microsoft / PlanetaryComputer

Issues, discussions, and information about the Microsoft Planetary Computer
https://planetarycomputer.microsoft.com/
MIT License
182 stars 7 forks

planetary computer sas token endpoint returning invalid tokens #295

Closed ivica3730k closed 10 months ago

ivica3730k commented 10 months ago

Hello, we have noticed a problem with the SAS token endpoint returning invalid tokens for some collections. In our example, visiting https://planetarycomputer.microsoft.com/api/sas/v1/token/modis-64A1-061 to get the token for the modis-64A1-061 collection is returning:

{
"msft:expiry": "2023-11-22T12:48:50Z",
"token": "st=2023-11-21T12%3A03%3A50Z&se=2023-11-22T12%3A48%3A50Z&sp=rl&sv=2021-06-08&sr=c&skoid=c85c15d6-d1ae-42d4-af60-e2ca0f81359b&sktid=72f988bf-86f1-41af-91ab-2d7cd011db47&skt=2023-11-22T00%3A01%3A26Z&ske=2023-11-29T00%3A01%3A26Z&sks=b&skv=2021-06-08&sig=JUJmeZrj9vQXE8Vxzhs1pe5fQ3Zu%2B0n4cHmNvzGBoXY%3D"
}

Then, trying to download an asset from the following item: https://planetarycomputer.microsoft.com/api/stac/v1/collections/modis-64A1-061/items/MCD64A1.A2023213.h35v10.061.2023284122045

with URL: https://modiseuwest.blob.core.windows.net/modis-061-cogs/MCD64A1/35/10/2023213/MCD64A1.A2023213.h35v10.061.2023284122045_QA.tif?st=2023-11-21T12%3A03%3A50Z&se=2023-11-22T12%3A48%3A50Z&sp=rl&sv=2021-06-08&sr=c&skoid=c85c15d6-d1ae-42d4-af60-e2ca0f81359b&sktid=72f988bf-86f1-41af-91ab-2d7cd011db47&skt=2023-11-22T00%3A01%3A26Z&ske=2023-11-29T00%3A01%3A26Z&sks=b&skv=2021-06-08&sig=JUJmeZrj9vQXE8Vxzhs1pe5fQ3Zu%2B0n4cHmNvzGBoXY%3D

results in an error:

<Error>
<Code>AuthenticationFailed</Code>
<Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. RequestId:439adb16-801e-0086-2c3d-1d1e72000000 Time:2023-11-22T12:17:08.0006783Z</Message>
<AuthenticationErrorDetail>Signature did not match. String to sign used was rl 2023-11-21T12:03:50Z 2023-11-22T12:48:50Z /blob/modiseuwest/modis-061-cogs c85c15d6-d1ae-42d4-af60-e2ca0f81359b 72f988bf-86f1-41af-91ab-2d7cd011db47 2023-11-22T00:01:26Z 2023-11-29T00:01:26Z b 2021-06-08 2021-06-08 c </AuthenticationErrorDetail>
</Error>

Is it possible that the storage container names changed without changing the container name in the SAS-obtaining service, or something like that?

First spotted by https://github.com/james-hinton :)

mmcfarland commented 10 months ago

Hi @ivica3730k, thanks for the report. The issue here is that the various MODIS-061 collections store assets in multiple storage account containers. The collection metadata lists two attributes, msft:storage_account and msft:container, and this combination is what determines the SAS token target when using the .../sas/v1/token/modis-64A1-061 endpoint. If you inspect the URL of the asset file, it's actually in the modis-061-cogs container, which is out of scope for the previously generated token.

There are two other SAS methods you can use to generate the correct token. If you know the storage + container combination ahead of time, use

https://planetarycomputer.microsoft.com/api/sas/v1/token/modiseuwest/modis-061-cogs

Alternatively, there is an endpoint that accepts a URL to a blob store asset, and it determines the account/container to target:

https://planetarycomputer.microsoft.com/api/sas/v1/sign?href=https%3A%2F%2Fmodiseuwest.blob.core.windows.net%2Fmodis-061-cogs%2FMCD64A1%2F35%2F10%2F2023213%2FMCD64A1.A2023213.h35v10.061.2023284122045_Last_Day.tif

The first method may be preferable as you can limit the number of SAS calls by caching the container token up to its expiry, but the second method may be convenient based on the mix of assets you're reading.

Hope this helps!
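Added example, not part of the thread and not Planetary Computer code: a Python sketch of the scope check and the two endpoint choices described in the comment above, with a per-container token cache. The helper names, the injected `fetch(url)` callable (expected to return the parsed JSON body) and the 5-minute refresh margin are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import quote, urlsplit

SAS_API = "https://planetarycomputer.microsoft.com/api/sas/v1"  # base URL from the thread


def blob_scope(href):
    """Return (storage_account, container) parsed from an Azure blob URL."""
    parts = urlsplit(href)
    account, _, suffix = (parts.hostname or "").partition(".")
    container = parts.path.lstrip("/").split("/", 1)[0]
    ok = parts.scheme == "https" and suffix == "blob.core.windows.net"
    if not (ok and account and container):
        raise ValueError(f"not an https Azure blob URL: {href!r}")
    return account, container


def token_url(href):
    """Container-scoped token endpoint for the container that holds href."""
    return "{}/token/{}/{}".format(SAS_API, *blob_scope(href))


def sign_url(href):
    """Per-asset sign endpoint; the whole href is percent-encoded."""
    return f"{SAS_API}/sign?href={quote(href, safe='')}"


def in_scope(collection, href):
    """True if a collection-level token would cover href."""
    return (collection["msft:storage_account"], collection["msft:container"]) == blob_scope(href)


class TokenCache:
    """One token per (account, container), refreshed shortly before msft:expiry."""

    def __init__(self, fetch, margin=timedelta(minutes=5)):
        # fetch(url) -> parsed JSON dict; injected by the caller (assumption).
        self._fetch, self._margin, self._tokens = fetch, margin, {}

    def get(self, href, now=None):
        now = now or datetime.now(timezone.utc)
        scope = blob_scope(href)
        token, expiry = self._tokens.get(scope, (None, now))
        if expiry - self._margin <= now:
            body = self._fetch(token_url(href))
            expiry = datetime.fromisoformat(body["msft:expiry"].replace("Z", "+00:00"))
            token = body["token"]
            self._tokens[scope] = (token, expiry)
        return token
```

Running `in_scope` on the collection metadata and an asset href before appending a collection-level token shows whether that token will be rejected; the returned token is appended to the asset URL as its query string, as in the original report.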

ivica3730k commented 10 months ago

https://planetarycomputer.microsoft.com/api/sas/v1/sign?href=https%3A%2F%2Fmodiseuwest.blob.core.windows.net%2Fmodis-061-cogs%2FMCD64A1%2F35%2F10%2F2023213%2FMCD64A1.A2023213.h35v10.061.2023284122045_Last_Day.tif

Perfect, thank you very much. I did not know about the third endpoint. Passing a URL would do for my use case.

Thanks