLY
},
};
var token = blobService.generateSharedAccessSignature(containerName, null, sharedAccessPolicy);
console.log("Base URL:\n" + blobService.getUrl(containerName, null, token));
console.log('=================================')
console.log("SAS Token:\n" + token);
console.log('=================================')
console.log("Blob Request URL\n" + blobService.getUrl(containerName, blobName, token));
console.log('=================================')
/* This does not work */
var sasBlobService = azure.createBlobServiceWithSas(blobService.host, token);
sasBlobService.getBlobToStream(containerName, blobName, fs.createWriteStream('output'), function(error, result, response){
if (error) {
console.log(error);
} else {
console.log('Downloaded the blob ' + blobName);
}
})
/* This works*/
/*
blobService.getBlobToStream(containerName, blobName, fs.createWriteStream('output'), function(error, result, response){
if (error) {
console.log(error);
} else {
console.log('Downloaded the blob ' + blobName);
}
})
*/
Output
Base URL:
https://accountname.blob.core.windows.net/containername?st=2016-08-18T00%3A00%3A00Z&se=2016-08-19T00%3A00%3A00Z&sp=rwac&spr=https&sv=2015-12-11&sr=c&sig=SiGnAtUrE%3D
=================================
SAS Token:
st=2016-08-18T00%3A00%3A00Z&se=2016-08-19T00%3A00%3A00Z&sp=rwac&spr=https&sv=2015-12-11&sr=c&sig=SiGnAtUrE%3D
=================================
Blob Request URL
https://accountname.blob.core.windows.net/containername/howtolooklikethis.jpg?st=2016-08-18T00%3A00%3A00Z&se=2016-08-19T00%3A00%3A00Z&sp=rwac&spr=https&sv=2015-12-11&sr=c&sig=SiGnAtUrE%3D
=================================
{ [StorageError: Forbidden]
name: 'StorageError',
message: 'Forbidden',
code: 'Forbidden',
statusCode: 403,
requestId: '3e50c5fa-0001-00ca-3a6b-f90679000000' }
Output from running the GET request in an HTTP inspector
<?xml version="1.0" encoding="utf-8" ?>
<Error>
<Code>AuthenticationFailed</Code>
<Message>
Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
RequestId:607784c3-0001-00bc-186c-f982c5000000
Time:2016-08-18T16:19:15.3067478Z
</Message>
<AuthenticationErrorDetail>Signature fields not well formed.</AuthenticationErrorDetail>
</Error>
Issue Analytics
- State:
- Created 7 years ago
- Comments:6 (3 by maintainers)
Top Results From Across the Web
getBlobToStream() using SAS results in a 403 error (Signature ...
getBlobToStream() using SAS results in a 403 error (Signature fields not well formed.) ... I am running this on Mac OS X 10.11.5...
Read more >SAS token - Signature fields not well formed - Stack Overflow
403 Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
Read more >Issue while downloading blob document using account SAS ...
I am trying to download a blob file using account SAS . ... Z</Message><AuthenticationErrorDetail>Signature fields not well formed.
Read more >[PUP-10603] File Resource HTTP GET - Misuse of URL ...
Error : Could not set 'file' on ensure: Error 403 on SERVER: ´╗┐<?xml ... 34.9632157Z</Message><AuthenticationErrorDetail>Signature fields not well formed.
Read more >https://cdn.jsdelivr.net/npm/azure-storage@2.10.0/...
@param {string} [sasToken] The Shared Access Signature token. ... if an error occurs; otherwise `result` will * be true if the container exists, ......
Read more >
Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free
Top Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
You were right. Changing the permission order solved my issue. Thanks.
This article mentions the order permissions should be in.
Another problem I ran into that is unrelated is that in my HTTP inspector the URL encoded st, se, and sig fields in the generated SAS signature were causing a failure. In order to make my HTTP inspector work, I had to decode these fields.
@cocoasoda
Please refer to https://docs.microsoft.com/en-us/rest/api/storageservices/Constructing-a-Service-SAS?redirectedfrom=MSDN for allowed permission order. Such as,
Permissions for a blob
Permissions for a container