Value of "se" is invalid in SAS token

2
votes

I've created a SAS token, which seems to work if I access the private container with URL: https://mystorage.blob.core.windows.net/mycontainer?restype=container&comp=list&sv=2015-12-11&sr=c&sig=11111111111123%3D&se=2016-07-29T11%3A32%3A28Z&sp=cwl

Code:

 SharedAccessBlobPolicy policy = new SharedAccessBlobPolicy()
        {
            Permissions = SharedAccessBlobPermissions.Create | 
                            SharedAccessBlobPermissions.Write | 
                            SharedAccessBlobPermissions.List |
                            SharedAccessBlobPermissions.Read,
            SharedAccessExpiryTime = DateTime.UtcNow.AddMinutes(15)
        };

        var blobStorage = storageAccount.CreateCloudBlobClient();
        CloudBlobContainer container = blobStorage.GetContainerReference(blobContainerName);

        string sasContainerToken = container.GetSharedAccessSignature(policy);

But when I use this sasContainerToken in AzCopy (from a batch file), I receive the following error:

[2016-07-29 14:00:38][ERROR] The syntax of the command is incorrect.
Invalid SAS  token in parameter "DestSAS". Value of "se" is invalid in SAS token.

The problems seems to be with the time, which is escaped with the "%3A", changing this to ":" resolves the error, but now I'm not authorized because of an incorrect SAS.

Any idea's?

UPDATE: Generating an Account SAS from the Azure Portal seems to solve the AzCopy error, but still access denieds from the individual blob uploads

AzCopy 
  /Source:C:\temp\myfiles 
  /Dest:"https://mystorage.blob.core.windows.net/mycontainer" 
  /DestSas:"?sv=2015-04-05&ss=bfqt&srt=sco&sp=rwdlacup&se=2016-07-30T21:11:31Z&st=2016-07-28T13:11:31Z&spr=https&sig=p%2FlCgbgMRU7lH7111111YyxEDE21rZWFo4%3D"

Changing the /DestSas to /DestKey (with a valid key) works, but gives too much permissions

1
azureazure-storageazcopy
Can you try by creating a new SAS and then replacing "%3A" to ":"?Gaurav Mantri
I did, it solves the AzCopy error, but then AzCopy uses this "corrupt" SAS and it is unauthorized. It seems like the AzCopy is doing some strange parsing, my laptop is in the dutch locale, but the date is ISO, so that couldn't be a problemErik Oppedijk

1 Answers

6
votes

Do you run AzCopy in a script like *.bat?

If so, The "se=2016-07-29T11%3A32%3A28Z" need to double "%" to "se=2016-07-29T11%%3A32%%3A28Z". This is because "%3" has specific meaning in *.bat. (You need to double all "%" in the SAS)

And please note, all "%3A" should not be convert back to ":", or the SAS will get access denied.

BTW, which AzCopy version do you use? The SAS issue might also caused by the Client library version mismatch between AzCopy and the Client library to generate SAS.