c# - Azure Shared Access Signature - Signature did not match

Question

I'm getting this error:

<Error>
<Code>AuthenticationFailed</Code>
<Message>
Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. RequestId:6c3fc9a8-cdf6-4874-a141-10282b709022 Time:2014-07-30T10:48:43.8634735Z
</Message>
<AuthenticationErrorDetail>
Signature did not match. String to sign used was rwl 2014-07-31T04:48:20Z /acoustie/$root 2014-02-14
</AuthenticationErrorDetail>
</Error>

I get it when I generate a sas (Shared Access Signature) then paste that sas at the end of the container uri into a browser. This is the full address with the generated sas:

https://acoustie.blob.core.windows.net/mark?sv=2014-02-14&sr=c&sig=E6w%2B3B8bAXK8Lhvvr62exec5blSxsA62aSWAg7rmX4g%3D&se=2014-07-30T13%3A30%3A14Z&sp=rwl

I have scoured SO and Google and have tried lots of combinations, as far as I can tell I'm doing everything correctly, I know I'm not, I just can't see it...really hoping someone can help :-

To be clear, I am generating a sas on a container, not a specific blob and not on the root container. Access on the blob is defined as Public Blob. My end goal is to simply allow writes to the container with the sas, while 'debugging' I have added most permissions to the SharedAccessBlobPolicy.

I have tried adding a at the beginning and ending of the container name. No change.

This is the code I use to generate the sas:

    var blobClient = storageAccount.CreateCloudBlobClient();
    //Get a reference to the blob container 
    var container = blobClient.GetContainerReference(containerName);

    // Do not set start time so the sas becomes valid immediately.
    var sasConstraints = new SharedAccessBlobPolicy 
    {
        SharedAccessExpiryTime = DateTime.UtcNow.AddMinutes(30), 
        Permissions = SharedAccessBlobPermissions.Write 
        | SharedAccessBlobPermissions.Read
        | SharedAccessBlobPermissions.List,
    };

    var sasContainerToken = container.GetSharedAccessSignature(sasConstraints);

    //Return the URI string for the container, including the SAS token.
        var sas = string.Format("{0}{1}", container.Uri.AbsoluteUri, sasContainerToken);
        Logger.Debug("SAS: {0}", sas);
        return sas;

It generates a signature, it just doesn't seem to be a valid signature.

I've tried different containers, changing the Access policy, with and without start times, extending the expiry to > 12 hours from now (I'm in a UTC+10 timezone), it doesn't seem to matter what I change it results in the same "signature did not match" error.

I have even tried using an older version of 'WindowsAzure.Storage', so I have now tried 4.2 and 4.1. Even tried the uri in a different browser, really shouldn't make a difference but hey...

Any suggestions are greatly appreciated :-)

Answer 1

Short Answer:

Add comp=list&restype=container to your SAS URL and you should not get this error.

Long Answer:

Essentially from your SAS URL, Azure Storage Service is not able to identify if the resource you're trying to access is a blob or a container and assumes it's a blob. Since it assumes the resource type is blob, it makes use of $root blob container for SAS calculation (which you can see from your error message). Since SAS was calculated for mark blob container, you get this Signature Does Not Match error. By specifying restype=container you're telling storage service to treat the resource as container. comp=list is required as per REST API specification.