Invalid authentication info error when using Azure AD and Azure Storage PUT API

Question

I'm trying to upload a file to a container in Azure Storage using Azure Active Directory (AAD) Authentication and REST API's. I can't figure out what is missing in the workflow below, but it always fails.

How it works:

0. A service principal (SP) was created in AAD
1. A client_secret was generated for this SP
2. Contributor role added to the Storage Account for the SP, at the Storage Account-level
   • Side question: Can the Storage Blob Data Contributor role be scoped down to the Container-level instead of granting at the Account-level?
3. Sample authentication request:
   • Method: GET
   • URL: https://login.microsoftonline.com/<my_tenant>/oauth2/v2.0/token
   • Body: x-www-form-urlencoded
     • grant_type: client_credentials
     • client_id: <client_id>
     • scope: https://graph.microsoft.com/.default
     • client_secret: <client_secret>
   • Header(s):
     • content-type: application/x-www-form-urlencoded
4. Sample auth. response:
   • Status: 200
   • Body:

{
    "token_type": "Bearer",
    "expires_in": 3599,
    "ext_expires_in": 3599,
    "access_token": "<auth_token>"
}

5. No problem thus far. The <auth_token> from this request is then used to send a PUT request to upload file to Azure Storage Container
6. Sample upload request:
   • Method: PUT
   • URL: https://<stg-account-name>.blob.core.windows.net/<container-name>/<file-name>.json
   • Body: binary
     • <file-name>.json
   • Header(s):
     • x-ms-blob-type: BlockBlob
     • x-ms-version: 2020-04-08
       • Required for AAD auth (at least per this doc)
     • Authentication: Bearer <auth_token>
7. Sample upload response:
   • Status: 401
   • Body:

<?xml version="1.0" encoding="utf-8"?>
<Error>
    <Code>InvalidAuthenticationInfo</Code>
    <Message>Server failed to authenticate the request. Please refer to the information in the www-authenticate header.
RequestId:<guid>
Time:2022-09-26T18:29:27.4477615Z</Message>
    <AuthenticationErrorDetail>Signature validation failed. Signature verification failed.</AuthenticationErrorDetail>
</Error>

Tried:

• Removing the Bearer keyword from the Authentication header
  • Results in Status 403
• Changing the x-ms-version header from 2017-11-09 to 2020-04-08
  • No change

Questions

1. What is missing here?
2. Where is this covered in the documentation?

---

EDIT1

1. RE: "What is missing here?"
   • Thank you @gaurav-mantri, your suggested worked!
   • I changed the scope header to https://storage.azure.com/.default in the auth request.
   • The subsequent upload request responded with status 201.
2. RE: "Can you help me find this referenced in the docs?"
   • Thank you again @gaurav-mantri, here is the doc ref

Answer 1

I tried to reproduce the same in my environment and got the below results:

I created one service principal Test and added Contributor role to it at storage account level as below:

I generated the access token with same parameters as you like below:

When I use the above access token to upload file via PUT request, I am getting same error as you like this:

To resolve the error, you need to add Storage Blob Data Contributor role to your service principal at Azure Storage container level as below:

Now, I generated access token by changing scope to https://storage.azure.com/.default like this:

With this token, I am able to upload file to Azure Storage container successfully as below:

When I checked Azure Portal, file got uploaded successfully like this:

If you generated the token by changing the scope to https://storage.azure.com/.default and did not assign Storage Blob Data Contributor role, you will get 403 error like below:

So, make sure to grant Storage Blob Data Contributor role to service principal before generating access token.