Azure Blob SAS gives an error while container SAS is working on the same blob

Question

My application needs access to the blobs inside my storage and sinc I dont want to ditribute any credentials I'm develpoing a backend endpoint to supply limited SAS token to the client app after authentication.

I thought on generating a blob SAS token (thus following the principle of least privilege and even though I think it worked in the past and I managed to retrieve the blob, it stopped working and I'm getting the below error. Generating a container SAS token and using it on the sme blob - works.

I also tried to generate a blob token from Azure Portal and use it in the same way and that actually worked as expected

Any idea what is wrong with what I'm doing?

this is the code I'm using to generate the blob token (I'm using the Python SDK):

start_time = datetime.datetime.now(datetime.timezone.utc)
expiry_time = start_time + datetime.timedelta(seconds=int(900))
sas_token = generate_blob_sas(
                account_name=account_name,
                container_name=container_name,
                blob_name=blob_name,
                account_key=account_key,
                permission=BlobSasPermissions(read=True),
                expiry=expiry_time,
                start=start_time
            )

using this generated token with a blob URL from the container, gives the following error (HTTP status code 403) when trying to retrieve the blob (GET request):

When I change the code to generate a container token, by using the following code:

start_time = datetime.datetime.now(datetime.timezone.utc)
expiry_time = start_time + datetime.timedelta(seconds=int(900))
sas_token = generate_container_sas(
                account_name=account_name,
                container_name=container_name,
                account_key=account_key,
                permission=BlobSasPermissions(read=True),
                expiry=expiry_time,
                start=start_time
            )

Everything works, and I manage to retirieve the blob.

Both generate_blob_sas and generate_container_sas comes from azure.storage.blob Python SDK (currently using version 12.19.0)

Answer 1

"Server failed to authenticate the request. Make sure the value of the Authorization header is formed correctly including the signature"

The error occurs when you pass with wrong parameters in the generate_blob_sas function.

I used the below code to generate the SAS token for the blob it created successfully using Python with the same package azure-storage-blob==12.19.0.

In my environment, I have stored an image with the blob name spring-flowers.jpg in the Azure blob storage.

Portal:

Code:

import datetime
from azure.storage.blob import generate_blob_sas, BlobSasPermissions

account_name = 'venkat789'
account_key = 'xxxxxxxx'
container_name = 'demo'
blob_name = 'spring-flowers.jpg'

start_time = datetime.datetime.now(datetime.timezone.utc)
expiry_time = start_time + datetime.timedelta(seconds=int(900))

def get_blob_sas(account_name,account_key, container_name, blob_name):
    sas_blob = generate_blob_sas(account_name=account_name, 
                                container_name=container_name,
                                blob_name=blob_name,
                                account_key=account_key,
                                permission=BlobSasPermissions(read=True),
                                start=start_time,
                                expiry=expiry_time
    )
    return sas_blob
sastoken = get_blob_sas(account_name,account_key, container_name, blob_name)
url = 'https://'+account_name+'.blob.core.windows.net/'+container_name+'/'+blob_name+'?'+sastoken
print(url)

Output:

  https://venkat789.blob.core.windows.net/demo/spring-flowers.jpg?st=2023-12-11T08%3A37%3A15Z&se=2023-12-11T08%3A52%3A15Z&sp=r&sv=2023-11-03&sr=b&sig=/JcSw%2Bxxxxxx

When I copied the same blob sas URL and pasted it into the browser it worked perfectly.

Portal:

Reference:

azure.storage.blob package | Microsoft Learn