4

After a few days fighting with this issue I have decided to post it here in case someone can help out by giving me some pointers.

I have an Azure Storage Account with a Blob container with encrypted images. The images have been uploaded via PUT request (from a browser) to the Azure Blob Storage REST API, using SAS signature (generated by an Azure VM) and customer provided keys (x-ms-encryption headers). However, when trying to download the images from the Azure VM with a GET request (using curl), I get the following 403 "AuthorizationFailure" error:

<?xml version="1.0" encoding="utf-8”?>
<Error>
  <Code>AuthorizationFailure</Code>
  <Message>
    This request is not authorized to perform this operation.
    RequestId:1b203db6-c01e-0013-1553-6adb9b000000
    Time:2020-08-04T11:33:42.9494992Z
  </Message>
</Error>

Funny thing though, when I perform exactly the same GET request (exactly the same headers) with curl, Postman or the browser from my own local machine and even from other Azure VMs located in different resource groups and different virtual networks, it works as expected and I can successfully download the encrypted image. This confirms that the SAS signature and the headers passed are correctly constructed.

I have reviewed all the configuration of the VM, Network Security Group, Virtual Network and Storage Account in the Azure Portal and compared it with the other VMs that successfully download the images, and all the settings are exactly the same except for:

  1. In the VM that fails to download the image, I'm authorized as a contributor for that VM's resource group only, while in the VM that works I'm the owner of the account.

  2. In the account where I am the owner, Azure has created a new resource group called NetworkWatcherRG, which seems to have no resources attached to it. In the VM that has the problem I do not have access to that resource group, so I ignore whether it has been created by Azure or not, and whether it has any impact on the problem I'm facing.

I would really appreciate any ideas or suggestions on what the issue might be.

rostow
  • 41
  • 1
  • 5
  • I think might be issue at when you are sending request through c# code may be headers are not set correctly. Could you share your code so we could help you in much better.. way. – Sarthak Vijayvergiya Aug 04 '20 at 14:36

0 Answers0