Getting a blob content using user delegation SAS created using user delegation key

  • Question

  • I have created an AAD app as per https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-app.
    The access is given to the Azure storage account for the AAD app created.
    Got the client ID and client secret.
    To create a user delegation key and user delegation SAS, I am using the approach and code as defined in
    https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-user-delegation-sas-create-dotnet.
    (I set the environment variables as mentioned in the article.)

    I am able to generate the user delegation key using the method GetUserDelegationSasBlob.
    The container and blob file already exist.

    Now I am using the method ReadBlobWithSasAsync to read the contents of the blob using the SAS URI generated above.
    But I get the error below.

    >>>>>
    This request is not authorized to perform this operation using this permission.
    RequestId:5d127eaf-101e-00be-6666-6a3875000000
    Time:2019-09-13T19:04:15.4109144Z
    Status: 403 (This request is not authorized to perform this operation using this permission.)

    ErrorCode: AuthorizationPermissionMismatch
    <<<<<

    In another approach, I am generating the user delegation key using the REST API.
    https://docs.microsoft.com/en-us/rest/api/storageservices/get-user-delegation-key

    I am able to get the user delegation key in XML format.
    I am creating the SAS from it as per the steps in
    https://docs.microsoft.com/en-us/rest/api/storageservices/create-user-delegation-sas

    For the signature, I am using this code, with StringToSign and the secret value as received from the delegation key.

        var encoding = new System.Text.ASCIIEncoding();
        byte[] keyByte = encoding.GetBytes(secret);
        byte[] messageBytes = encoding.GetBytes(ToSign);
        using (var hmacsha256 = new HMACSHA256(keyByte))
        {
            byte[] hashmessage = hmacsha256.ComputeHash(messageBytes);
            String sig = Convert.ToBase64String(hashmessage);
        }

    I am doing the GET request.
    I have tried various sets of parameter values, like:

    sr: b and c
    sks: b and c
    sp: racwd and r and rw and a few more

    skv and sv are 2018-11-09 because this version is required for creating the user delegation key.

    But the GET API returns the error.

    <?xml version="1.0" encoding="utf-8"?>
    <Error>
        <Code>AuthenticationFailed</Code>
        <Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
    RequestId:e4bc8f0f-d01e-0046-7367-6af368000000
    Time:2019-09-13T19:12:27.7780695Z</Message>
        <AuthenticationErrorDetail>Signature fields not well formed.</AuthenticationErrorDetail>
    </Error>
    Friday, September 13, 2019 7:24 PM
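
The signing step from the question, as an added example that is not part of the original post or the Microsoft sample: the Azure Storage SDKs Base64-decode the delegation key's value before using it as the HMAC key and UTF-8 encode the string-to-sign, and the Base64 signature is then percent-encoded for the `sig` query parameter. The class and method names, the sample key and the sample string-to-sign are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class UserDelegationSasSignature
{
    // HMAC-SHA256 over the UTF-8 bytes of the string-to-sign, Base64-encoded.
    static string Hmac(byte[] key, string stringToSign)
    {
        using (var hmac = new HMACSHA256(key))
        {
            byte[] hash = hmac.ComputeHash(Encoding.UTF8.GetBytes(stringToSign));
            return Convert.ToBase64String(hash);
        }
    }

    // keyValue is the <Value> element of the Get User Delegation Key response.
    // It is Base64 text, so it is decoded to raw bytes before use as the HMAC key.
    public static string Sign(string keyValue, string stringToSign)
    {
        return Hmac(Convert.FromBase64String(keyValue), stringToSign);
    }

    // For comparison only: the key text used as ASCII bytes, as in the snippet above.
    public static string SignWithKeyTextAsAscii(string keyValue, string stringToSign)
    {
        return Hmac(Encoding.ASCII.GetBytes(keyValue), stringToSign);
    }

    // Base64 output can contain '+', '/' and '='; percent-encode it for the sig parameter.
    public static string ToQueryValue(string signature)
    {
        return Uri.EscapeDataString(signature);
    }

    static void Main()
    {
        // Constructed sample inputs: not a real delegation key or string-to-sign.
        string keyValue = Convert.ToBase64String(
            Encoding.UTF8.GetBytes("constructed-demo-key-material-32"));
        string stringToSign = "constructed-field-1\nconstructed-field-2\nconstructed-field-3";

        string decoded = Sign(keyValue, stringToSign);
        string ascii = SignWithKeyTextAsAscii(keyValue, stringToSign);
        Console.WriteLine("Base64-decoded key: " + decoded);
        Console.WriteLine("ASCII key text:     " + ascii);
        Console.WriteLine("Signatures match:   " + (decoded == ascii));
        Console.WriteLine("sig=" + ToQueryValue(decoded));
    }
}
```

This covers only the signing step; the field order of the string-to-sign comes from the Create a user delegation SAS reference linked in the question.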

All replies

  • Per the following message you received: This request is not authorized to perform this operation using this permission.
    RequestId:5d127eaf-101e-00be-6666-6a3875000000
    Time:2019-09-13T19:04:15.4109144Z
    Status: 403 (This request is not authorized to perform this operation using this permission.)

    It looks like in the delegation process, you did not choose the specific role to allow through SAS, whether read, write, etc. permissions. Is it possible to ensure and verify that a specific action access is chosen?

    Thanks,

    Adam

    Monday, September 16, 2019 10:34 PM
    Moderator
  • If the issue still persists, there is a similar thread discussion on SO; please refer to the suggestion mentioned and let us know the status.

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue.

    Monday, September 23, 2019 7:20 AM
    Moderator
  • Just checking in to see if the above answer helped. If this answers your query, do click “Mark as Answer” and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
    Friday, September 27, 2019 9:07 AM
    Moderator