0
votes

We are setting a key for the Storage Account and then using it to access the contents as below:

var storageCredentials = new StorageCredentials(mediaStorageAccountName, base64EncodedKey);
var storageAccount = new CloudStorageAccount(storageCredentials, true);
var connString = storageAccount.ToString(true);

Then, using the same "storageAccount" to create the Blob Client;

CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient();

And to get the Container;

var container = blobClient.GetContainerReference(ContainerName);

"storageAccount" Credential properties are "IsSAS" FALSE, "IsSharedKey" TRUE, "IsToken" FALSE and "KeyName" is NULL.

But when the Blob is accessed with OpenReadAsync, it fails with the following exception:

The remote server returned an error: (403) Forbidden.,The remote server returned an error: (403) Forbidden. Line number: Microsoft.WindowsAzure.Storage Trace: at Microsoft.WindowsAzure.Storage.Core.Executor.Executor.EndExecuteAsync[T](IAsyncResult result) at Microsoft.WindowsAzure.Storage.Blob.CloudBlob.EndExists(IAsyncResult asyncResult) at Microsoft.WindowsAzure.Storage.Core.Util.AsyncExtensions.<>c__DisplayClass2`1.b__0(IAsyncResult ar)

It is basically getting all the references to Container/Blobs etc. correctly (gives the correct name), but when it tries to read/download/upload those, it fails.

Also, instead of using the "storageAccount" reference directly, even if it is secured with the following, it gives the same exception:

CloudStorageAccount storageAccount = new CloudStorageAccount(
   new Microsoft.WindowsAzure.Storage.Auth.StorageCredentials(storageAccountName, base64EncodedKey), true);

What is wrong here and how to fix this? Why is KeyName NULL? Is that causing this issue?

1
3 Things you may want to check: 1) Account key you entered is correct 2) Time on the machine you are executing the code from is correct and 3) Storage account is not behind a firewall. These three things could lead to 403 error. - Gaurav Mantri
Why is KeyName NULL? - On purpose storage account key is never made available like that. Is that causing this issue? - I would highly doubt that. - Gaurav Mantri
What do you mean by Account Key is correct? This is not Storage Account Key, we are defining our own key here. It's running on Azure WebJob, so I don't think Time is an issue. There is no Firewall specifically defined for this newly created Storage Account, unless Azure puts it behind one by default. - amsDeveloper
What do you mean by Account Key is correct? This is not Storage Account Key, we are defining our own key here - You need to use the storage account key for the storage account in question. In Azure Portal, go to the storage account and then access keys and then use either key1 or key2 as account key. - Gaurav Mantri
Well, the very reason that we are using "new StorageCredentials" is to create new credentials with key as defined in "base64EncodedKey". And, I can see it getting properly defined with "connString". It already works this way with another Storage Account. Btw, this is for storage account associated with Media Service. - amsDeveloper

1 Answers

1
votes

The 403 Forbidden exception is often caused by using a wrong access key.

As you are using Authorize with Shared Key, all authorized requests must include the Coordinated Universal Time (UTC) timestamp for the request. You can specify the timestamp either in the x-ms-date header, or in the standard HTTP/HTTPS Date header.

The storage services ensure that a request is no older than 15 minutes by the time it reaches the service. This guards against certain security attacks, including replay attacks. When this check fails, the server returns response code 403 (Forbidden).

So, review your server date and time.
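
A pre-flight check for the two causes discussed above (the key and the clock), as an added example that is not part of the original answer or of the Storage SDK. It uses only .NET base class library calls; the class and method names are hypothetical, and the key strings, Date header value and abbreviated string-to-sign are constructed sample values.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

static class SharedKeyPreflight // hypothetical helper, not part of the Storage SDK
{
    static readonly TimeSpan MaxAge = TimeSpan.FromMinutes(15); // window cited in the answer

    // Account keys are Base64 text; a value that does not decode cannot be key1/key2.
    public static bool TryDecodeKey(string base64Key, out byte[] key)
    {
        try { key = Convert.FromBase64String(base64Key.Trim()); return key.Length > 0; }
        catch (FormatException) { key = new byte[0]; return false; }
    }

    // Compare the local UTC clock with the Date header of a response from the service.
    public static bool ClockInWindow(string serverDate, DateTimeOffset localUtcNow, out TimeSpan skew)
    {
        var server = DateTimeOffset.ParseExact(serverDate, "r",
            CultureInfo.InvariantCulture, DateTimeStyles.AssumeUniversal);
        skew = (localUtcNow - server).Duration();
        return skew < MaxAge;
    }

    // Shared Key signature: Base64(HMAC-SHA256(decoded key, UTF-8 string-to-sign)).
    public static string Sign(byte[] key, string stringToSign)
    {
        using (var hmac = new HMACSHA256(key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(stringToSign)));
    }

    static void Main()
    {
        // Constructed sample values: no real key, account or response is used.
        string portalKey = Convert.ToBase64String(Encoding.ASCII.GetBytes("constructed-portal-key1"));
        string ownKey = Convert.ToBase64String(Encoding.ASCII.GetBytes("constructed-self-made-key"));
        string serverDate = "Mon, 01 Jan 2024 12:00:00 GMT";
        var localNow = new DateTimeOffset(2024, 1, 1, 12, 20, 0, TimeSpan.Zero);
        // Abbreviated string-to-sign (verb, x-ms-date, resource), not the full canonical form.
        string toSign = "GET\nx-ms-date:" + serverDate + "\n/sampleaccount/samplecontainer/sample.bin";

        TryDecodeKey(portalKey, out var serviceSide);
        Console.WriteLine("own key decodes: " + TryDecodeKey(ownKey, out var clientSide));
        // A well-formed but different key yields a different signature, so the service answers 403.
        Console.WriteLine("signatures match: " + (Sign(serviceSide, toSign) == Sign(clientSide, toSign)));
        Console.WriteLine("clock in window: " + ClockInWindow(serverDate, localNow, out var skew) + " (skew " + skew + ")");
    }
}
```

GetContainerReference builds its reference locally without sending a request, so a wrong key first surfaces at the first signed call, such as OpenReadAsync.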