2

I want to call REST API related to file storage of azure through postman. Here is how I am making my request :

enter image description here

I am making request to list all shares in file storage account as described here : https://learn.microsoft.com/en-us/rest/api/storageservices/list-shares

I am getting below error:

"The Date header in the request is incorrect." What changes I should make ?

Edit1 :

When I provided date n correct format, I have error like this :

enter image description here

I am getting below error: "The MAC signature found in the HTTP request '' is not the same as any computed signature. Server used following string to sign: 'GET"

How to resolve this?

Improve this question
9
  • You would need to calculate the authorization header value. It is very well documented here: learn.microsoft.com/en-us/rest/api/storageservices/…. Commented Jul 18, 2017 at 6:04
  • Please see the updated question.. Commented Jul 18, 2017 at 6:41
  • Could you give use some insight into how you are constructing the Signature? It looks way longer than in the examples. Commented Jul 18, 2017 at 6:46
  • Hi, key is the same as provided in 'Access-keys' tab of my account of azure portal. What's your suggestion? Commented Jul 18, 2017 at 6:53
  • You should calculate the signature, not just use the access-key. See the updated answer. Commented Jul 18, 2017 at 7:05

2 Answers 2

Reset to default
3

With your updated screenshot, it seems like that your problem is no longer related to x-ms-date. The reason for this 403 error is the Authorization attribute in the Header which format as

Authorization="[SharedKey|SharedKeyLite] [AccountName]:[Signature]"

You should't directly use the Access Key on Azure Portal as the Signature part of Authorization,instead it should be constructed encoding request string by using the HMAC-SHA256 algorithm over the UTF-8-encoded. format as

Signature=Base64(HMAC-SHA256(UTF8(StringToSign)))

which mentioned on the official document.

Sample java code as below show you how to construct Signature part of Authorization:

String stringToSign = "GET\n" 
       + "\n" // content encoding
       + "\n" // content language
       + "\n" // content length
       + "\n" // content md5
       + "\n" // content type
       + "\n" // date
       + "\n" // if modified since
       + "\n" // if match
       + "\n" // if none match
       + "\n" // if unmodified since
       + "\n" // range
       + "x-ms-date:" + date + "\nx-ms-version:2015-02-21\n" // headers
       + "/" + <your account name> + "/"+"\ncomp:list"; // resources
       String auth = getAuthenticationString(stringToSign);

private static String getAuthenticationString(String stringToSign) throws Exception {
       Mac mac = Mac.getInstance("HmacSHA256");
       mac.init(new SecretKeySpec(Base64.decode(key), "HmacSHA256"));
       String authKey = new String(Base64.encode(mac.doFinal(stringToSign.getBytes("UTF-8"))));
       String auth = "SharedKey " + account + ":" + authKey;
       return auth;
}

The auth parameter in the code is generated your Signature mentioned above,then you could fill it in the Authorization property and re-send request in Postman.

The screenshot as below: enter image description here

Important notice:

In the above code,you should't miss "\ ncomp: list" in the //resources line,otherwise it will also return 403 error. You could find the rules in the Constructing the Canonicalized Resource String.

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

Thanks , that code actually gave me brief idea about required shared key.
Hi, please have a look at this question : stackoverflow.com/questions/45209985/…
@VyankateshSRepal ok.
Hi please give some suggestion for this : stackoverflow.com/questions/45279079/…
1

The link you point towards holds this example:

PUT http://myaccount/mycontainer?restype=container&timeout=30 HTTP/1.1  
x-ms-version: 2015-02-21  
x-ms-date: Fri, 26 Jun 2015 23:39:12 GMT  
Authorization: SharedKey myaccount:ctzMq410TV3wS7upTBcunJTDLEJwMAZuFPfr0mrrA08=  
Content-Length: 0

The date format you're using is not correct:

All authenticated requests must include the Coordinated Universal Time (UTC) timestamp for the request. You can specify the timestamp either in the x-ms-date header, or in the standard HTTP/HTTPS Date header. If both headers are specified on the request, the value of x-ms-date is used as the request's time of creation.

EDIT:
On the authorization header, the Authentication for the Azure Storage Services link in the article in your link states the following:

To authenticate a request, you must sign the request with the key for the account that is making the request and pass that signature as part of the request.

The format for the Authorization header is as follows:
Authorization="[SharedKey|SharedKeyLite] :"
where SharedKey or SharedKeyLite is the name of the authorization scheme, AccountName is the name of the account requesting the resource, and Signature is a Hash-based Message Authentication Code (HMAC) constructed from the request and computed by using the SHA256 algorithm, and then encoded by using Base64 encoding.

Here's some more info on the Hash-based Message Authentication Code (HMAC)

Since you commented:

Hi, key is the same as provided in 'Access-keys' tab of my account of azure portal. What's your suggestion?

That's where the problem is. You shouldn't use the key as the Signature for the message, you need to calculate the Signature based on the key.

In short:

  • Calculate the SHA256 hash of your request using the key from the 'Access-keys' tab
  • Base64 encode the SHA256 hash output
  • Use the Base64 encoded string as the Signature
Improve this answer

5 Comments

Should I convert all requested data in the screenshot to SHA256 ? I used this tool to convert the data to SHA256 : xorbin.com/tools/sha256-hash-calculator Then I encoded it to Base64 : online-convert.com/result/469e1c6b-17f8-4fba-99cc-8ae817f5ee0a Still it's giving same error. Can you please help me out for the correct stpeps?
You should calculate (not convert) the SHA256 of the request with the access key. So it's not as much a conversion as it is an extra piece of information that validates your request. For correct steps, read the link(s) both Gaurav Mantri and I shared.
To calculate a decent SHA256 HMAC value, Search for SHA256 HMAC and use an online tool. Don't just use any SHA256 calculator.
Hi, please have a look at this question : stackoverflow.com/questions/45209985/…
Hi, please have a look at this : stackoverflow.com/questions/45279079/…

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.