getBlobToStream() using SAS results in a 403 error (Signature fields not well formed.)

See original GitHub issue

I am running this on Mac OS X 10.11.5 and node 5.1.0. I have also run it on Windows 8.1 with node 0.10.33 with the same results.

Code

Note the commented out block which does work when uncommented.

var azure = require('azure-storage');
var fs = require('fs');
var SasConstants = azure.Constants.AccountSasConstants;

var blobService = azure.createBlobService();

var containerName = 'containername';
var blobName = 'howtolooklikethis.jpg';

var startDate = new Date('2016-08-18 00:00:00 GMT');
var expiryDate = new Date(startDate);
expiryDate.setDate(startDate.getDate() + 1);

var sharedAccessPolicy = {
  AccessPolicy: {
    Permissions: azure.BlobUtilities.SharedAccessPermissions.READ + azure.BlobUtilities.SharedAccessPermissions.WRITE + azure.BlobUtilities.SharedAccessPermissions.ADD + azure.BlobUtilities.SharedAccessPermissions.CREATE,
    Start: startDate,
    Expiry: expiryDate,
    Protocols: SasConstants.Protocols.HTTPSONLY
  },
};

var token = blobService.generateSharedAccessSignature(containerName, null, sharedAccessPolicy);

console.log("Base URL:\n" + blobService.getUrl(containerName, null, token));
console.log('=================================')
console.log("SAS Token:\n" + token);
console.log('=================================')
console.log("Blob Request URL\n" + blobService.getUrl(containerName, blobName, token));
console.log('=================================')

/* This does not work */
var sasBlobService = azure.createBlobServiceWithSas(blobService.host, token);
sasBlobService.getBlobToStream(containerName, blobName, fs.createWriteStream('output'), function(error, result, response){
    if (error) {
      console.log(error);
    } else {
      console.log('Downloaded the blob ' + blobName);
    }
})

/* This works*/
/*
blobService.getBlobToStream(containerName, blobName, fs.createWriteStream('output'), function(error, result, response){
    if (error) {
      console.log(error);
    } else {
      console.log('Downloaded the blob ' + blobName);
    }
})
*/

Output

Base URL:
https://accountname.blob.core.windows.net/containername?st=2016-08-18T00%3A00%3A00Z&se=2016-08-19T00%3A00%3A00Z&sp=rwac&spr=https&sv=2015-12-11&sr=c&sig=SiGnAtUrE%3D
=================================
SAS Token:
st=2016-08-18T00%3A00%3A00Z&se=2016-08-19T00%3A00%3A00Z&sp=rwac&spr=https&sv=2015-12-11&sr=c&sig=SiGnAtUrE%3D
=================================
Blob Request URL
https://accountname.blob.core.windows.net/containername/howtolooklikethis.jpg?st=2016-08-18T00%3A00%3A00Z&se=2016-08-19T00%3A00%3A00Z&sp=rwac&spr=https&sv=2015-12-11&sr=c&sig=SiGnAtUrE%3D
=================================
{ [StorageError: Forbidden]
  name: 'StorageError',
  message: 'Forbidden',
  code: 'Forbidden',
  statusCode: 403,
  requestId: '3e50c5fa-0001-00ca-3a6b-f90679000000' }

Output from running the GET request in an HTTP inspector

GET https://accountname.blob.core.windows.net/containername/howtolooklikethis.jpg?st=2016-08-18T00%3A00%3A00Z&se=2016-08-19T00%3A00%3A00Z&sp=rwac&spr=https&sv=2015-12-11&sr=c&sig=SiGnAtUrE%3D

<?xml version="1.0" encoding="utf-8" ?>
    <Error>
    <Code>AuthenticationFailed</Code>
    <Message>
    Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
    RequestId:607784c3-0001-00bc-186c-f982c5000000
    Time:2016-08-18T16:19:15.3067478Z
    </Message>
    <AuthenticationErrorDetail>Signature fields not well formed.</AuthenticationErrorDetail>
    </Error>

Issue Analytics

  • State: closed
  • Created 7 years ago
  • Comments: 6 (3 by maintainers)

Top GitHub Comments

1 reaction
MHolmes91 commented, Aug 19, 2016

You were right. Changing the permission order solved my issue. Thanks.

This article mentions the order permissions should be in.

Specify permissions by combining URI symbols in the signedpermissions field of your SAS URI. Permissions can be grouped to allow multiple operations to be performed with the given signature. You must include permissions in the order that they appear in the table for the resource type. For example, to grant all permissions to a container, the URI must specify sp=rwdl. To grant only read/write permissions, the URI must specify sp=rw.

Another problem I ran into that is unrelated is that in my HTTP inspector the URL encoded st, se, and sig fields in the generated SAS signature were causing a failure. In order to make my HTTP inspector work, I had to decode these fields.

0 reactions
XiaoningLiu commented, Mar 12, 2018

@cocoasoda

Please refer to https://docs.microsoft.com/en-us/rest/api/storageservices/Constructing-a-Service-SAS?redirectedfrom=MSDN for allowed permission order. Such as,

Permissions for a blob

| Permission | URI symbol | Allowed operations |
|---|---|---|
| Read | r | Read the content, properties, metadata and block list. Use the blob as the source of a copy operation. |
| Add | a | Add a block to an append blob. |
| Create | c | Write a new blob, snapshot a blob, or copy a blob to a new blob. |
| Write | w | Create or write content, properties, metadata, or block list. Snapshot or lease the blob. Resize the blob (page blob only). Use the blob as the destination of a copy operation. |
| Delete | d | Delete the blob. For version 2017-07-29 and later, the Delete permission also allows breaking a lease on a blob. See Lease Blob for more information. |

Permissions for a container

| Permission | URI symbol | Allowed operations |
|---|---|---|
| Read | r | Read the content, properties, metadata or block list of any blob in the container. Use any blob in the container as the source of a copy operation. |
| Add | a | Add a block to any append blob in the container. |
| Create | c | Write a new blob to the container, snapshot any blob in the container, or copy a blob to a new blob in the container. |
| Write | w | For any blob in the container, create or write content, properties, metadata, or block list. Snapshot or lease the blob. Resize the blob (page blob only). Use the blob as the destination of a copy operation. Note: You cannot grant permissions to read or write container properties or metadata, nor to lease a container, with a service SAS. Use an account SAS instead. |
| Delete | d | Delete any blob in the container. Note: You cannot grant permissions to delete a container with a service SAS. Use an account SAS instead. For version 2017-07-29 and later, the Delete permission also allows breaking a lease on a container. See Lease Container for more information. |
| List | l | List blobs in the container. |
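
Added example, not part of the original issue, its comments, or the azure-storage library: a pre-flight check that puts SAS permission letters into the order given in the tables above and flags a token such as the one in the issue (sp=rwac). The function names canonicalPermissions and checkSasToken are hypothetical, and only sr=b and sr=c are covered.

```javascript
// Added example. Order per resource type is taken from the tables quoted above.
const PERMISSION_ORDER = {
  b: 'racwd',  // sr=b: blob
  c: 'racwdl', // sr=c: container
};

// Return the permission letters in the order the service accepts.
// Use the result as AccessPolicy.Permissions *before* signing: sp is part of
// the signed string, so editing sp in an issued token invalidates sig.
function canonicalPermissions(perms, resource) {
  const order = PERMISSION_ORDER[resource];
  if (!order) throw new Error(`unsupported sr value '${resource}'`);
  const seen = new Set();
  for (const ch of perms) {
    if (!order.includes(ch)) {
      throw new Error(`permission '${ch}' is not valid for sr=${resource}`);
    }
    if (seen.has(ch)) throw new Error(`duplicate permission '${ch}'`);
    seen.add(ch);
  }
  return [...order].filter((ch) => seen.has(ch)).join('');
}

// Inspect a generated SAS query string and report whether sp is well ordered.
function checkSasToken(token) {
  const params = new URLSearchParams(token.replace(/^\?/, ''));
  const sp = params.get('sp');
  const sr = params.get('sr');
  if (!sp || !sr) return { ok: false, reason: 'missing sp or sr' };
  try {
    const expected = canonicalPermissions(sp, sr);
    if (sp === expected) return { ok: true, sp };
    return { ok: false, reason: `sp=${sp} is out of order`, expected };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}

// Token printed in the issue (signature is the poster's placeholder).
const issueToken = 'st=2016-08-18T00%3A00%3A00Z&se=2016-08-19T00%3A00%3A00Z' +
  '&sp=rwac&spr=https&sv=2015-12-11&sr=c&sig=SiGnAtUrE%3D';
console.log(checkSasToken(issueToken));
console.log(canonicalPermissions('rwac', 'c'));
```

Running the check on a token right after generateSharedAccessSignature() catches the ordering mistake locally instead of as a 403 from the service.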