unable to find blobs in a container with a blob tag filter sql expression using container SAS

[Venu-prahalad]

Preflight Checklist

• [X] I have installed the latest version of Storage Explorer.
• [X] I have checked existing resources, including the troubleshooting guide and the release notes.
• [X] I have searched for similar issues.

Storage Explorer Version

1.26.1

Regression From

No response

Architecture

x64

Storage Explorer Build Number

20221018.5

Platform

Windows

OS Version

Windows 10

Bug Description

I am in need to filter blobs by tags when connected using container SAS. When I tried doing so, I get the error "Server failed to authenticate the request......." as in below image

NOTE: Filter tag works if I use account level SAS This problem is only seen when I use container level SAS. I have granted all required permissions racwdxltf on container level SAS.

I found same issue with Azure CLI, powershell as well. CLI team has fixed the issue for CLI and powershell. You can refer to the URL for the issue https://github.com/Azure/azure-cli/issues/24171

Steps to Reproduce

1. Launch storage explorer
2. click on connect button
3. select blob container
4. select SAS connection string option
5. provide SAS connection string generated for the container
6. proceed to connect to the container.
7. After connecting to container, click on Filter button
8. select filter by tag. provide filter option and click on appy.
9. observe the behavior.

The extract from the log file is as below

[2022-11-08T19:38:00.888Z] (se-blob-extension:29852) Fallback for operation 'BlobServiceClient.findBlobsByTags, count 1 [2022-11-08T19:40:11.695Z] (se-blob-extension:29852) API call for BlobServiceClient.findBlobsByTags failed GET https://xx.blob.core.windows.net/?sv=2021-08-06&st=2022-11-07T18%3A42%3A00Z&si=xxTestFagFilterSAS&sr=c&sig=AzureSAS Token Redacted&maxresults=5000&comp=blobs&where=%22tagKey%22%3D'tagValue'%20AND%20%40container%3D'xx' - 403 Credential used: SAS token - sv=2021-08-06&st=2022-11-07T18%3A42%3A00Z&si=xxTestFagFilterSAS&sr=c&sig=** RequestId: 09aeab90-f556-42f1-9081-740b2ba8a3a1, Date sent: Tue, 08 Nov 2022 19:40:10 GMT, ApiVersion: 2017-04-17, ProxySettings: undefined ErrorCode: undefined [2022-11-08T19:40:11.696Z] (se-blob-extension:29852) Fallback for operation 'BlobServiceClient.findBlobsByTags, count 1

Actual Experience

I receive error "Server failed to authenticate the request..."

Expected Experience

When right container level SAS is used, application should filter blobs byt ags

Additional Context

The extract from the log file is as below

[2022-11-08T19:38:00.888Z] (se-blob-extension:29852) Fallback for operation 'BlobServiceClient.findBlobsByTags, count 1 [2022-11-08T19:40:11.695Z] (se-blob-extension:29852) API call for BlobServiceClient.findBlobsByTags failed GET https://xx.blob.core.windows.net/?sv=2021-08-06&st=2022-11-07T18%3A42%3A00Z&si=xxTestFagFilterSAS&sr=c&sig=AzureSAS Token Redacted&maxresults=5000&comp=blobs&where=%22tagKey%22%3D'tagValue'%20AND%20%40container%3D'xx' - 403 Credential used: SAS token - sv=2021-08-06&st=2022-11-07T18%3A42%3A00Z&si=xxTestFagFilterSAS&sr=c&sig=** RequestId: 09aeab90-f556-42f1-9081-740b2ba8a3a1, Date sent: Tue, 08 Nov 2022 19:40:10 GMT, ApiVersion: 2017-04-17, ProxySettings: undefined ErrorCode: undefined [2022-11-08T19:40:11.696Z] (se-blob-extension:29852) Fallback for operation 'BlobServiceClient.findBlobsByTags, count 1

[craxal]

@Venu-prahalad The SAS you appear to be using is based on a shared access policy (indicated by the "si=xxx" part of the token). I assume the shared access policy includes "t" and "f" permissions?

[JasonYeMSFT]

This is a known issue we are trying to resolve in 1.27.0 #6184 . Currently the container level SAS won't work for the filter by tags API we use.

[MRayermannMSFT]

Since #6184 is merged we will close this. This scenario will be supported in 1.27.