Azure / azure-cli

Azure Command-Line Interface
MIT License

Unable to list containers from CLI generated sas-token #26280

Open RotateAt60MPH opened 1 year ago

RotateAt60MPH commented 1 year ago

I am trying to create a bash shell script that lists containers in all my storage accounts. The problem is that the CLI generated sas token does not appear to be valid.

Here's what I am doing:

az login
storage_account_name=<storage account name>
end=`date -u -d "30 days" '+%Y-%m-%dT%H:%M:%SZ'`
start=`date -u -d "10 seconds" '+%Y-%m-%dT%H:%M:%SZ'`
sas="$(az storage account generate-sas --permissions acdlpruw  --account-key 00000000 --account-name $storage_account_name --services bfqt --resource-types sco --start $start --expiry $end -o tsv)"
echo $sas

Results in:

st=2023-04-27T15%3A14%3A33Z&se=2023-05-27T15%3A14%3A23Z&sp=rwdlacup&sv=2018-03-28&ss=bqtf&srt=sco&sig=REDACTED

Now if I try to list the containers with the CLI generated sas token:

az storage container list --account-name $storage_account_name --query "[].{name:name}" --output tsv --sas-token "?st=2023-04-27T15%3A14%3A33Z&se=2023-05-27T15%3A14%3A23Z&sp=rwdlacup&sv=2018-03-28&ss=bqtf&srt=sco&sig=REDACTED"

I get:

ERROR:
Authentication failure. This may be caused by either invalid account key, connection string or sas token value provided for your storage account.

But if I go into the Azure portal for the storage account and generate a sas from there I get:

?sv=2021-12-02&ss=bfqt&srt=sco&sp=rwdlacupiytfx&se=2023-04-27T22:09:53Z&st=2023-04-27T14:09:53Z&spr=https&sig=REDACTED

Note the different order of the parameters and the date encoding differences.

Running exactly the same command with the Azure generated sas token works fine.

I expected that the CLI generated token should work no differently than the token generated from the Azure portal.
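
An added diagnostic sketch for comparing the two tokens quoted in the comment above (not part of the original issue and not azure-cli code): it decodes each SAS query string so that parameter order and percent-encoding drop out, lists the fields that actually differ, and classifies a token's `st`/`se` window at a given time. The function names, and the choice to compare `ss`, `srt` and `sp` as unordered letter sets, are assumptions made for this comparison.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Tokens copied from the issue text; the signatures were already redacted there.
CLI_SAS = ("st=2023-04-27T15%3A14%3A33Z&se=2023-05-27T15%3A14%3A23Z&sp=rwdlacup"
           "&sv=2018-03-28&ss=bqtf&srt=sco&sig=REDACTED")
PORTAL_SAS = ("?sv=2021-12-02&ss=bfqt&srt=sco&sp=rwdlacupiytfx"
              "&se=2023-04-27T22:09:53Z&st=2023-04-27T14:09:53Z&spr=https&sig=REDACTED")

SET_FIELDS = {"ss", "srt", "sp"}   # assumption: compare these as sets of letters
TIME_FIELDS = {"st", "se"}         # start / expiry, UTC ISO 8601


def parse_sas(token):
    """Decode a SAS query string into a dict, independent of order and encoding."""
    raw = parse_qs(token.lstrip("?"), keep_blank_values=True)
    fields = {key: values[0] for key, values in raw.items()}
    for key in SET_FIELDS & fields.keys():
        fields[key] = "".join(sorted(set(fields[key])))
    for key in TIME_FIELDS & fields.keys():
        parsed = datetime.strptime(fields[key], "%Y-%m-%dT%H:%M:%SZ")
        fields[key] = parsed.replace(tzinfo=timezone.utc)
    return fields


def diff_sas(a, b):
    """Return {field: (a_value, b_value)} for fields that differ, ignoring sig."""
    pa, pb = parse_sas(a), parse_sas(b)
    keys = (pa.keys() | pb.keys()) - {"sig"}
    return {k: (pa.get(k), pb.get(k)) for k in sorted(keys) if pa.get(k) != pb.get(k)}


def window_status(token, now):
    """Classify the token's validity window at `now` (timezone-aware, UTC)."""
    fields = parse_sas(token)
    if "st" in fields and now < fields["st"]:
        return "not-yet-valid"
    if now >= fields["se"]:
        return "expired"
    return "in-window"


if __name__ == "__main__":
    for name, (cli_value, portal_value) in diff_sas(CLI_SAS, PORTAL_SAS).items():
        print(f"{name}: cli={cli_value} portal={portal_value}")
    print(window_status(CLI_SAS, datetime.now(timezone.utc)))
```
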

yonzhan commented 1 year ago

Thank you for opening this issue, we will look into it.

RotateAt60MPH commented 1 year ago

Hello? Anything further on this?