2

Our application server is rejected by the storage account.

We generated the correct SAS token and we can reach the container locally (Docker, IntelliJ, Postman).

  • The WebApp and the Storage Account are in the same location (Germany West Central UTC+2).
  • We have a standard subscription/plan.
  • We set containers to public.
  • We set the IP address in the firewall.
  • We use the Azure SDK for Java.

We try to call the Blob service.

We got an error message when the app runs on the Azure servers.

com.azure.storage.blob.models.BlobStorageException at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance

If you are using a SAS token, and the server returned an error message that says 'Signature did not match', you can compare the string to sign with the one generated by the SDK. To log the string to sign, pass in the context key value pair 'Azure-Storage-Log-String-To-Sign': true to the appropriate generateSas method call.
Please remember to disable 'Azure-Storage-Log-String-To-Sign' before going to production as this string can potentially contain PII.
Status code 403, "<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationFailure</Code><Message>This request is not authorized to perform this operation.
RequestId:959d813f-601e-0057-262f-4351a4000000
Time:2021-05-07T10:53:45.0157340Z</Message></Error>"

Update
https://i.stack.imgur.com/Hs2Cf.png

UPDATE

We set the time zone to UTC-0. It solved our problem. The server runs in the UTC-0 time zone.

geri100
  • 1
    Most likely this error is coming because of the firewall rules. Because of that, your WebApp is not allowed to access your storage account. – Gaurav Mantri May 07 '21 at 11:46
  • I added a picture of my firewall settings in Storage Account. – geri100 May 07 '21 at 11:57
  • 1
    Oh, so you don't have any firewall rules defined. Just to confirm, you can access the same storage account using the SAS URL from local? Can you share the SAS URL? Just obfuscate account name, container name and sig portion of your SAS URL. – Gaurav Mantri May 07 '21 at 12:00
  • ?sv=2020-02-10&ss=bfqt&srt=sco&sp=rwdlacupx&se=2026-05-07T18:36:25Z&st=2021-05-07T08:35:25Z&sip=0.0.0.0-255.255.255.255&spr=https,http&sig=********** – geri100 May 07 '21 at 12:05
  • Yes, we reached the containers with the SAS URL with Postman and Chrome, but when we deployed the service into Azure we get the exceptions. @GauravMantri – geri100 May 07 '21 at 12:16
  • 1
    Your SAS token looks fine. Can you answer my other questions? – Gaurav Mantri May 07 '21 at 12:17
  • Yes, we can access the same storage from local. @GauravMantri – geri100 May 07 '21 at 12:25
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/232079/discussion-between-geri100-and-gaurav-mantri). – geri100 May 07 '21 at 12:33
  • 2
    May I know how your app service gets this SAS token? – Stanley Gong May 10 '21 at 02:15
  • Unfortunately, I didn't reproduce your error. You could have a look at this: https://github.com/Azure/azure-sdk-for-java/issues/20193 – Doris Lv May 12 '21 at 08:31

2 Answers

1

We set the time zone to UTC-0. It solved our problem. The server runs in the UTC-0 time zone.

geri100
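
As an added example (not code from the question, the answer or the Azure SDK), this plain-Java check parses the SAS fields posted in the comments, evaluates the `st`/`se` window against a UTC instant, and reports the broad `sip`, `spr` and lifetime settings. The class name, the constructed wall-clock reading and the `PLACEHOLDER` signature are assumptions; it shows how one wall-clock reading maps to different instants depending on the zone, not a confirmed root cause of the 403 above.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.time.*;
import java.util.*;

public class SasWindowCheck {
    // Split a SAS query string into its fields (st, se, sip, spr, ...).
    static Map<String, String> parse(String sas) {
        Map<String, String> fields = new LinkedHashMap<>();
        for (String pair : sas.replaceFirst("^\\?", "").split("&")) {
            String[] kv = pair.split("=", 2);
            fields.put(kv[0], kv.length > 1 ? URLDecoder.decode(kv[1], StandardCharsets.UTF_8) : "");
        }
        return fields;
    }

    // st and se are UTC instants, so compare them with an Instant, never a local time.
    static List<String> audit(Map<String, String> f, Instant now) {
        List<String> findings = new ArrayList<>();
        Instant se = Instant.parse(f.get("se"));
        Instant st = f.containsKey("st") ? Instant.parse(f.get("st")) : null;
        if (st != null && now.isBefore(st))
            findings.add("not valid yet: st is " + Duration.between(now, st) + " after the clock");
        if (!now.isBefore(se))
            findings.add("expired: se was " + se);
        if (st != null && Duration.between(st, se).toDays() > 365)
            findings.add("lifetime exceeds one year");
        if ("0.0.0.0-255.255.255.255".equals(f.get("sip")))
            findings.add("sip covers every IPv4 address, so it restricts nothing");
        if (Arrays.asList(f.getOrDefault("spr", "").split(",")).contains("http"))
            findings.add("spr permits plain HTTP, exposing the token in transit");
        return findings;
    }

    public static void main(String[] args) {
        // Token fields as posted in the comments; sig replaced by a placeholder.
        String sas = "?sv=2020-02-10&ss=bfqt&srt=sco&sp=rwdlacupx&se=2026-05-07T18:36:25Z"
                   + "&st=2021-05-07T08:35:25Z&sip=0.0.0.0-255.255.255.255&spr=https,http&sig=PLACEHOLDER";
        Map<String, String> fields = parse(sas);
        // Constructed wall-clock reading, interpreted in two different zones.
        LocalDateTime wallClock = LocalDateTime.of(2021, 5, 7, 9, 0);
        for (ZoneId zone : List.of(ZoneOffset.UTC, ZoneId.of("Europe/Berlin"))) {
            Instant now = wallClock.atZone(zone).toInstant();
            System.out.println(zone + " -> " + now);
            audit(fields, now).forEach(x -> System.out.println("  - " + x));
        }
    }
}
```

Read as UTC, the 09:00 reading falls inside the token's window; read as Europe/Berlin it becomes 07:00Z, which is before `st`, so the audit reports the token as not valid yet.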
0

There are two things you should check:

  1. How you get this SAS token.
  2. Did you use different containers between local and remote?

As you said, you could use it successfully on local, so you could try debugging your code to get the SAS URI value, and access it directly in a browser.

Finally, if that does not help, you could try generating the SAS token from the portal and hard-coding the SAS token in your code.

Doris Lv