SAS for Blob write access keeps causing 403 authentication error with azure storage

Question

I keep getting a 403 authentication error from the Azure Storage Service when I try to use a SAS key I generated using the azure client storage library. The exception is being thrown on the calling code.

Here is the exception I'm getting:

StatusMessage:Server failed to authenticate the request. Make sure the value of
Authorization header is formed correctly including the signature.
ErrorCode:AuthenticationFailed

Here's the SAS key being generated (the signature at the end is not accurate since I didn't want to share that):

https://evinsight.blob.core.windows.net/jimsworld/jellyfish2.png?sv=2012-02-12&se=2013-08-29T03%3A36%3A52Z&sr=b&sp=w&sig=FJALKJFLKASJDF%JLKSDJLK%LJDLFKSDFJKL

Here is the calling code:

/// Create the document and file objects and then return the fileAccessToken
/// <param name = "file_name"></param> */
public void GetSasInfoFromEb(string file_name)
{
    /*********************************** EVINSIGHT TESTING CODE ********************************************/
    try
    {
        AzureStorageTester ast = new AzureStorageTester();
        BlobSasUri = ast.getStorageLibrarySas(file_name);
    }
    catch (Exception ex)
    {
        throw ex;
    }
    /***************************************************************************************************************/
}

/// Sends the whole small file to Azure Blob
public void WriteSmallFileToBlob()
{
    int fileId = 0;
    try
    {
        Blob = new CloudBlockBlob(new Uri(BlobSasUri));
        Blob.UploadFromStream(File.InputStream);


        File.InputStream.Close();
    }
    catch (Exception ex)
    {
        throw ex;
    }
}

Here's is the SAS generating code:

    /// <summary>
    ///  Returns the URI similar to how eB does it
    /// </summary>
    /// <param name="blobName">The name of the file being uploaded/downloaded</param>
    /// <returns>The full uri for blob access</returns>
    public string getStorageLibrarySas(string blobName)
    {
        string sasKey;
        string uri;

        setupBlobContainer();

        blobName = blobName.ToLower();
        _blob = _cloudRootContainer.GetBlockBlobReference(blobName);


        sasKey = _blob.GetSharedAccessSignature(new SharedAccessBlobPolicy()
        {
            Permissions = SharedAccessBlobPermissions.Write,
            SharedAccessExpiryTime = DateTime.UtcNow.AddHours(1)
        });

        return string.Format(CultureInfo.InvariantCulture, "{0}{1}", _blob.Uri, sasKey);
    }

    /// Creates the Blob Container
    private void setupBlobContainer()
    {
        try
        {
            Microsoft.WindowsAzure.Storage.Auth.StorageCredentials credentials = new Microsoft.WindowsAzure.Storage.Auth.StorageCredentials(_accountName, _accountKey);

            // Create the storage account with the connection string
            Microsoft.WindowsAzure.Storage.CloudStorageAccount _cloudStorageAccount = new Microsoft.WindowsAzure.Storage.CloudStorageAccount(credentials, true);

            _cloudBlobClient = _cloudStorageAccount.CreateCloudBlobClient();
            _cloudRootContainer = _cloudBlobClient.GetContainerReference(_rootPath.ToLower());
            _cloudRootContainer.CreateIfNotExists();

            BlobContainerPermissions containerPermissions = new BlobContainerPermissions();


            containerPermissions.PublicAccess = BlobContainerPublicAccessType.Off;
            _cloudRootContainer.SetPermissions(containerPermissions);
        }
        catch (Exception ex)
        {
            throw ex;
        }
    }

Any ideas? Appreciate it!

Answer 1

Your code looks perfectly fine to me. In fact, I used your code to create a sample application and everything worked well.

Can you please check the sig part of the SAS token? Especially look for + sign there. I have seen a similar issue here not too long ago where occasionally SAS URL was failing with 403 error. It turned out the SAS token has a plus sign in it which is URL encoded value for space. Since the SAS token is sent as URL, + sign in the token was interpreted as space and resulted in 403 error.

Answer 2

The StartTime is a common cause of this error (http://blogs.msdn.com/b/kwill/archive/2013/08/28/http-403-server-failed-to-authenticate-the-request-when-using-shared-access-signatures.aspx), but since you are not specifying the start time I suspect you are hitting the other common cause of this error - an incorrect URI. See When using Shared Access Signature (SAS) with Windows Azure, it is best to use Uri.AbsoluteUri() instead of Uri.ToString().