Is an authorization header required by the azure storage shared access signature (SAS) REST API

0
votes

I need to read/write an azure storage table. The client program is configured to use a shared access signature to read/write remote azure table.

Can anyone give me a good example of how to construct the authorization header in order to use the sas? I am getting HTTP error code 403.

Microsoft documentation specified that all the rest API will have to be embedded with an authorization header. By default, the documentation suggests that I can use the storage account access key to generate the HMAC-SHA code for the authorization header. I think I am missing something here.

The whole idea of using a shared access signature (SAS) is to protect the storage account access key. At the same time, the doeumentation seems to suggest that the storage account owner needs to provide the account access key so the client can use the access key to generate the HMAC-SHA code. What am I missing here? can anyone shed some light here? Thanks,

1
azure-storage
Could please let us know which api you're using? you can provide a link to the api. I can provide a working example here.Ivan Yang
are you using azure table storage Query Entities api?Ivan Yang
Yes, I am using the query entity api, Here is the link: docs.microsoft.com/en-us/rest/api/storageservices/…MIkey
provided that I am using SAS, Microsoft keeps telling me that I don't need to provide an authorization header. It seems pretty straight forward. Yet, I keep getting HTTP error 403. I suspects that maybe there is a problem with the header?MIkey

1 Answers

0
votes

If you're using sas_token in the request url, then you don't need to provide Authorization in the header.

How to check which header should be provided? in the related api page -> go to the Request Headers section -> check each header, if the header is required, then it will be described in it's Description. Here is a screenshot for your reference:

enter image description here

Here are the steps to query entities by using sas_token:

1.Generate sas_token from azure portal. You can refer to the screenshot below:

enter image description here

2.Check which header are required, as per query-entities -> request-headers, we know x-ms-date is required(Authorization is not required here since we're using sas_token). You can provide a value for x-ms-date, like Wed, 13 Jan 2021 01:29:31 GMT.

If you don't know how to get the value for x-ms-date header, you can open powershell -> type Get-Date command -> then it will generate the date:

enter image description here

3.Prepare the request url with sas_token, like below:

https://xxx.table.core.windows.net/testtable(PartitionKey='a1',RowKey='r11')?sv=2019-12-12&ss=t&srt=sco&sp=rwdlacu&se=2021-01-13T09:24:58Z&st=2021-01-13T01:24:58Z&spr=https&sig=xxxxx

4.Use some tools like Postman, send the request with proper header. Here is the test result by using Postman:

enter image description here