Home > Back-end >  Azure blob storage gives authentication error when connecting using sas (Access without signed ident
Azure blob storage gives authentication error when connecting using sas (Access without signed ident

Time:05-17

I'm trying to connect to an azure blob storage (listing an containers to check if it works), however when I connect I get an authentication error. Here is my code

from azure.storage.blob import BlockBlobService

top_level_container_name = "top_container"
sas_url ="https://secret.blob.core.windows.net/table?sv=2020-10-02&st=2022-05-16T10:11:57Z&se=2022-05-28T21:59:00Z&sr=c&sp=rl&sig=secret"
service=BlockBlobService(account_name="thi" ,sas_token=sas_url)

containers = service.list_containers() 
for c in containers: 
     print(c.name)

Which when run gives me the following error:

Traceback (most recent call last):
  File "C:\Users\thijser\codes\python\listblobs.py", line 11, in <module>
    containers = service.list_containers()
  File "C:\Python310\lib\site-packages\azure\storage\blob\baseblobservice.py", line 514, in list_containers
    resp = self._list_containers(**kwargs)
  File "C:\Python310\lib\site-packages\azure\storage\blob\baseblobservice.py", line 558, in _list_containers
    return self._perform_request(request, _convert_xml_to_containers, operation_context=_context)
  File "C:\Python310\lib\site-packages\azure\storage\storageclient.py", line 280, in _perform_request
    raise ex
  File "C:\Python310\lib\site-packages\azure\storage\storageclient.py", line 248, in _perform_request
    raise ex
  File "C:\Python310\lib\site-packages\azure\storage\storageclient.py", line 235, in _perform_request
    _http_error_handler(HTTPError(response.status, response.message, response.headers, response.body))
  File "C:\Python310\lib\site-packages\azure\storage\_error.py", line 114, in _http_error_handler
    raise AzureHttpError(message, http_error.status)
azure.common.AzureHttpError: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthenticationFailed</Code><Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
RequestId:2bc0650b-d01e-0050-511b-69cc86000000
Time:2022-05-16T11:54:26.0333719Z</Message><AuthenticationErrorDetail>Access without signed identifier cannot have time window more than 1 hour: Start [Mon, 16 May 2022 10:11:57 GMT] - Expiry [Sat, 28 May 2022 21:59:00 GMT]</AuthenticationErrorDetail></Error>

I am able to use the same sas link to see the files in the azure storage explorer. I have the 1.5.0 version of the azure blob storage freshly installed via pip.

Anybody know how to get rid of the error? The sas token wasn't generated by me and should actually last a whole week. I suspect it might somehow involve my password (given that changing the account_name into something that's invalid changes the error) but I can't find how to properly add that. I tried service=BlockBlobService(account_name="thi", account_key = "my secret password", sas_token=sas_url) but that just changes the error into The MAC signature found in the HTTP request 'c5w tYbWVvibQ1NGFq0sHDwfvMS4wP0nO0d/iv5KuFo=' is not the same as any computed signature. Server used following string to sign: 'GET

Edit:

So I figured out I have a service SAS link and not a SAS account. So that slightly changes my question into how to list everything contained in a service sas url? For this I already tried a couple of online tutorials but they keep running into the error: ImportError: cannot import name 'ContainerClient' from 'azure.storage.blob'. Does anyone know how to fix that/list all files in such a link?

Last edit: solved it. I had to uninstall all azure related packages and install the azure-cli package. followed by the azure-storage-blob package.

CodePudding user response:

The reason you are getting this error is because you are using a Service SAS to perform an operation that requires an Account SAS. List blob containers operation requires an Account SAS because you are performing an operation at account level.

To fix this error, you will need an Account SAS with at least following attributes:

  • Signed Services: Blob
  • Signed Resource Types: Service (to list blob containers) and Container (to list blobs inside a container)
  • Signed Permission: List (for list operations)
  • Related