hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_storage_account_blob_container_sas produced a different token to one created on portal. Terraform created token does not authenticate. #19252

Closed dipesh747 closed 1 year ago

dipesh747 commented 2 years ago

Is there an existing issue for this?

Community Note

Terraform Version

2.14.0

AzureRM Provider Version

3.1.0

Affected Resource(s)/Data Source(s)

azurerm_storage_account_blob_container_sas

Terraform Configuration Files

data "azurerm_storage_account_blob_container_sas" "objects" {
  connection_string = module.eus2-this-sta.stor_primary_connstring
  container_name    = azurerm_storage_container.objects.name
  https_only        = true

  start  = "2022-09-30T09:00:00"
  expiry = "2024-09-30T09:00:00"

  permissions {
    read   = true
    add    = true
    create = true
    write  = true
    delete = true
    list   = true
  }
}

output "object_sas" {
  description = "SAS token"
  value       = data.azurerm_storage_account_blob_container_sas.objects.sas
  sensitive   = true
}

resource "azurerm_key_vault_secret" "storage-account-container-objects-sas" {
  key_vault_id = data.azurerm_key_vault.hub_kv.id
  name = "airflow-storage-account-container-objects-sas"
  value = data.azurerm_storage_account_blob_container_sas.objects.sas
}

Debug Output/Panic Output

N/A - the configuration works and terraform apply succeeds. When the token is used to authenticate against the KV, it fails. Authentication is via Az Copy (https://learn.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10) SAS token method. This authentication works when I create the SAS token directly in the portal.

Expected Behaviour

SAS token should be in the following format: [image]

Actual Behaviour

[image]

Steps to Reproduce

  1. Create blob container
  2. Create Azure Key Vault
  3. Create SAS token and store in vault
  4. Use SAS token for authentication (my method was with Az Copy; I assume other auth methods would also fail).

Important Factoids

No response

References

I followed this thread, which was very similar: https://github.com/hashicorp/terraform-provider-azurerm/issues/16295. However, I have tried different entries for start and end date in ISO 8601 format with no offsets, but I still get the issue.

This thread had the same issue but for account_sas rather than container_sas and their fix does not apply here: https://github.com/hashicorp/terraform-provider-azurerm/issues/17558

magodo commented 2 years ago

@dipesh747 The fix made for #17558 (https://github.com/hashicorp/go-azure-helpers/pull/123) also applies to the container_sas as both data sources' underlying calls are the same.

dipesh747 commented 2 years ago

The temporary fix doesn't apply as I don't have keys tag, filter or signed version in my tf.

When will your PR from magodo:sas_fix be merged?

magodo commented 2 years ago

@tombuildsstuff Can we continue reviewing https://github.com/hashicorp/go-azure-helpers/pull/123?

dipesh747 commented 1 year ago

I've noticed this PR has been open since July. What's your ETA for merge?

dipesh747 commented 1 year ago

Would you be able to provide an update, please?

dipesh747 commented 1 year ago

Would you be able to provide an update, please?

christopher-pope commented 1 year ago

Do we have an update on this issue?

westonplatter commented 1 year ago

@dipesh747 I think it's possible to fork the original PR, make the changes that @tombuildsstuff requested, and go from there. I think that's the most viable path forward.

devianzincarnate commented 1 year ago

Any movement? Still appears to be a problem.

westonplatter commented 1 year ago

@devianzincarnate I put forward a quick snippet on @magodo's PR responding to @tombuildsstuff's PR question / feedback. I believe(?) the ball is in @tombuildsstuff's court.

@magodo @tombuildsstuff - please let me know if there's any way I can support getting this issue addressed. I have production infrastructure that is impacted by this issue and I'm available to work in a professional capacity on further research / testing / QA to confirm a solution.

tgolly commented 1 year ago

We just hit this today as well. :( Any ETA on a fix?

westonplatter commented 1 year ago

@tgolly the pull request (#123) targeting the core issue has been merged into main (see this commit), but has not been released yet.

magodo commented 1 year ago

Since https://github.com/hashicorp/terraform-provider-azurerm/pull/21725, which upgrades go-azure-helpers to v0.56.0, is merged, I'm gonna close this issue as the fix is in. Please feel free to reopen it if the issue remains.

DevOpsFu commented 1 year ago

This issue doesn't appear to be fixed in v3.56.0. I get a "Signature fields not well formed." error when trying to use a SAS token generated by this data source.

westonplatter commented 1 year ago

@DevOpsFu what's the format of the token?

DevOpsFu commented 1 year ago

@westonplatter My apologies - please ignore this. I have it working now. The reason I received an error before was due to the leading ? on the SAS token that the provider produces. The SAS tokens that get produced via the portal do not have this - I was not taking this into account in my Terraform code.
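
The leading `?` described in the comment above, as an added example (not code from the provider or from anyone in this thread): a Python check that accepts a token with or without the `?`, verifies the fields a container SAS needs, and joins it to a URL with exactly one separator. The token, signature, storage account name and helper names are constructed for illustration; the required-field list is an assumption taken from the Azure SAS documentation.

```python
from urllib.parse import parse_qs

# Fields a service SAS for a blob container must carry (assumption, from the
# Azure Storage SAS documentation, not from this thread).
REQUIRED_FIELDS = ("sv", "sr", "sp", "se", "sig")

# Constructed sample values; the signature is a placeholder, not a real one.
PORTAL_STYLE = ("sv=2018-11-09&sr=c&st=2022-09-30T09:00:00Z"
                "&se=2024-09-30T09:00:00Z&sp=racwdl&spr=https"
                "&sig=CONSTRUCTED%2Bplaceholder%3D")
PROVIDER_STYLE = "?" + PORTAL_STYLE          # same token with the leading "?"
CONTAINER_URL = "https://examplestorage.blob.core.windows.net/objects"


def naive_fields(token: str) -> set:
    """Field names as seen by a consumer that does not strip the "?"."""
    return set(parse_qs(token))


def normalize_sas(token: str) -> str:
    """Return the bare query string, with or without a leading "?" on input."""
    return token.strip().lstrip("?")


def check_sas(token: str) -> dict:
    """Parse a token; raise ValueError naming any required field that is absent."""
    fields = {k: v[0] for k, v in parse_qs(normalize_sas(token)).items()}
    missing = [name for name in REQUIRED_FIELDS if not fields.get(name)]
    if missing:
        raise ValueError("SAS token is missing fields: " + ", ".join(missing))
    return fields


def url_with_sas(resource_url: str, token: str) -> str:
    """Join a resource URL and a token with exactly one "?" between them."""
    if "?" in resource_url.rstrip("?"):
        raise ValueError("resource URL already carries a query string")
    return resource_url.rstrip("?") + "?" + normalize_sas(token)


if __name__ == "__main__":
    print(sorted(naive_fields(PROVIDER_STYLE)))   # first key keeps the "?"
    print(url_with_sas(CONTAINER_URL, PROVIDER_STYLE))
```

Running the same check on the value before it is written to Key Vault catches a malformed or doubly prefixed token at apply time rather than at first use.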

westonplatter commented 1 year ago

Confirmed the SAS token changes are working on our infra in Azure. Thanks @magodo and @dipesh747 for paving the way on the changes.
