
I have created an AAD app as per https://learn.microsoft.com/en-us/azure/storage/common/storage-auth-aad-app.

Access to the Azure storage account is granted to the AAD app that was created.

Got the client id and client secret.

To create a user delegation key and user delegation sas, I am using the approach and code as defined in https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blob-user-delegation-sas-create-dotnet.

(set environment variables as mentioned in article).

I am able to generate the user delegation key using method GetUserDelegationSasBlob.

The container and blob file are existing ones.

Now I am using the method ReadBlobWithSasAsync to read the contents of the blob using the SAS uri as generated above.

But I get the error below.

This request is not authorized to perform this operation using this permission. RequestId:5d127eaf-101e-00be-6666-6a3875000000

Time:2019-09-13T19:04:15.4109144Z

Status: 403 (This request is not authorized to perform this operation using this permission.)

ErrorCode: AuthorizationPermissionMismatch

In another approach, I am generating the user delegation key using rest api. https://learn.microsoft.com/en-us/rest/api/storageservices/get-user-delegation-key

I am able to get user delegation key in xml format. I am creating SAS from it as per steps in https://learn.microsoft.com/en-us/rest/api/storageservices/create-user-delegation-sas

For the signature, I am using this code, with the StringToSign and the secret value as received from the delegation key.

using System;
using System.Security.Cryptography;
using System.Text;

// The key <Value> returned by Get User Delegation Key is base64 text: decode it to raw bytes.
// (ASCII-encoding the base64 text gives a different key and a signature the service rejects.)
byte[] keyByte = Convert.FromBase64String(secret);
byte[] messageBytes = Encoding.UTF8.GetBytes(ToSign);
string sig;
using (var hmacsha256 = new HMACSHA256(keyByte))
{
    byte[] hashmessage = hmacsha256.ComputeHash(messageBytes);
    sig = Convert.ToBase64String(hashmessage);
}
// URL-encode sig before placing it in the query string ('+', '/' and '=' are not query-safe).
string sigParam = Uri.EscapeDataString(sig);

I am doing the GET request. I have tried various sets of parameter values, like:

sr: b and c
sks: b and c
sp: racwd and r and rw and a few more

skv and sv are 2018-11-09 because this version is required for creating the user delegation key.

But the GET API returns this error:

AuthenticationFailed Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. RequestId:e4bc8f0f-d01e-0046-7367-6af368000000 Time:2019-09-13T19:12:27.7780695Z Signature fields not well formed.

  • Try to assign the Storage Blob Data Contributor role to the storage account. Refer to this article. Commented Sep 16, 2019 at 9:54
  • Hi Joey. Can't see the check mark beside your comment. Commented Sep 26, 2019 at 22:14
  • Hi Manish, just click on the check mark beside the answer to toggle it from greyed out to filled in, like this one. Commented Sep 27, 2019 at 1:20
  • Hi Joey. Thanks for helping to resolve the issue. Accepted the answer. Commented Oct 15, 2019 at 4:09
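The REST signing step the question describes, as an added example in Python (not the asker's C# and not Azure SDK code): it parses a constructed Get User Delegation Key response, builds the sv=2018-11-09 string-to-sign in the field order given on the linked create-user-delegation-sas page, base64-decodes the key Value before the HMAC, and URL-encodes the result into the query string. The account, container, blob and key values are placeholders.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed sample of a Get User Delegation Key response body (not a real key; <Value> is base64 of 32 x 0x01).
SAMPLE_KEY_XML = """<UserDelegationKey>
  <SignedOid>00000000-0000-0000-0000-000000000001</SignedOid>
  <SignedTid>00000000-0000-0000-0000-000000000002</SignedTid>
  <SignedStart>2019-09-13T19:00:00Z</SignedStart>
  <SignedExpiry>2019-09-14T19:00:00Z</SignedExpiry>
  <SignedService>b</SignedService>
  <SignedVersion>2018-11-09</SignedVersion>
  <Value>AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQE=</Value>
</UserDelegationKey>"""

def parse_delegation_key(xml_text):
    """Return the <UserDelegationKey> child elements as a {tag: text} dict."""
    return {child.tag: child.text for child in ET.fromstring(xml_text)}

def string_to_sign(account, container, blob, key, sp, st, se, sv="2018-11-09", sr="b", spr="https"):
    """sv=2018-11-09 string-to-sign; field order per the linked create-user-delegation-sas page (re-check for newer sv)."""
    canonical = "/blob/%s/%s" % (account, container) + ("/" + blob if blob else "")
    fields = [sp, st, se, canonical,
              key["SignedOid"], key["SignedTid"], key["SignedStart"], key["SignedExpiry"],
              key["SignedService"], key["SignedVersion"],   # skoid, sktid, skt, ske, sks, skv
              "", spr, sv, sr, "",                          # signedIP, spr, sv, sr, snapshot time
              "", "", "", "", ""]                           # rscc, rscd, rsce, rscl, rsct
    return "\n".join(fields)

def hmac_b64(raw_key, text):
    """HMAC-SHA256 over the UTF-8 string-to-sign, base64-encoded, as the service computes it."""
    return base64.b64encode(hmac.new(raw_key, text.encode("utf-8"), hashlib.sha256).digest()).decode("ascii")

def sign(key_value_b64, to_sign):
    """The key <Value> is base64 text: decode it to raw bytes before the HMAC.
    ASCII-encoding the base64 text instead (as in the posted snippet) gives a signature the service rejects."""
    return hmac_b64(base64.b64decode(key_value_b64), to_sign)

def build_sas_query(account, container, blob, key, sp, st, se, sv="2018-11-09", sr="b", spr="https"):
    """Return the SAS query string; skoid..skv are copied from the key, never chosen by hand."""
    sig = sign(key["Value"], string_to_sign(account, container, blob, key, sp, st, se, sv, sr, spr))
    params = [("sv", sv), ("sr", sr), ("sp", sp), ("st", st), ("se", se), ("spr", spr),
              ("skoid", key["SignedOid"]), ("sktid", key["SignedTid"]), ("skt", key["SignedStart"]),
              ("ske", key["SignedExpiry"]), ("sks", key["SignedService"]), ("skv", key["SignedVersion"]),
              ("sig", sig)]
    return urlencode(params)  # percent-encodes '+', '/' and '=' inside sig so the query parses cleanly
```

Every value that goes into the string-to-sign must be the exact value sent in the query (sks is the key's SignedService, sr is b for a blob), otherwise the service reports a malformed or mismatched signature.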

1 Answer

Try to assign the Storage Blob Data Contributor role to the storage account.

The Reader role is an Azure Resource Manager role that permits users to view storage account resources, but not modify them. It does not provide read permissions to data in Azure Storage, but only to account management resources.

Refer to this article.

