Generating a SAS token for a blob storage container (Powershell)

  • Question

  • After looking at the docs it seemed very straightforward, and I got to the point where I have this line:
    az storage container generate-sas --name "container_name" --connection-string "storage_account_connection_string" --https-only --permissions "w" --expiry "2019-6-20T00:00Z"

    This line results in me getting a SAS token, but when I look in the portal I cannot confirm one was indeed created.

    When I try to use azcopy to indeed confirm this by using:
    azcopy copy "file_path" "https://storage_account_name.blob.core.windows.net/container_name?SAS"

    I indeed get:
    Authentication failed, it is either not correct, or expired, or does not have the correct permission.

    AuthenticationErrorDetail: se is mandatory. Cannot be empty
       Code: AuthenticationFailed

    RESPONSE Status: 403 Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.

    I guess I'm missing something basic but I cannot figure out what.
    Sunday, June 9, 2019 8:34 PM

Answers

  • 403 means there is something wrong with your SAS token or shared key. You can use storage explorer to generate SAS with the same configuration and see if it works.

    https://docs.microsoft.com/en-us/rest/api/storageservices/authentication-for-the-azure-storage-services

    If I use Y-m-d'T'H:M:S'Z' instead (%Y-%m-%dT%H:%M:%SZ in strftime) it works correctly.

    You may also refer to the suggestion mentioned in this GitHub link

    Generates an SAS token for an Azure storage container using PowerShell.

    az storage container generate-sas using CLI

    $now=get-date
    
    $StorageContext = New-AzureStorageContext -StorageAccountName 'blo**rage18' -StorageAccountKey '8e6fNXZtVWE2FD2G***rVmVKpAR4i***ZM/860ppOEdvegwXP3KeiCR0Hgo/7ZoMTmZw=='
    
    $container = Get-AzureStorageContainer -Name test -context $storageContext
    
    #New-AzureStorageContainerSASToken -Name blobstorage18 -Context $storageContext -Permission rwl -StartTime $now.AddHours(-1) -ExpiryTime $now.AddMonths(1)
    
    #I believe the problem is because you're specifying the URL in SAS Token
    
    $context = New-AzureStorageContext -StorageAccountName 'blo**rage18' -SASToken "st=2019-06-25T19%3A57%*****key"


    Kindly let us know if the above helps or you need further assistance on this issue.

    ------------------------------------------------------------------------------------------

    Do click on "Mark as Answer" on the post that helps you, this can be beneficial to other community members

    Monday, June 10, 2019 5:07 AM

All replies

  • I tried creating a SAS via the storage explorer, it worked fine (kinda):
    I created a token with read,add,create,write,delete,list permissions and in the token I received I can indeed confirm this as it includes "sp=racwdl". However, in the portal I see this token as read,list only (which is odd).
    I did try to copy using azcopy with this token and it was indeed successful, so this is just a portal bug I guess.

    Anyway, this indicates that the problem is with the az cli, which seems to generate a bad token / does not register the token.
    I did try to add seconds, i.e., my command was:
    az storage container generate-sas --name "input" --connection-string $cs --permissions "rwdl" --expiry "2019-6-20T00:00:00Z"
    but this did not help.

    I can confirm, however, that if I try to create a SAS for a specific blob inside my container via:

    az storage blob generate-sas --container-name "input" --name "product.csv" --connection-string $cs --https-only --permissions "a" --expiry "2019-6-20T00:00:00Z"

    I get a valid token (I can use it with the url, i.e., url?SAS, to download the file.)

    I did try PS and again I ended up in the same place: I get a token but it does not work, nor does it appear in the portal.
    • Edited by LironLevy Monday, June 10, 2019 3:41 PM
    Monday, June 10, 2019 3:25 PM
  • Honestly, I'm not sure what happened, but it is working now.

    My command to generate the SAS token is:
    az storage container generate-sas --name "test" --connection-string $cs --https-only --permissions "wr" --expiry "2019-6-20T00:00:00Z"

    which seems to work; however, I am still not able to see the SAS token in the Access policy tab in my container options.
    Monday, June 10, 2019 3:57 PM
  • Thanks for the update! If you still find any issue, please feel free to contact us anytime.
    If this answers your query, do click “Mark as Answer” and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
    Tuesday, June 11, 2019 4:46 AM
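
Added example, not part of any post in this thread: a service SAS is signed locally with the account key and carries its expiry (se) and permissions (sp) in the query string, so those fields can be inspected before the token is handed to azcopy. Test-SasToken is a hypothetical helper name, and the sample tokens and the set of accepted se formats are assumptions made for the example.

```powershell
# Added example. Test-SasToken is a hypothetical helper, not an Az cmdlet.
function Test-SasToken {
    param(
        [Parameter(Mandatory)] [string] $Token,
        [datetime] $Now = [datetime]::UtcNow
    )

    # Split the query string into fields; tolerate a leading "?".
    $fields = @{}
    foreach ($pair in ($Token.TrimStart('?') -split '&' | Where-Object { $_ })) {
        $name, $value = $pair -split '=', 2
        $fields[$name] = [uri]::UnescapeDataString([string]$value)
    }

    $problems = @()
    # Without a stored access policy (si), expiry and permissions must be in the token.
    $required = @('sv', 'sr', 'sig')
    if (-not $fields.ContainsKey('si')) { $required += 'se', 'sp' }
    foreach ($key in $required) {
        if ([string]::IsNullOrEmpty($fields[$key])) { $problems += "missing or empty '$key'" }
    }

    # Assumption: se should be zero-padded ISO 8601 UTC, as in the answer's strftime pattern.
    $formats = [string[]]@("yyyy-MM-dd'T'HH:mm:ss'Z'", "yyyy-MM-dd'T'HH:mm'Z'", 'yyyy-MM-dd')
    $styles  = [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
    $expiry  = [datetime]::MinValue
    if ($fields['se']) {
        $parsed = [datetime]::TryParseExact($fields['se'], $formats,
            [cultureinfo]::InvariantCulture, $styles, [ref]$expiry)
        if (-not $parsed) { $problems += "se '$($fields['se'])' is not zero-padded ISO 8601 UTC" }
        elseif ($expiry -le $Now) { $problems += "expired at $($expiry.ToString('u'))" }
    }

    [pscustomobject]@{
        Valid       = ($problems.Count -eq 0)
        Permissions = $fields['sp']
        Expiry      = $fields['se']
        Problems    = $problems
    }
}

# Constructed sample tokens (the signature is a placeholder, not a real one).
$good = 'sv=2018-03-28&sr=c&sp=racwdl&se=2019-06-20T00%3A00%3A00Z&sig=PLACEHOLDER'
$bad  = '?sv=2018-03-28&sr=c&sp=w&se=&sig=PLACEHOLDER'
Test-SasToken -Token $good -Now ([datetime]'2019-06-10')
Test-SasToken -Token $bad  -Now ([datetime]'2019-06-10')
```

The second sample reproduces the condition behind "se is mandatory. Cannot be empty"; the check does not verify the signature, which only the storage service can do.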