1
votes

I am trying to list and download blobs from a container on Azure. It works perfectly fine when I do so using the storage account access key. However, it fails when I use a SAS token. I generated the SAS token with the following PowerShell script:

    $storageContext = New-AzureStorageContext -StorageAccountName "myAccount" -StorageAccountKey "<account key>"
    $permission = "rwdl"
    $sasToken = New-AzureStorageContainerSASToken  -Name "myContainer" -Policy "testPolicy" -Context $storageContext >>sastoken.txt

I get the following result:

    ?sv=2017-04-17&sr=c&si=testPolicy&sig=dbS680%2FXgPp4o%2BQCCzpYzGZszCnDHVjCkdHZRf6KDeg%3D

I appended the SAS token to the resource URI to get:

    https://myAccount.blob.core.windows.net/myContainer?sv=2017-04-17&sr=c&si=testPolicy&sig=dbS680%2FXgPp4o%2BQCCzpYzGZszCnDHVjCkdHZRf6KDeg%3D

and ran the following CLI command:

    az storage blob list --container-name myContainer --account-name myAccount --auth-mode key --debug --sas-token "https://myAccount.blob.core.windows.net/myContainer?sv=2017-04-17&sr=c&si=testPolicy&sig=dbS680%2FXgPp4o%2BQCCzpYzGZszCnDHVjCkdHZRf6KDeg%3D" >> bloblist.txt

I get the following error:

    azure.multiapi.storage.v2018_03_28.common.storageclient : Client-Request-ID=0f7a7762-3729-11e9-8b32-ffc4c9592d0a Retry policy did not allow for a retry: Server-Timestamp=Sat, 23 Feb 2019 05:08:30 GMT, Server-Request-ID=21f07a6a-f01e-00e9-3235-cb7d5c000000, HTTP status code=403, Exception=Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. ErrorCode: AuthenticationFailed
    AuthenticationFailed
    Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
    RequestId:21f07a6a-f01e-00e9-3235-cb7d5c000000
    Time:2019-02-23T05:08:30.7149353Z
    Signature size is invalid.

    You do not have the required permissions needed to perform this operation. Depending on your operation, you may need to be assigned one of the following roles:

    "Storage Blob Data Contributor (Preview)"
    "Storage Blob Data Reader (Preview)"
    "Storage Queue Data Contributor (Preview)"
    "Storage Queue Data Reader (Preview)"

    If you want to use the old authentication method and allow querying for the right account key, please use the "--auth-mode" parameter and "key" value.

    Event: CommandInvoker.OnFilterResult []
    'CommandResultItem' object is not iterable
    Traceback (most recent call last):
      File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-r8nye8gm\knack\knack\cli.py", line 212, in invoke
      File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-r8nye8gm\knack\knack\output.py", line 132, in out
      File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-r8nye8gm\knack\knack\output.py", line 38, in format_json
    TypeError: 'CommandResultItem' object is not iterable
    telemetry.save : Save telemetry record of length 2499 in cache

I have tried generating a storage-account-level SAS in the portal, but didn't have any luck.

Please help!

2

2 Answers

9
votes

For anyone else that comes along with the same azcopy error with 403 AuthenticationFailed but the detail shows Signature size is invalid - I had the same problem when trying to script azcopy from a Windows .bat file. When you get the SAS URL, there will be percent signs in the string. You must double up the percent signs to "escape" them when running from a .bat file, e.g. wherever you see a % in the URL, make it %% - hope this helps!

Funny thing is I remembered to do this in the first 3 azcopy scripts I wrote and a few weeks later made a 4th one for a new storage account and couldn't figure out why I kept getting 403. I suppose this post will be a reminder to myself the next time I forget again :)

0
votes

The reason you're getting this error is that you're using the full SAS URL instead of the SAS token.

Please change the following:

    az storage blob list --container-name myContainer --account-name myAccount --auth-mode key --debug --sas-token "https://myAccount.blob.core.windows.net/myContainer?sv=2017-04-17&sr=c&si=testPolicy&sig=dbS680%2FXgPp4o%2BQCCzpYzGZszCnDHVjCkdHZRf6KDeg%3D" >> bloblist.txt

to

    az storage blob list --container-name myContainer --account-name myAccount --auth-mode key --debug --sas-token "?sv=2017-04-17&sr=c&si=testPolicy&sig=dbS680%2FXgPp4o%2BQCCzpYzGZszCnDHVjCkdHZRf6KDeg%3D" >> bloblist.txt

And you should be able to list blobs.
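
Both answers come down to the `sig` value reaching the service intact: passed as the token alone, with its percent escapes preserved. As an added example (not code from the question or the answers), this Python pre-flight check reduces a SAS URL to its token and verifies that `sig` still decodes to a 32-byte HMAC-SHA256 digest. The names `normalize_sas_token` and `SasFormatError` and the mangled sample are made up for this illustration.

```python
import base64
import binascii
from urllib.parse import unquote, urlsplit

HMAC_SHA256_LEN = 32  # a SAS "sig" is a base64-encoded HMAC-SHA256 digest

# Token from the question, and a constructed copy whose percent signs were lost
# (what an unescaped % in a .bat file produces).
PAGE_TOKEN = ("?sv=2017-04-17&sr=c&si=testPolicy"
              "&sig=dbS680%2FXgPp4o%2BQCCzpYzGZszCnDHVjCkdHZRf6KDeg%3D")
MANGLED_TOKEN = ("?sv=2017-04-17&sr=c&si=testPolicy"
                 "&sig=dbS680FXgPp4oBQCCzpYzGZszCnDHVjCkdHZRf6KDegD")


class SasFormatError(ValueError):
    """Raised when a value cannot be a well-formed SAS token."""


def normalize_sas_token(value: str) -> str:
    """Return '?<query>' for a SAS token or full SAS URL; raise on a bad sig."""
    value = value.strip()
    # A full SAS URL carries the token as its query string; keep only that part.
    query = urlsplit(value).query if "://" in value else value.lstrip("?")
    params = {}
    for pair in filter(None, query.split("&")):
        name, _, raw = pair.partition("=")
        params[name] = unquote(raw)  # unquote() leaves a literal '+' intact
    for required in ("sv", "sig"):
        if not params.get(required):
            raise SasFormatError(f"missing '{required}' parameter")
    try:
        digest = base64.b64decode(params["sig"], validate=True)
    except binascii.Error as exc:
        raise SasFormatError(f"sig is not valid base64: {exc}") from exc
    if len(digest) != HMAC_SHA256_LEN:
        raise SasFormatError(
            f"sig decodes to {len(digest)} bytes, expected {HMAC_SHA256_LEN}")
    return "?" + query


if __name__ == "__main__":
    url = "https://myAccount.blob.core.windows.net/myContainer" + PAGE_TOKEN
    print(normalize_sas_token(url))  # token only, in the form the answer passes
    try:
        normalize_sas_token(MANGLED_TOKEN)
    except SasFormatError as err:
        print("rejected:", err)
```

Running the check before the value is handed to `--sas-token` catches a damaged signature locally instead of as a 403 from the service.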