1
votes

I have created an AAD app as per https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-app.

Access to the Azure storage account has been given to the AAD app created.

Got the client id and client secret.

To create a user delegation key and user delegation sas, I am using the approach and code as defined in https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-user-delegation-sas-create-dotnet.

(I set the environment variables as mentioned in the article.)

I am able to generate the user delegation key using method GetUserDelegationSasBlob.

The container and blob file are existing ones.

Now I am using the method ReadBlobWithSasAsync to read the contents of the blob using the SAS uri as generated above.

But I get the error below.

This request is not authorized to perform this operation using this permission. RequestId:5d127eaf-101e-00be-6666-6a3875000000

Time:2019-09-13T19:04:15.4109144Z

Status: 403 (This request is not authorized to perform this operation using this permission.)

ErrorCode: AuthorizationPermissionMismatch

In another approach, I am generating the user delegation key using the REST API: https://docs.microsoft.com/en-us/rest/api/storageservices/get-user-delegation-key

I am able to get user delegation key in xml format. I am creating SAS from it as per steps in https://docs.microsoft.com/en-us/rest/api/storageservices/create-user-delegation-sas

For the signature, I am using this code, with the StringToSign and the secret value received from the delegation key.

using System;
using System.Security.Cryptography;
using System.Text;

// The <Value> of the user delegation key is base64-encoded: decode it to the
// raw key bytes instead of using the ASCII bytes of the base64 text as the key.
byte[] keyByte = Convert.FromBase64String(secret);
// The string-to-sign is encoded as UTF-8 before signing.
byte[] messageBytes = Encoding.UTF8.GetBytes(ToSign);
string sig;
using (var hmacsha256 = new HMACSHA256(keyByte))
{
    byte[] hashmessage = hmacsha256.ComputeHash(messageBytes);
    // Declared outside the using block so the signature survives it.
    sig = Convert.ToBase64String(hashmessage);
}

I am doing the GET request. I have tried various sets of parameter values, such as:

sr: b and c
sks: b and c
sp: racwd, r, rw and a few more

skv and sv are 2018-11-09 because this version is required for creating a user delegation key.

But the GET API returns this error.

AuthenticationFailed Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. RequestId:e4bc8f0f-d01e-0046-7367-6af368000000 Time:2019-09-13T19:12:27.7780695Z Signature fields not well formed.

Comments:

Joey Cai: Try to assign the Storage Blob Data Contributor role to the storage account. Refer to this article.

Manish: Hi Joey. Can't see the check mark beside your comment.

Joey Cai: Hi Manish, just click on the check mark beside the answer to toggle it from greyed out to filled in, like this one.

Manish: Hi Joey. Thanks for helping to resolve the issue. Accepted the answer.
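The signature step in the question can be checked outside of .NET. The script below is an added example, not code from the question or from Microsoft's documentation. It follows the REST reference's rule that the signature is HMAC-SHA256 over the UTF-8 string-to-sign, keyed with the decoded bytes of the base64 key value returned by Get User Delegation Key, and it contrasts that with keying the HMAC with the base64 text itself, which is what the question's original code did. The sample key and the sample string-to-sign are constructed placeholders; the real string-to-sign must be assembled field by field in the order given on the linked reference page, which this script does not encode.

```shell
#!/bin/sh
# Added example: user delegation SAS signature computation with openssl.
# Requires openssl, base64 and od (standard on Linux; base64 -d is GNU/BusyBox syntax).

# sas_signature STRING_TO_SIGN KEY_BASE64
# Prints the base64 signature that goes into the "sig" query parameter.
sas_signature() {
    string_to_sign=$1
    key_b64=$2
    # Decode the base64 key value to raw bytes and render them as hex for openssl.
    key_hex=$(printf '%s' "$key_b64" | base64 -d | od -An -tx1 | tr -d ' \n')
    # HMAC-SHA256 over the exact bytes of the string-to-sign (no trailing newline added).
    printf '%s' "$string_to_sign" \
        | openssl dgst -sha256 -mac HMAC -macopt "hexkey:$key_hex" -binary \
        | base64 | tr -d '\n'
}

# wrong_sas_signature STRING_TO_SIGN KEY_BASE64
# The question's approach: the ASCII bytes of the base64 text are used as the key.
# Kept only to show that it yields a different (rejected) signature.
wrong_sas_signature() {
    printf '%s' "$1" | openssl dgst -sha256 -hmac "$2" -binary | base64 | tr -d '\n'
}

# url_encode_sig SIGNATURE
# '+', '/' and '=' in the base64 value must be percent-encoded in the SAS query string.
url_encode_sig() {
    printf '%s' "$1" | sed -e 's/+/%2B/g' -e 's,/,%2F,g' -e 's/=/%3D/g'
}

# Constructed sample key (NOT a real user delegation key): base64 of arbitrary bytes,
# which is the form the <Value> element of the REST response takes.
SAMPLE_KEY_B64=$(printf 'constructed-sample-key-bytes-not-a-real-key' | base64 | tr -d '\n')

# A literal newline. The string-to-sign is built by direct assignment rather than
# $(printf ...) because command substitution strips trailing newlines, and empty
# trailing fields are represented precisely by those newlines.
NL='
'
# Constructed placeholder only: the real field list and order come from the
# "Create a user delegation SAS" reference for the sv/skv version you use.
STRING_TO_SIGN="r${NL}2019-09-13T19:00:00Z${NL}2019-09-13T20:00:00Z${NL}/blob/myaccount/mycontainer/myblob${NL}${NL}"

SIG=$(sas_signature "$STRING_TO_SIGN" "$SAMPLE_KEY_B64")
echo "sig (raw base64):      $SIG"
echo "sig (for query string): $(url_encode_sig "$SIG")"
echo "sig with base64 text as key (wrong): $(wrong_sas_signature "$STRING_TO_SIGN" "$SAMPLE_KEY_B64")"
```

Usage: `sh sign.sh` prints the two signatures for the constructed sample so the difference is visible; to use it for a real request, set `SAMPLE_KEY_B64` to the key's `<Value>` and `STRING_TO_SIGN` to the string assembled from the reference page. Note that `sas_signature` proves only that the HMAC is right: if the signed fields (sp, sr, sks, skv, sv and the rest) do not match the query parameters, or exceed what the key requester's RBAC role allows, the service still rejects the request.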

1 Answer

1
votes

Try to assign the Storage Blob Data Contributor role to the storage account.

The Reader role is an Azure Resource Manager role that permits users to view storage account resources, but not modify them. It does not provide read permissions to data in Azure Storage, but only to account management resources.

Refer to this article.
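The role assignment the answer recommends, done with the Azure CLI, as an added example that is not part of the answer or of the linked article. It assumes the `az` CLI is installed and logged in; the application id, subscription id, resource group and account name are placeholders supplied on the command line. The scope is the storage account's ARM resource id, and the role is a data-plane role, which is what the management-plane Reader role described in the answer lacks.

```shell
#!/bin/sh
# Added example: grant the AAD app a data-plane blob role and verify it.
set -eu

# storage_account_scope SUBSCRIPTION_ID RESOURCE_GROUP ACCOUNT_NAME
# Builds the ARM resource id of the storage account, used as the assignment scope.
storage_account_scope() {
    printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' \
        "$1" "$2" "$3"
}

# grant_blob_data_role APP_ID SCOPE [ROLE]
# Assigns a data-plane role (default: Storage Blob Data Contributor). Reader,
# Contributor and Owner only cover account management and do not grant blob access.
grant_blob_data_role() {
    az role assignment create \
        --assignee "$1" \
        --role "${3:-Storage Blob Data Contributor}" \
        --scope "$2" \
        --output none
}

# show_roles APP_ID SCOPE
# Lists the role names the app holds at this scope, so a missing data-plane role
# (the condition behind AuthorizationPermissionMismatch) is visible before retrying.
show_roles() {
    az role assignment list --assignee "$1" --scope "$2" \
        --query "[].roleDefinitionName" --output tsv
}

# Only talks to Azure when invoked as:
#   sh grant-role.sh grant <app-id> <subscription-id> <resource-group> <account-name>
if [ "${1:-}" = "grant" ] && [ $# -eq 5 ]; then
    scope=$(storage_account_scope "$3" "$4" "$5")
    grant_blob_data_role "$2" "$scope"
    echo "Roles held by $2 at $scope:"
    show_roles "$2" "$scope"
fi
```

If the app only ever reads blobs, pass `"Storage Blob Data Reader"` as the third argument to `grant_blob_data_role`; it also permits requesting a user delegation key and keeps the app to least privilege. A new assignment does not take effect instantly, so a request retried immediately after the grant can still fail with the same 403.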