Does StorageConnectionString in AzureWebjobSDK require access to the whole storage account?


I'm trying to use Azure WebJobs SDK to trigger a function when a message is posted on a queue.

This works fine when setting StorageConnectionString to a connection string with the storage account key.

I would like to use a Shared Access Signature (SAS) token which has access to that queue (and only that) in the StorageConnectionString, but I'm getting errors:

Message=Failed to validate Microsoft Azure WebJobs SDK Storage connection string. The Microsoft Azure Storage account connection string is not formatted correctly. Please visit http://msdn.microsoft.com/en-us/library/windowsazure/ee758697.aspx for details about configuring Microsoft Azure Storage connection strings.

And:

   Message=The account credentials for '' are incorrect.
   Source=Microsoft.Azure.WebJobs.Host
   StackTrace:
        at Microsoft.Azure.WebJobs.Host.Executors.DefaultStorageCredentialsValidator.<ValidateCredentialsAsyncCore>d__4.MoveNext()

The connection string I'm using is formatted this way:

    BlobEndpoint=https://myaccount.blob.core.windows.net/;QueueEndpoint=https://myaccoount.queue.core.windows.net/queuename;SharedAccessSignature=token

Any chance StorageConnectionString requires access to the whole storage account? If so, do you have an idea what I could do?

2

There are 2 answers

0
PartlyCloudy On

Looking at the WebjobSDK code: https://github.com/Azure/azure-webjobs-sdk/tree/dev/src it looks like the exception you are facing is thrown by the storage account parser. Looking at the code, it parses as follows:

    public static StorageAccountParseResult TryParseAccount(string connectionString, out CloudStorageAccount account)
    {
        if (String.IsNullOrEmpty(connectionString))
        {
            account = null;
            return StorageAccountParseResult.MissingOrEmptyConnectionStringError;
        }

        CloudStorageAccount possibleAccount;
        if (!CloudStorageAccount.TryParse(connectionString, out possibleAccount))
        {
            account = null;
            return StorageAccountParseResult.MalformedConnectionStringError;
        }

        account = possibleAccount;
        return StorageAccountParseResult.Success;
    }

I checked the formatting you sent using CloudStorageAccount and it seems to pass. Notice that you have an unnecessary '/' after the blob endpoint, maybe you are missing some text and that is causing the parsing to fail.

5
Bruce Chen On

According to your description, I followed this official document to Configure Azure Storage Connection Strings. Occasionally I encountered the error as you mentioned: The account credentials for '' are incorrect.

As far as I know, the Azure WebJobs SDK references the Azure Storage client library, which is a wrapper around the Azure Storage Service REST API. To troubleshoot similar issues, you could use Fiddler to capture the network packets. Here is the screenshot when I caught the above error via Fiddler:

Any chance StorageConnectionString requires access to the whole storage account? If so, do you have an idea what I could do?

I assumed that there is something wrong with your connection string:

    QueueEndpoint=https://myaccoount.queue.core.windows.net/queuename

Here is my connection string, which includes an account SAS for blob and queue storage within my WebJob project; you could refer to it.

    <add name="AzureWebJobsStorage" connectionString="BlobEndpoint=https://brucechen01.blob.core.windows.net/;QueueEndpoint=https://brucechen01.queue.core.windows.net/;SharedAccessSignature=sv=2015-12-11&amp;ss=bq&amp;srt=sco&amp;sp=rwdlacup&amp;se=2016-12-31T18:39:25Z&amp;st=2016-12-25T10:39:25Z&amp;spr=https&amp;sig={signature}" />

Note: If you are specifying a SAS in a connection string in a configuration file, you may need to encode special characters in the URL using HTML encoding.

UPDATE:

As you mentioned in the comment below: "My SAS includes permissions to the queue with the 'queuename' only." Since you have configured a SAS token for both Blob and Queue, I assumed that you need to create an account SAS token for the blob and queue services. You could use Microsoft Azure Storage Explorer to create the SAS token as follows:

Choose your storage account, right click and select "Get Shared Access Signature".

Note: When you replace the value of SharedAccessSignature with the generated SAS token, you need to remove the first ? symbol in your SAS token.