Reputation: 31
Azure: SAS is rejected with Blob Download Failure when attempting to copy blob to storage account in different tenant?
I am trying to make an arm template deployment in tenant A. One of the parameters in the json file is a SAS uri pointing to a blob in a storage account in tenant B. I generated a token with full read/write/add...etc + http/https permissions for the blob in tenant B and put it in but it is being rejected with message:
BlobDownloadFailed\",\r\n \"message\": \"Microsoft.Azure.Storage.StorageException: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.\\r\\n at Microsoft.Azure.Storage.Core.Executor.Executor
What seems to be happening is that ARM is accepting the deployment and trying to pull the blob from the storage account with the SAS provided but the storage account is rejecting it. The deployment works when I try it with a SAS for a blob located in the same resource group + tenant. My understanding (which is likely incorrect) was that having the sas token itself generated with the right permissions was enough to be used cross tenant. Are there additional steps needed when doing an arm deployment which is accessing resources in a different tenant and resource group, such as having app registration...etc?
Upvotes: 1
Views: 944
Answers (1)
Reputation: 10455
BlobDownloadFailed",\r\n "message": "Microsoft.Azure.Storage.StorageException: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.\r\n at Microsoft.Azure.Storage.Core.Executor.Executor
The above error may occurs of restriction so please check the below points:
- In your tenant B the storage account you have assigned role like Storage blob contributor
Azure portal->storage account->Access control(IAM)->Add role assignments->storage blob contributor role.
- kindly check your storage account is firewall enabled it may also reject your
Server failed to authenticate the request.pleas echeck your storage is whitelisted to access as by default itsipis 127.0.0.1:10000.
Azure Portal -> Storage Account -> Networking -> Check Allow Access From (All Networks / Selected Networks)
If it is "Selected Networks" - It means the storage account is firewall enabled.
- Check the also the storage account + SAS URL in the correct way.
https://< Storageaccountname >.blob.core.windows.net/< container name>/< Filename >?sp=r&st=2022-09-05T13:02:10Z&se=2022-09-05T21:02:10Z&spr=https&sv=2021-06-08&sr=b&sig=BL2%2Bwo157%2FMfll0NJpx3bO4yIh6P%2B2hDjZwu8 - Verify the Access level of the container and change access level to read blob ,if it is private. In my case,i am also admin to my storage account and has read , write and create SAS permissions enabled.
- Ensure that your system time is set correctly and that your
SASis valid. If any of these are incorrect, you may receive a"Failed to Authenticate"message.
Reference: Grant limited access to data with shared access signatures (SAS) - Azure Storage | Microsoft Docs
Upvotes: 1
Related Questions
- Getting Error while Creating SAS Token for Azure Storage Blob with MSI
- Azure Storage Account : Blob service (SAS) Connectivity Check FAILED
- What are the Azure SAS authorization parameters for copying to Azure Blobs?
- Azure SAS connection is not working with Azure.Storage.Blobs
- Azure Blob Storage Sas Error: AuthenticationFailed
- Azure: Unable to copy Archive blobs from one storage account to another?
- Azure Blob Storage Shared Access Signature (SAS) - Signature did not match
- Azure Blob SAS URL 403 issue
- Can't upload BLOB with SAS Token
- How to use an Azure SAS when trying to copy an Azure File to an Azure Blob