microsoft / AzureStorageExplorer

Easily manage the contents of your storage account with Azure Storage Explorer. Upload, download, and manage blobs, files, queues, tables, and Cosmos DB entities. Gain easy access to manage your virtual machine disks. Work with either Azure Resource Manager or classic storage accounts, plus manage and configure cross-origin resource sharing (CORS) rules.
Creative Commons Attribution 4.0 International

Unable to use SAS Token to connect Premium Page Blob account to ASE #8220

Open eliaquimbrandao opened 1 month ago

eliaquimbrandao commented 1 month ago

Preflight Checklist

Storage Explorer Version

1.35.0

Regression From

No response

Architecture

x64

Storage Explorer Build Number

20240810.1

Platform

Windows

OS Version

No response

Bug Description

When trying to use a Premium Page Blob account in ASE with a SAS URL, an authentication failure is received, even though the SAS token has all the necessary permissions and the storage account is completely free of network configurations.

Steps to Reproduce

  1. Create a SAS token in the Portal with all permissions.
  2. Launch ASE and connect to a storage account or service.
  3. Use a shared access signature URL (SAS).
  4. The account will be connected, but when trying to access it, it will fail.

Actual Experience

I would like to be able to use Premium Page Blob in ASE with a SAS token, but I can't. With account name and key I can access/connect the page blob account without problems, and Premium Block Blob also works with a SAS token; only Premium Page Blob doesn't work.

Expected Experience

No response

Additional Context

This request is not authorized to perform this operation.

This storage account's 'Firewalls & virtual networks' settings may be blocking access to storage services. Try adding your client IP address to the firewall exceptions, or by allowing access from 'all networks' instead of 'selected networks'. To learn more about Azure Storage firewalls and virtual networks, visit http://go.microsoft.com/fwlink/?LinkId=845443.

Error Details: { "name": "RestError", "code": "AuthenticationFailed", "statusCode": 403, "request": { "streamResponseStatusCodes": {}, "url": "https://newpagestgguide.blob.core.windows.net/?sv=2022-11-02&ss=b&srt=sco&sp=rwdlaciyx&se=2024-10-04T16:25:05Z&st=2024-10-04T08:25:05Z&spr=https&sig=AzureSAS Token Redacted&comp=list&include=metadata", "method": "GET", "headers": { "_headersMap": { "x-ms-version": { "name": "x-ms-version", "value": "2023-01-03" }, "accept": { "name": "Accept", "value": "application/xml" }, "user-agent": { "name": "User-Agent", "value": "Microsoft Azure Storage Explorer/1.35.0 (win32) azsdk-js-storageblob/12.15.0 (NODE-VERSION v20.14.0; Windows_NT 10.0.26100)" }, "x-ms-client-request-id": { "name": "x-ms-client-request-id", "value": "bbb8a9b4-2923-4b7b-85d6-171c37deea23" } } }, "withCredentials": false, "timeout": 0, "keepAlive": true, "decompressResponse": false, "requestId": "bbb8a9b4-2923-4b7b-85d6-171c37deea23" }, "response": { "request": { "streamResponseStatusCodes": {}, "url": "https://newpagestgguide.blob.core.windows.net/?sv=2022-11-02&ss=b&srt=sco&sp=rwdlaciyx&se=2024-10-04T16:25:05Z&st=2024-10-04T08:25:05Z&spr=https&sig=AzureSAS Token Redacted&comp=list&include=metadata", "method": "GET", "headers": { "_headersMap": { "x-ms-version": { "name": "x-ms-version", "value": "2023-01-03" }, "accept": { "name": "Accept", "value": "application/xml" }, "user-agent": { "name": "User-Agent", "value": "Microsoft Azure Storage Explorer/1.35.0 (win32) azsdk-js-storageblob/12.15.0 (NODE-VERSION v20.14.0; Windows_NT 10.0.26100)" }, "x-ms-client-request-id": { "name": "x-ms-client-request-id", "value": "bbb8a9b4-2923-4b7b-85d6-171c37deea23" } } }, "withCredentials": false, "timeout": 0, "keepAlive": true, "decompressResponse": false, "requestId": "bbb8a9b4-2923-4b7b-85d6-171c37deea23" }, "status": 403, "headers": { "_headersMap": { "content-length": { "name": "content-length", "value": "409" }, "content-type": { "name": "content-type", "value": 
"application/xml" }, "date": { "name": "date", "value": "Fri, 04 Oct 2024 08:25:55 GMT" }, "server": { "name": "server", "value": "Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0" }, "x-ms-client-request-id": { "name": "x-ms-client-request-id", "value": "bbb8a9b4-2923-4b7b-85d6-171c37deea23" }, "x-ms-error-code": { "name": "x-ms-error-code", "value": "AuthenticationFailed" }, "x-ms-request-id": { "name": "x-ms-request-id", "value": "8962abe8-501c-0033-7237-160747000000" }, "x-ms-version": { "name": "x-ms-version", "value": "2023-01-03" } } }, "bodyAsText": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\nAuthenticationFailedServer failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.\nRequestId:8962abe8-501c-0033-7237-160747000000\nTime:2024-10-04T08:25:55.8167608ZSignature fields not well formed.", "parsedBody": { "message": "Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.\nRequestId:8962abe8-501c-0033-7237-160747000000\nTime:2024-10-04T08:25:55.8167608Z", "code": "AuthenticationFailed", "AuthenticationErrorDetail": "Signature fields not well formed." 
}, "parsedHeaders": { "errorCode": "AuthenticationFailed", "content-length": "409", "content-type": "application/xml", "date": "Fri, 04 Oct 2024 08:25:55 GMT", "server": "Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0", "x-ms-client-request-id": "bbb8a9b4-2923-4b7b-85d6-171c37deea23", "x-ms-request-id": "8962abe8-501c-0033-7237-160747000000", "x-ms-version": "2023-01-03" } }, "details": { "errorCode": "AuthenticationFailed", "content-length": "409", "content-type": "application/xml", "date": "Fri, 04 Oct 2024 08:25:55 GMT", "server": "Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0", "x-ms-client-request-id": "bbb8a9b4-2923-4b7b-85d6-171c37deea23", "x-ms-request-id": "8962abe8-501c-0033-7237-160747000000", "x-ms-version": "2023-01-03", "message": "Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.\nRequestId:8962abe8-501c-0033-7237-160747000000\nTime:2024-10-04T08:25:55.8167608Z", "code": "AuthenticationFailed", "AuthenticationErrorDetail": "Signature fields not well formed." } }

craxal commented 1 month ago

@eliaquimbrandao Can you verify that the start and expiry times are reasonable? Can you try a SAS with an expiry time further in the future? Does a SAS generated from Storage Explorer work?

eliaquimbrandao commented 1 month ago

@eliaquimbrandao Can you verify that the start and expiry times are reasonable? Can you try a SAS with an expiry time further in the future? Does a SAS generated from Storage Explorer work?

The SAS I created was for 1 day, and I created a new SAS a couple of times. I can try longer expiry times (years) if necessary, but I don't think it would change anything; the issue is easy to repro. I will try with a SAS from ASE and update.

eliaquimbrandao commented 1 month ago

@craxal, I did some tests, and apparently the connection string and SAS created by ASE work; only the SAS and connection string created by the Azure Portal present this problem.

However, if I don't want to connect my entire subscription to ASE, I need to rely on the Azure Portal to create my SAS to connect, which is not working only for the Premium Page Blob account.

Below are the tests with the SAS redacted:

Portal - ConnectionString - Doesn't work BlobEndpoint=https://newpagestgguide.blob.core.windows.net/;SharedAccessSignature=sv=2022-11-02&ss=b&srt=sco&sp=rwdlaciyx&se=2025-01-04T03:15:41Z&st=2024-10-04T18:15:41Z&spr=https&sig=REDACTED

}, "details": { "errorCode": "AuthenticationFailed", "content-length": "409", "content-type": "application/xml", "date": "Fri, 04 Oct 2024 18:16:34 GMT", "server": "Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0", "x-ms-client-request-id": "3d25a829-fc5f-4fb2-85e9-873f66a2e0c4", "x-ms-request-id": "e3dff058-e01c-0008-2c89-164519000000", "x-ms-version": "2023-01-03", "message": "Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.\nRequestId:e3dff058-e01c-0008-2c89-164519000000\nTime:2024-10-04T18:16:35.0954584Z", "code": "AuthenticationFailed", "AuthenticationErrorDetail": "Signature fields not well formed." } }

Portal SAS URL - doesn't work

https://newpagestgguide.blob.core.windows.net/?sv=2022-11-02&ss=b&srt=sco&sp=rwdlaciyx&se=2025-01-04T03:15:41Z&st=2024-10-04T18:15:41Z&spr=https&sig=REDACTED

"details": { "errorCode": "AuthenticationFailed", "content-length": "409", "content-type": "application/xml", "date": "Fri, 04 Oct 2024 18:18:53 GMT", "server": "Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0", "x-ms-client-request-id": "6e9aee05-c304-4d30-b9b5-0cd2bf88a42c", "x-ms-request-id": "fb6c3f57-201c-001e-1f89-168487000000", "x-ms-version": "2023-01-03", "message": "Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.\nRequestId:fb6c3f57-201c-001e-1f89-168487000000\nTime:2024-10-04T18:18:53.5991199Z", "code": "AuthenticationFailed", "AuthenticationErrorDetail": "Signature fields not well formed." }

ASE - ConnectionString - works SharedAccessSignature=sv=2023-01-03&ss=b&srt=sco&st=2024-10-04T18%3A04%3A52Z&se=2025-02-15T19%3A04%3A00Z&sp=rwdxftlacup&sig=REDACTED;BlobEndpoint=https://newpagestgguide.blob.core.windows.net/;

ASE - SAS Token and creating SASURL - works https://newpagestgguide.blob.core.windows.net/?sv=2023-01-03&ss=b&srt=sco&st=2024-10-04T18%3A04%3A52Z&se=2025-02-15T19%3A04%3A00Z&sp=rwdxftlacup&sig=REDACTED

craxal commented 1 month ago

@eliaquimbrandao

However, if I don't want to connect my entire subscription to ASE, I need to rely on the Azure Portal to create my SAS to connect, which is not working only for the Premium Page Blob account.

I think you'll find it's the opposite. Azure Portal only lets you create storage account SAS, but Storage Explorer lets you create SAS for containers as well as accounts. You can right-click any storage account or container node in Storage Explorer and select "Generate Shared Access Signature".

The only major difference I can see is the SAS version (sv parameter) used. The Portal is using a much older version. Normally, that shouldn't matter much, but if the problem persists, I suggest opening an Azure service request. If a Storage Explorer SAS is working for you, I suggest continuing to use that.

Let us know if there's anything else, otherwise we can close this issue.

eliaquimbrandao commented 1 month ago

Hi @craxal ,

The Azure Portal offers the capability to create SAS tokens for containers; however, this is not directly relevant to the issue.

The question is: why does Azure Storage Explorer (ASE) not recognize a SAS token created in the Azure Portal for a Premium Page Blob account?

Other storage types utilize the same SAS token version and structure, and connections to ASE work as expected. Nevertheless, ASE rejects the connection only for that kind of account, which suggests the SAS token generated by the Portal is being rejected by the server.

Upon comparing the permissions set by the Portal and ASE, there are discrepancies: Portal [sp=rwdlaciyx] versus ASE [sp=rwdxftlacup]. Despite these differences in permission flags, I believe this is not an issue.

Could you provide insight into why ASE is rejecting a SAS token generated by the Azure Portal?

craxal commented 1 month ago

The error message says, "signature not well formed", which suggests the error was introduced in the creation of the SAS.

I think it's likely the permission differences could be the source of the problem. According to documentation for account SAS, rwdylacuptfi are the only valid permissions, so x shouldn't be in there (I don't even know how you managed it with the Portal UI). The order (at least in the past) is also important, according to docs for service SAS. It would seem to me the permissions part of the Portal SAS is not well formed.

Here is, I think, the best way to determine if permissions are the problem:

All in all, however, I do believe it's time we take another look at our SAS code. I know for a fact we're missing y and i today, so Storage Explorer can't generate SAS with those permissions (that shouldn't affect whether it works in Storage Explorer).
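The discussion above boils down to inspecting the SAS fields (sp, st, se, sv, spr) before a client ever sends them, which is something a defender can do offline. The following pre-flight checker is an added example, not Storage Explorer code or anything from the Azure SDK. It parses a SAS URL, a bare token, or a connection string, redacts the signature, and reports missing or malformed fields, permission letters outside an allowed set, expired or very long validity windows, and plain-HTTP exposure. The allowed permission set is an assumption: it is the account SAS list quoted in this comment (rwdylacuptfi) plus x, which the thread's working Storage Explorer SAS carries; the constant is a parameter precisely so it can be swapped for whatever the current REST documentation lists. The sample inputs are the two redacted SAS strings posted earlier in the thread.

```javascript
// Added example, not Azure Storage Explorer code: offline pre-flight check of
// an account SAS before it is handed to a client. Never logs the signature.

// ASSUMPTION: account-SAS permission letters. The thread quotes rwdylacuptfi;
// x is added because the working Storage Explorer SAS in the thread uses it.
// Verify against the current REST docs and override via the `allowed` option.
const ACCOUNT_SAS_PERMISSIONS = "rwdxylacuptfi";
const DESTRUCTIVE_PERMISSIONS = new Set(["d", "x", "y"]);
const REQUIRED_FIELDS = ["sv", "ss", "srt", "sp", "se", "sig"];
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Pull the query part out of a SAS URL, a bare "sv=...&sig=..." token, or a
// connection string containing "SharedAccessSignature=...".
function extractSasQuery(input) {
  const conn = input.match(/SharedAccessSignature=([^;]+)/);
  if (conn) return conn[1];
  const q = input.indexOf("?");
  return q >= 0 ? input.slice(q + 1) : input;
}

// URLSearchParams percent-decodes, so "%3A" in Storage Explorer timestamps
// comes back as ":".
function parseSasFields(input) {
  const fields = {};
  for (const [k, v] of new URLSearchParams(extractSasQuery(input))) fields[k] = v;
  return fields;
}

// Strict ISO-8601 UTC timestamp in the form Azure expects (YYYY-MM-DDTHH:MM:SSZ).
function parseUtc(value) {
  if (!/^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$/.test(value)) return null;
  const d = new Date(value);
  return Number.isNaN(d.getTime()) ? null : d;
}

// Returns { fields, findings }: fields with sig redacted, and a list of
// { level, field, message } items (level is "error", "warn" or "info").
function checkSas(input, { now = new Date(), allowed = ACCOUNT_SAS_PERMISSIONS, maxDays = 7 } = {}) {
  const raw = parseSasFields(input);
  const findings = [];
  const note = (level, field, message) => findings.push({ level, field, message });

  for (const f of REQUIRED_FIELDS) if (!(f in raw)) note("error", f, "required field missing");
  if (raw.sv !== undefined && !/^\d{4}-\d{2}-\d{2}$/.test(raw.sv)) note("error", "sv", "service version is not a YYYY-MM-DD date");

  if (raw.sp !== undefined) {
    const seen = new Set();
    for (const p of raw.sp) {
      if (!allowed.includes(p)) note("error", "sp", `permission '${p}' is not in the allowed account SAS set`);
      if (seen.has(p)) note("error", "sp", `permission '${p}' repeated`);
      seen.add(p);
      if (DESTRUCTIVE_PERMISSIONS.has(p)) note("info", "sp", `grants destructive permission '${p}'`);
    }
  }

  const start = raw.st !== undefined ? parseUtc(raw.st) : null;
  const expiry = raw.se !== undefined ? parseUtc(raw.se) : null;
  if (raw.st !== undefined && !start) note("error", "st", "start time is not ISO-8601 UTC");
  if (raw.se !== undefined && !expiry) note("error", "se", "expiry time is not ISO-8601 UTC");
  if (expiry) {
    if (expiry <= now) note("error", "se", "SAS already expired");
    if (start && expiry <= start) note("error", "se", "expiry is not after start");
    const days = (expiry - (start ?? now)) / MS_PER_DAY;
    if (days > maxDays) note("warn", "se", `valid for ${days.toFixed(1)} days (limit ${maxDays})`);
  }

  // spr absent means the service accepts the SAS over http as well as https.
  if (raw.spr !== "https") note("warn", "spr", "SAS usable over plain HTTP (spr missing or not 'https')");
  if (raw.srt && ["s", "c", "o"].every((t) => raw.srt.includes(t))) note("info", "srt", "scope covers service, container and object levels");

  const fields = { ...raw, ...(raw.sig !== undefined ? { sig: "[redacted]" } : {}) };
  return { fields, findings };
}

// Sample inputs copied from the thread (signatures were already redacted there).
const PORTAL_SAS_URL = "https://newpagestgguide.blob.core.windows.net/?sv=2022-11-02&ss=b&srt=sco&sp=rwdlaciyx&se=2025-01-04T03:15:41Z&st=2024-10-04T18:15:41Z&spr=https&sig=REDACTED";
const ASE_CONNECTION_STRING = "SharedAccessSignature=sv=2023-01-03&ss=b&srt=sco&st=2024-10-04T18%3A04%3A52Z&se=2025-02-15T19%3A04%3A00Z&sp=rwdxftlacup&sig=REDACTED;BlobEndpoint=https://newpagestgguide.blob.core.windows.net/;";

// Example run, pinned to the day the SAS were issued so the output is stable.
for (const sas of [PORTAL_SAS_URL, ASE_CONNECTION_STRING]) {
  const { fields, findings } = checkSas(sas, { now: new Date("2024-10-04T18:30:00Z") });
  console.log(fields.sv, fields.sp, findings.map((f) => `${f.level}:${f.field}: ${f.message}`));
}
```

Running it with the default set reports no errors for either SAS, only the multi-month validity windows and, for the Storage Explorer one, the missing spr. Passing `allowed: "rwdylacuptfi"` (the set quoted in this comment) instead flags the x in both, which is exactly the kind of disagreement the checker is meant to surface before a 403 does.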

eliaquimbrandao commented 1 month ago

The error message says, "signature not well formed", which suggests the error was introduced in the creation of the SAS.

I think it's likely the permission differences could be the source of the problem. According to documentation for account SAS, rwdylacuptfi are the only valid permissions, so x shouldn't be in there (I don't even know how you managed it with the Portal UI). The order (at least in the past) is also important, according to docs for service SAS. It would seem to me the permissions part of the Portal SAS is not well formed.

Here is, I think, the best way to determine if permissions are the problem:

  • Confirm whether you have hierarchical namespaces enabled for your premium page blob account.
  • When creating SAS, match the exact same set of permissions in the Portal and in Storage Explorer. See which ones work.
  • Reduce the number of permissions in the Portal SAS until they start working in Storage Explorer.

All in all, however, I do believe it's time we take another look at our SAS code. I know for a fact we're missing y and i today, so Storage Explorer can't generate SAS with those permissions (that shouldn't affect whether it works in Storage Explorer).

I ended up expressing myself wrong, but yes, it suggests the error was introduced in the creation of the SAS.

The "x" is being introduced in the Portal by default for the option "Blob versioning permissions" when we access the SAS blade, but in fact it is not described in public articles. In ASE the "x" is introduced for "Delete Version".

ASE Permission Image

Portal Permission Image

However, even removing "x" when creating the SAS, ASE does not accept it and fails with the same error.

Responding how best to determine the permission issue:

1 - Confirm whether you have hierarchical namespaces enabled for your premium page blob account.

Hierarchical namespaces are not supported for Page Blob account, so this option is disabled by default.

2 - When creating SAS, match the exact same set of permissions in the Portal and in Storage Explorer. See which ones work.

Unfortunately, through the Portal, the maximum I can generate would be "rwdlaciy" by removing "x", as the "update (u)" and "process (p)" options for a Premium Page Blob account are blocked; they are only released when I have an account with hierarchical namespace. But even with the permissions "rwdlaciy" I am still not able to use it in ASE.

3 - Reduce the number of permissions in the Portal SAS until they start working in Storage Explorer.

I did some tests, and with these "rwdlac" permissions I can successfully use the SAS URL in ASE.

I did a test: I created a SAS through ASE with all permissions [rwdxftlacup] and tried to connect with the SAS URL in ASE, and it also failed. It is clear that the Premium Page Blob account does not accept all permissions, but we also do not have a description of which SAS and permissions should work for each type of account. Starting from the principle that with more permissions everything would be possible, I believe that for SAS and some types of accounts this does not apply. :)

craxal commented 3 weeks ago

@eliaquimbrandao Have you been able to resolve your issue?

eliaquimbrandao commented 3 weeks ago

@craxal I would say that I have a mitigation; however, a SAS review from the Portal, or at least an article pointing to the correct permissions for a Page Blob account, would be great.

craxal commented 3 weeks ago

@eliaquimbrandao Can you elaborate? What sort of "review" are you referring to? There's not much we can do there, as this is for Storage Explorer issues. What permissions did you find that you needed, and do they differ from what Storage Explorer documentation specifies?