SAS throwing "Server failed to authenticate the request"

Which service(blob, file, queue, table) does this issue concern?

Blob

Which version of the Azurite was used?

3.8.0

Package            Version
------------------ ---------
azure-core         1.7.0
azure-storage-blob 12.3.2
certifi            2020.6.20
cffi               1.14.1
chardet            3.0.4
cryptography       3.0
idna               2.10
isodate            0.6.0
msrest             0.6.17
oauthlib           3.1.0
pip                20.1.1
pycparser          2.20
requests           2.24.0
requests-oauthlib  1.3.0
setuptools         46.4.0
six                1.15.0
urllib3            1.25.10
wheel              0.34.2

Where do you get Azurite? (npm, DockerHub, NuGet, Visual Studio Code Extension)

DockerHub

What problem was encountered?

Server failed to authenticate the request. Make sure the value of the Authorization header is formed correctly including the signature.

Steps to reproduce the issue?

version: '3'

services:
  azurite:
    image: mcr.microsoft.com/azure-storage/azurite
    ports:
    - 10000:10000
    - 10001:10001
    volumes:
    - ./data:/data

from datetime import datetime, timedelta

from azure.storage.blob import BlobServiceClient

connection_string = "DefaultEndpointsProtocol=http;" \
          "AccountName=devstoreaccount1;" \
          "AccountKey=Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==;" \
          "BlobEndpoint=http://127.0.0.1:10000/devstoreaccount1;"
blob_service_client = BlobServiceClient.from_connection_string(connection_string)

# Instantiate a ContainerClient
container_client = blob_service_client.get_container_client("myaccesscontainer")

try:
    # Create new Container
    container_client.create_container()

    # [START set_container_access_policy]
    # Create access policy
    from azure.storage.blob import AccessPolicy, ContainerSasPermissions
    access_policy = AccessPolicy(permission=ContainerSasPermissions(read=True,
                                                                    write=True,
                                                                    list=True,
                                                                    delete=True),
                                 expiry=datetime.utcnow() + timedelta(hours=24),
                                 start=datetime.utcnow() - timedelta(minutes=24))

    identifiers = {'test': access_policy}

    # Set the access policy on the container
    container_client.set_container_access_policy(signed_identifiers=identifiers)
    # [END set_container_access_policy]

    # [START get_container_access_policy]
    policy = container_client.get_container_access_policy()
    # [END get_container_access_policy]

    # [START generate_sas_token]
    # Use access policy to generate a sas token
    from azure.storage.blob import generate_container_sas

    sas_token = generate_container_sas(
        container_client.account_name,
        container_client.container_name,
        account_key=container_client.credential.account_key,
        policy_id='my-access-policy-id'
    )
    # [END generate_sas_token]

    # Use the sas token to authenticate a new client
    # [START create_container_client_sastoken]
    from azure.storage.blob import ContainerClient
    container = ContainerClient.from_container_url(
        container_url=f"http://127.0.0.1:10000/{container_client.account_name}/{container_client.container_name}",
        credential=sas_token
    )

    # Listing blobs with the SAS-authenticated client is the call that fails
    list_containers = list(container.list_blobs())
except Exception as error:
    # Print the service error before re-raising it
    print(error)
    raise

Have you found a mitigation/solution?

No

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 6 (3 by maintainers)

Top GitHub Comments

1 reaction
blueww commented, Jul 28, 2020

@jddsc

From the debug log, it looks like the access policy my-access-policy-id used to generate the SAS does not exist on the container.

2020-07-28T09:13:32.200Z 762925f4-b62f-46a1-95ac-9455f0045ff8 warn: BlobSASAuthenticator:validate() Cannot get access policy defined for container myaccesscontainer with id my-access-policy-id.

From your test code, it seems you create an access policy with the name test, but generate the SAS with policy_id my-access-policy-id.

identifiers = {'test': access_policy}

sas_token = generate_container_sas(
    container_client.account_name,
    container_client.container_name,
    account_key=container_client.credential.account_key,
    policy_id='my-access-policy-id'
)

Please use the access policy with policy_id test to generate the SAS, and see if this issue can be fixed.
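
Added example, not part of the GitHub thread or of Azurite's code: a pre-flight check for the mismatch diagnosed above, comparing the `si` (signed identifier) field of a SAS token with the policy ids set on the container, plus a matcher for the Azurite debug-log warning. The function names and the sample token are constructed for illustration; the log line is the one quoted in the comment.

```python
import re
from urllib.parse import parse_qs

# Azurite debug-log warning for a SAS that names an unknown stored access policy.
MISSING_POLICY = re.compile(
    r"BlobSASAuthenticator:validate\(\) Cannot get access policy defined "
    r"for container (?P<container>\S+) with id (?P<policy_id>\S+?)\.?$"
)

# Constructed sample token (placeholder version and signature, not a real SAS).
SAMPLE_SAS = "sv=2019-12-12&si=my-access-policy-id&sr=c&sig=CONSTRUCTED"
# Log line as quoted in the maintainer's comment.
SAMPLE_LOG = (
    "2020-07-28T09:13:32.200Z 762925f4-b62f-46a1-95ac-9455f0045ff8 warn: "
    "BlobSASAuthenticator:validate() Cannot get access policy defined for "
    "container myaccesscontainer with id my-access-policy-id."
)


def sas_policy_id(sas_token):
    """Return the stored access policy id (`si`) the token references, or None."""
    values = parse_qs(sas_token.lstrip("?")).get("si")
    return values[0] if values else None


def check_sas_policy(sas_token, defined_ids):
    """Compare the token's `si` with the policy ids set on the container."""
    policy_id = sas_policy_id(sas_token)
    if policy_id is None:
        return "no stored access policy referenced"
    if policy_id not in defined_ids:
        return f"policy '{policy_id}' is not defined; container has {sorted(defined_ids)}"
    return "ok"


def missing_policies(log_lines):
    """Extract (container, policy_id) pairs from Azurite debug-log warnings."""
    hits = []
    for line in log_lines:
        match = MISSING_POLICY.search(line.strip())
        if match:
            hits.append((match["container"], match["policy_id"]))
    return hits


if __name__ == "__main__":
    # The issue's script defines only the policy id 'test' on the container.
    print(check_sas_policy(SAMPLE_SAS, {"test"}))
    print(missing_policies([SAMPLE_LOG]))
```

In the issue's script, the defined ids are the keys of the `identifiers` dict passed to `set_container_access_policy`.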

0 reactions
blueww commented, Jul 29, 2020

@jddsc

For the Python SDK sample problem, we might not be the best people to follow up on it. Would you like to open an issue in https://github.com/Azure/azure-sdk-for-python, and the related team will follow up on it?

And for this issue, as you have got it resolved, would you like to close it? Feel free to contact us again if you need further assistance on Azurite.
