Closed StannieV closed 1 year ago
Thank you for your feedback. This has been routed to the support team for assistance.
@StannieV Apologies for the late reply. Thanks for reaching out to us and reporting this issue. We are looking into this issue and we will provide an update.
@StannieV Could you please share the x-ms-request-id from the most recent occurrence of the issue?
Hi @navba-MSFT ,
Thanks for looking at my issue. The following request ids are from failing ones (all from a few minutes ago):
I hope this is enough!
@StannieV Thanks for sharing the request ID. I checked the backend logs and the failure is due to the StringToSign. As mentioned in this documentation, you should first create the successfully working SAS token with the Blob (storage) endpoint. Then use the SAS token query string to append it to your Front Door endpoint URL. Hope this helps.
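The approach described in the comment above, as an added example that is not code from the thread or from the Azure SDK team: the SAS is signed for the storage account, and its query string is reused unchanged on the Front Door host. The account name, key, Front Door host, container and blob name are constructed placeholders, and the sketch assumes the Front Door route forwards the path and query string as-is.

```csharp
using System;
using Azure.Storage;
using Azure.Storage.Sas;

// Constructed placeholder values, not taken from the issue.
const string accountName = "examplestorage";
const string afdHost = "example-endpoint.z01.azurefd.net";
string accountKey = Convert.ToBase64String(new byte[64]); // dummy key; signing happens offline

Console.WriteLine(BuildFrontDoorSasUri(accountName, accountKey, afdHost, "docs", "report.pdf"));

// Hypothetical helper: signs a read-only blob SAS, then swaps only the host.
static Uri BuildFrontDoorSasUri(string account, string key, string frontDoorHost,
                                string container, string blob)
{
    var credential = new StorageSharedKeyCredential(account, key);

    var builder = new BlobSasBuilder
    {
        BlobContainerName = container,
        BlobName = blob,
        Resource = "b",                                   // blob-level SAS
        StartsOn = DateTimeOffset.UtcNow.AddMinutes(-5),  // tolerate clock skew
        ExpiresOn = DateTimeOffset.UtcNow.AddHours(1),    // keep the window short
        Protocol = SasProtocol.Https                      // reject plain HTTP use
    };
    builder.SetPermissions(BlobSasPermissions.Read);

    // The signature is produced here, against the storage account's names and key.
    string sasQuery = builder.ToSasQueryParameters(credential).ToString();

    // Full SAS URL on the blob (storage) endpoint. Simple names are assumed;
    // names with reserved characters need URL encoding first.
    Uri storageUri = new UriBuilder("https", $"{account}.blob.core.windows.net")
    {
        Path = $"{container}/{blob}",
        Query = sasQuery
    }.Uri;

    // Replace the host only; path and SAS query string stay byte-for-byte the same.
    Uri frontDoorUri = new UriBuilder(storageUri) { Host = frontDoorHost }.Uri;

    if (frontDoorUri.PathAndQuery != storageUri.PathAndQuery)
        throw new InvalidOperationException("Host swap altered the path or SAS query.");

    return frontDoorUri;
}
```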
Hi @navba-MSFT,
Thanks for investigating the requests. I had hoped for a more elegant way to solve this in code than string manipulation.
Based on your answer I still have some questions:
@StannieV Thanks for your reply. While I tested at my end using your above code, I could see that it was using SharedKey and not SAS token. So I had to update your code to make use of SAS token with the Azure FrontEnd endpoint and that worked just fine. Please refer to the sample code here. Hope this helps.
@navba-MSFT you're right, my example code doesn't generate a SAS token. I simplified my program for this issue. But the problem also occurs in my example code on retrieving the blob items (containerClient.GetBlobsAsync()). If this succeeds, generating the SAS token will also work. It will look like this:
// Get a reference to the container client
BlobContainerClient containerClient = blobServiceClient.GetBlobContainerClient(containerName);
// Use the container client to perform blob operations
// For example, you can list the blobs in the container:
await foreach (BlobItem blobItem in containerClient.GetBlobsAsync())
{
    Console.WriteLine(blobItem.Name);
    var blobClient = containerClient.GetBlobClient(blobItem.Name);
    var blobSasBuilder = new BlobSasBuilder();
    blobSasBuilder.SetPermissions(BlobSasPermissions.Read);
    blobSasBuilder.StartsOn = DateTimeOffset.UtcNow.AddMinutes(-5);
    blobSasBuilder.ExpiresOn = DateTimeOffset.UtcNow.Add(TimeSpan.FromHours(5));
    blobSasBuilder.BlobContainerName = containerClient.Name;
    blobSasBuilder.BlobName = blobClient.Name;
    var sas = blobClient.GenerateSasUri(blobSasBuilder);
    Console.WriteLine(sas);
}
@StannieV Thanks for your reply. Let's isolate this issue first.
@StannieV I wanted to do a quick follow-up to check if you had a chance to look at my above comment. Please let us know if you have any updates on this. Awaiting your reply.
Hi @navba-MSFT, I think I'll have time today to look at it.
@StannieV Thanks for your reply. Let's isolate this issue first.
- Do you want to create an Account SAS, a Container SAS, or a Blob SAS?
- The sample which I used above is an account SAS. So before I test your SAS generating code, could you please confirm if hardcoding the SAS token, as mentioned in my sample code here, works fine at your end? Awaiting your reply.
@navba-MSFT
Response x-ms-client-request-id 'e6fabfca-cc37-43a2-b48e-a5adc9d2054f' does not match the original expected request id, 'b5bc9dd3-c086-41be-a7e8-87d8e08e3381'.
Unhandled exception. Azure.RequestFailedException: Response x-ms-client-request-id 'e6fabfca-cc37-43a2-b48e-a5adc9d2054f' does not match the original expected request id, 'b5bc9dd3-c086-41be-a7e8-87d8e08e3381'.
@StannieV Thanks for your reply. If hardcoding the SAS token itself is failing then that issue should be fixed first.
I tried creating a Blob SAS and used the same in my code to get that blob and it worked fine with FrontDoor URL. Sending you the screenshot from the fiddler if that helps:
Please check if your Frontdoor setting is configured as below:
@StannieV I wanted to do a quick follow-up to check if you had a chance to look at my above comment. Please let us know if you have any updates on this. Awaiting your reply.
@navba-MSFT I didn't have time to look at it. Most probably I'll have time next week... I'll keep you up-to-date.
Hi @StannieV. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.
Hi @StannieV, we're sending this friendly reminder because we haven't heard back from you in 7 days. We need more information about this issue to help address it. Please be sure to give us your input. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!
Library name and version
Azure.Storage.Blobs 12.15.0
Describe the bug
When creating a BlobServiceClient based on an Azure Front Door endpoint URL, in ~50% of the cases, it produces an Authentication exception.
Expected behavior
In my solution, I want to create a SAS Uri for a blob item that is accessed via an Azure Front Door (AFD) endpoint. The blob container cannot be publicly accessible and therefore the SAS is needed. After creating a SAS for a blob item, you can replace the hostname of the blob URL, e.g. ‘https://.blob.core.windows.net’ (from the complete SAS), with the hostname of the AFD endpoint, e.g. ‘https:// .z01.azurefd.net’. With this new URL, you can access the blob item (even download it in the browser) through the AFD endpoint and use CDN.
In code, it seemed a clumsy solution first to create a SAS and then replace the hostname of the URL in the code. After some searching, I found a solution in creating a ‘BlobServiceClient’ with a different service URL, which points to the AFD endpoint. At first glance, this seems great. With this, I only have to change the initialization of the blob object(s) in my startup logic and keep my logic in the application the same. Unfortunately, this is not always working. In half of the cases, it works and in the other half, an exception is thrown in the code.
Why is this exception thrown and should it work as I intend? Or, are there better alternatives for what I want to achieve?
Actual behavior
The exception that is produced is:
Reproduction Steps
The following C# code reproduces (sometimes) the exception:
Project file:
The following BICEP script creates the Storage Account and the Azure Front Door (I composed it from multiple files so it isn’t production code):
Environment
.NET runtime version: .Net 6.0 & .Net 7.0
IDE and version: Microsoft Visual Studio Enterprise 2022 (64-bit) - Current Version 17.5.1
OS: Windows 11 Pro Version 22H2 (OS Build 22621.1344)