
I have created an Azure storage account. I have created file storage. I have generated a SAS token. When I try to access a file using the SAS token, it shows the error "The remote server returned an error: (403) Forbidden."

I am able to generate the SAS token. When I try to access a file in file storage, it throws an exception. I have tried to copy and paste the URL into a browser, and it throws this error:

    <Error>
        <Code>AuthorizationResourceTypeMismatch</Code>
        <Message>
            This request is not authorized to perform this operation using this resource type.
            RequestId:4cbc0cbe-401a-00c2-2edf-202bc4000000
            Time:2019-06-12T05:26:39.4816687Z
        </Message>
    </Error>

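Code I am using to generate the SAS token:

    static string GetAccountSASToken()
    {
        // Account SAS policy: Read, Write and List on the File service,
        // HTTPS only, valid for 24 hours.
        SharedAccessAccountPolicy policy = new SharedAccessAccountPolicy()
        {
            Permissions = SharedAccessAccountPermissions.Read |
                          SharedAccessAccountPermissions.Write |
                          SharedAccessAccountPermissions.List,
            Services = SharedAccessAccountServices.File,
            ResourceTypes = SharedAccessAccountResourceTypes.Service,
            SharedAccessExpiryTime = DateTime.UtcNow.AddHours(24),
            Protocols = SharedAccessProtocol.HttpsOnly
        };

        // Assumption: storageAccount is the CloudStorageAccount for this account;
        // the post does not show how it is created or how the token is returned.
        return storageAccount.GetSharedAccessSignature(policy);
    }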

Code I am using to access the file:

    XDocument objdoc = XDocument.Load(filepath + sasToken);

After loading the file into an XDocument I have to perform some read and write operations. Please help me find the mistake that I am making.

user3404686

2 Answers


I was encountering the same problem, and the solution from user3404686 (2019-07-13) is correct. After the fact it's much clearer, but when it's still a problem without resolution it can be baffling.

Resource types are authorised independently of each other, rather than there being a hierarchy, i.e. 'service' does not include 'container' and 'object' authorisations (which was my misunderstanding).

The storageservices API documentation describes how resource type permissions are assigned:

  • Service (s): Access to service-level APIs (e.g., Get/Set Service Properties, Get Service Stats, List Containers/Queues/Tables/Shares)
  • Container (c): Access to container-level APIs (e.g., Create/Delete Container, Create/Delete Queue, Create/Delete Table, Create/Delete Share, List Blobs/Files and Directories)
  • Object (o): Access to object-level APIs for blobs, queue messages, table entities, and files (e.g. Put Blob, Query Entity, Get Messages, Create File, etc.)

Further down in the same document, it provides examples of the service, resource type and permissions required for various operations that you may be using, allowing minimum-required-permissions granularity with regard to assigning permissions to a service using the SAS token.

After understanding this, the error code AuthorizationResourceTypeMismatch makes more sense: the resource type(s) the SAS token is authorised for do not match the resource types you're attempting to access.

MikeP

In SharedAccessAccountPolicy I have changed

    ResourceTypes = SharedAccessAccountResourceTypes.Service

to

    ResourceTypes = SharedAccessAccountResourceTypes.Object

Then it's working for me.

user3404686
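
The mismatch both answers describe can be confirmed offline by reading the token's own query fields. The following is an added example, not code from the question or the answers: it parses an account SAS string and reports which of `ss`, `srt` and `sp` fails to cover a File service operation. The class name, the operation table and the sample tokens are constructed for illustration, and the signature is a placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

static class AccountSasCheck
{
    // Operation -> required ss (service), srt (resource type), sp (permission) letters.
    // Levels follow the list quoted in the answer above; r/w/l = Read/Write/List.
    static readonly Dictionary<string, string> Required = new Dictionary<string, string>
    {
        ["List Shares"] = "fsl",
        ["List Files and Directories"] = "fcl",
        ["Get File"] = "for",
        ["Put Range"] = "fow",
    };

    // Split "?k=v&k=v" into a case-insensitive dictionary with URL-decoded values.
    static Dictionary<string, string> Parse(string sas) =>
        sas.TrimStart('?').Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries)
           .Select(p => p.Split(new[] { '=' }, 2))
           .ToDictionary(kv => kv[0], kv => kv.Length > 1 ? Uri.UnescapeDataString(kv[1]) : "",
                         StringComparer.OrdinalIgnoreCase);

    // Returns the SAS fields that do not cover the operation (empty list = covered).
    public static List<string> Missing(string sas, string operation)
    {
        var q = Parse(sas);
        string need = Required[operation];
        string Get(string k) => q.TryGetValue(k, out var v) ? v : "";
        var missing = new List<string>();
        if (!Get("ss").Contains(need[0])) missing.Add("ss (service)");
        if (!Get("srt").Contains(need[1])) missing.Add("srt (resource type)");
        if (!Get("sp").Contains(need[2])) missing.Add("sp (permission)");
        return missing;
    }

    static void Main()
    {
        // Constructed tokens with a placeholder signature; only the srt field differs.
        string asPosted = "?sv=2018-03-28&ss=f&srt=s&sp=rwl&se=2019-06-13T05%3A26%3A39Z&spr=https&sig=PLACEHOLDER";
        string corrected = asPosted.Replace("srt=s", "srt=o");
        foreach (var sas in new[] { asPosted, corrected })
            foreach (var op in Required.Keys)
            {
                var m = Missing(sas, op);
                string verdict = m.Count == 0 ? "ok" : "denied: " + string.Join(", ", m);
                Console.WriteLine($"srt={Parse(sas)["srt"]}  {op,-27} {verdict}");
            }
    }
}
```

With `srt=s` only the share listing is covered, which matches the AuthorizationResourceTypeMismatch on the file read. A token limited to `srt=o` covers the file read and write without also granting share-level or directory-level listing.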