
I am debugging a client application that calls a REST API with an embedded Azure Storage SAS (shared access signature) to access an Azure storage resource. However, it is not getting through. Azure threw an error stating that the mandatory header is missing, and aborted the operation.

The REST API is fairly simple, although it is embedded with the SAS token generated by the Azure storage account. The client application uses the REST API to write data into an Azure blob.

Is there anywhere I can find a good example showing how to generate the header for the REST API (SAS)? I need to find out the exact layout of the header (such as the type of information that needs to be embedded in the header).

Also, do I need to register my client application with the Azure AD?

I didn't think my client application needs to be registered with Azure, since that is why we have client-side SAS. But I could be wrong. Therefore, any input will be appreciated.

Thanks in advance.

Joy
MIkey
  • Could you please provide the error message? – Jim Xu Jan 10 '21 at 14:09
  • Here is a copy of the returned error message: I got an error: AuthenticationFailedServer failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. RequestId:f984f06a-5002-0048-770f-e911f6000000 Time:2021-01-12T18:22:17.0563660Z – MIkey Jan 12 '21 at 19:06
  • The client is configured to use a shared access signature (SAS) to upload data to the Azure storage table. Microsoft documentation specified that the client needs to provide an authorization header in order to use SAS. For constructing the authorization header, the client needs to use the storage account access key to generate the HMAC-SHA code. What am I missing here? I thought the whole idea of using SAS is to protect the account key. What am I missing here? – MIkey Jan 12 '21 at 19:09

1 Answer


If you use a SAS token to call the Azure Blob REST API, the request URL should be like

https://myaccount.blob.core.windows.net/<container>/<blob>?<sastoken>

For example

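# Fill in the storage account name and key
$accountName=""
$accountKey=""
$containerName="output"
$blobName="test.txt"

# Generate an account SAS token for the Blob service from the account key
$context= New-AzStorageContext -StorageAccountName $accountName -StorageAccountKey $accountKey
$sas = New-AzStorageAccountSASToken -Service Blob -ResourceType Service,Container,Object -Permission "rwdlacx" -Context $context

$body = "Hello"

# Put Blob requires the x-ms-blob-type header; no Authorization header is sent with a SAS
$headers=@{"x-ms-blob-type"="BlockBlob"; "Content-Type"="text/plain"}

# The token may or may not start with "?" depending on the Az.Storage version, so normalize it
$url="https://$accountName.blob.core.windows.net/$containerName/$blobName" + "?" + $sas.TrimStart('?')

Invoke-WebRequest -Uri $url -Method Put -Headers $headers -Body $body -UseBasicParsing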


Jim Xu
  • Thanks for the hint. I did some research to find out if there is any client-side Python library that I can use to access a remote Azure blob resource. It is as if all the Microsoft client libraries are configured to use a connection string to access Azure storage resources? Is there any alternative (without using a connection string)? Thanks in advance. – MIkey Jan 15 '21 at 01:02
  • @MIkey You can also use a SAS token. Please refer to https://github.com/Azure/azure-sdk-for-python/blob/master/sdk/storage/azure-storage-blob/samples/blob_samples_authentication.py#L80 – Jim Xu Jan 15 '21 at 02:33
  • Appreciate the information. I will definitely dive into it. – MIkey Jan 15 '21 at 03:38
  • @ Jim: I did some research. It seems that it is much easier to use the connection string to program the client to access the remote azure blob. However, I have to create the connection string on a per storage account basis? – MIkey Jan 15 '21 at 21:13
  • @MIkey please refer to https://learn.microsoft.com/en-us/azure/storage/common/storage-configure-connection-string#configure-a-connection-string-for-an-azure-storage-account – Jim Xu Jan 17 '21 at 05:17
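
As an added example (not part of the original question or answer, and not Microsoft's code), the Python sketch below checks a SAS-authorized Put Blob request before it is sent: the SAS fields in the query string, the `x-ms-blob-type` header used in the answer, and the absence of an `Authorization` header. The helper names `parse_expiry` and `preflight_put_blob`, the sample URL and its `sig` value are constructed for illustration.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Constructed sample: account, container, blob and sig are placeholders.
SAMPLE_URL = ("https://myaccount.blob.core.windows.net/output/test.txt"
              "?sv=2019-12-12&ss=b&srt=sco&sp=rwdlacx"
              "&se=2021-01-20T00:00:00Z&sig=PLACEHOLDER")
SAMPLE_HEADERS = {"x-ms-blob-type": "BlockBlob", "Content-Type": "text/plain"}
EXPIRY_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")


def parse_expiry(value):
    """Parse the SAS 'se' field (UTC); return None if the form is not recognized."""
    for fmt in EXPIRY_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def preflight_put_blob(url, headers, now=None):
    """Hypothetical helper: list problems with a SAS-authorized Put Blob request."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    sas = {k: v[0] for k, v in parse_qs(parts.query).items()}
    names = {h.lower() for h in headers}
    problems = []
    if parts.scheme != "https":
        problems.append("URL is not https, so the SAS token is exposed in transit")
    for field in ("sv", "se", "sp", "sig"):
        if field not in sas:
            problems.append(f"SAS field '{field}' missing from the query string")
    if "se" in sas:
        expiry = parse_expiry(sas["se"])
        if expiry is None:
            problems.append("SAS expiry 'se' is not a recognized UTC timestamp")
        elif expiry <= now:
            problems.append(f"SAS expired at {sas['se']}")
    if "sp" in sas and not set("wc") & set(sas["sp"]):
        problems.append("SAS permissions 'sp' lack write (w) or create (c)")
    if "x-ms-blob-type" not in names:
        problems.append("mandatory header x-ms-blob-type is missing")
    if "authorization" in names:
        problems.append("Authorization header present; a SAS is carried in the URL")
    return problems


if __name__ == "__main__":
    print(preflight_put_blob(SAMPLE_URL, SAMPLE_HEADERS))
```

An empty list means the request has the shape shown in the answer; the signature itself can only be validated by the storage service.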