6

I created a Shared Access Signature (SAS) token on my Azure storage account using the web interface. The token looks like

?sv=xxxx-xx-xx&ss=b&srt=sco&sp=rl&se=xxxx-xx-xxTxx:xx:xxZ&st=xxxx-xx-xxTxx:xx:xxZ&spr=https&sig=xxxxxxxxxxxxxxxxxxxxxx

The SAS token here is missing the sr field for Service Resource. I have to manually prepend the sr=b to the query string to get things to work. I must be doing something wrong, because this seems extremely finicky.

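from azure.storage.blob import BlockBlobService

# Token exactly as copied from the web interface (note the leading '?')
sas_token = "?sv=xxxx-xx-xx&ss=b&srt=sco&sp=rl&se=xxxx-xx-xxTxx:xx:xxZ&st=xxxx-xx-xxTxx:xx:xxZ&spr=https&sig=xxxxxxxxxxxxxxxxxxxxxx"
# Workaround: prepend sr=b as the first field of the query string
sas_token = "?sr=b&" + sas_token[1:]

serv = BlockBlobService(account_name='myaccount', sas_token=sas_token)

# List every container the token can see
for cont in serv.list_containers():
    print(cont.name)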

Without the sas_token = "?sr=b&" + sas_token[1:] I get the error:

sr is mandatory. Cannot be empty

And if the sr=b field is not first in the query, I get an authentication error like

Access without signed identifier cannot have time window more than 1 hour

2
  • What version of Python SDK are you using? Commented Jul 7, 2017 at 1:11
  • I'm using Python 2.7.6 and azure-storage 0.34.3 Commented Jul 7, 2017 at 18:24

1 Answer

10

Access without signed identifier cannot have time window more than 1 hour

Based on this error message, you may need to set the expiry time to less than 1 hour from now. See Windows Azure Shared Access Signature always gives: Forbidden 403.

I took your code with Python v2.7.12 and @azure-storage-python v0.34.3 (the latest version). And it worked well on my site. So, I'd recommend you upgrade to the latest version and try it again.


UPDATE:

I traced the code of Azure Storage SDK for Python and here's what I found. The SDK is a REST API wrapper which assumes that the SAS token looks like this:

sv=2015-04-05&ss=bfqt&srt=sco&sp=rl&se=2015-09-20T08:49Z&sip=168.1.5.60-168.1.5.70&sig=a39%2BYozJhGp6miujGymjRpN8tsrQfLo9Z3i8IRyIpnQ%3d

As you can see, the token doesn't include ?. And the SDK will append ? before the SAS token when it makes a GET request to the Azure Storage REST service.


This causes the key of the signed version to be parsed as ?sv, which then raises the issue. So, to avoid this, we should remove the ? from the SAS token.


4 Comments

The code as above does work. My issue is that modifying the SAS token seems like the wrong approach. I should be able to use the unmodified SAS token to authenticate and query against an Azure storage account.
Just remove the ? from the SAS token. I've updated my answer with details.
This is like the best answer, saved my life because I overlooked that double ?. Would be really great from MS to get a correct malformed URL error or something useful.
For some reason, it seems that the format of the SAS token you get from the Azure Portal (web UI) is different depending on whether you get a Token for the storage account or for a blob container - the former has a ? at the start, the latter does not. As a result, if you're using this in a script (for example) you need to check whether there is a ? at the beginning of the token you are using.
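
The check described in the last comment, as an added example that is not part of the original thread or the Azure SDK: a helper that accepts a SAS token with or without the leading ?, rejects malformed tokens with a clear error, and masks sig before the token is logged. The function names and sample token values are constructed for illustration; it uses only the Python 3 standard library.

```python
from urllib.parse import parse_qs

# Fields common to both SAS tokens shown on this page.
REQUIRED_FIELDS = ("sv", "sp", "se", "sig")


def normalize_sas_token(raw):
    """Return the bare SAS query string (no leading '?') or raise ValueError."""
    # Keep only what follows the last '?': handles '?sv=...', '??sv=...',
    # a bare 'sv=...' and a full URL carrying the token as its query string.
    _, _, query = raw.strip().rpartition("?")
    try:
        fields = parse_qs(query, keep_blank_values=True, strict_parsing=True)
    except ValueError:
        raise ValueError("SAS token is not a well-formed query string") from None
    # A field given twice (e.g. a hand-prepended sr=b) makes the token ambiguous.
    repeated = sorted(k for k, v in fields.items() if len(v) > 1)
    if repeated:
        raise ValueError("repeated SAS fields: " + ", ".join(repeated))
    missing = [k for k in REQUIRED_FIELDS if not fields.get(k, [""])[0]]
    if missing:
        raise ValueError("missing SAS fields: " + ", ".join(missing))
    return query  # original encoding is preserved, only the prefix is dropped


def redact_sas_token(raw):
    """Copy of the token that is safe to log: the sig value is masked."""
    parts = []
    for pair in normalize_sas_token(raw).split("&"):
        key, _, value = pair.partition("=")
        parts.append(key + "=" + ("REDACTED" if key == "sig" else value))
    return "&".join(parts)


# Constructed sample tokens (placeholder values, not real credentials).
PORTAL_ACCOUNT_TOKEN = ("?sv=2015-04-05&ss=b&srt=sco&sp=rl"
                        "&se=2015-09-20T08:49Z&spr=https&sig=c2FtcGxl%3D")
BARE_TOKEN = PORTAL_ACCOUNT_TOKEN[1:]

if __name__ == "__main__":
    for token in (PORTAL_ACCOUNT_TOKEN, BARE_TOKEN):
        print(redact_sas_token(token))
    # With azure-storage 0.34.x the normalized value is what gets passed on:
    # BlockBlobService(account_name='myaccount',
    #                  sas_token=normalize_sas_token(token))
```
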
