I'm generating a SAS Token for Azure Blob Storage, it seems to be working with local IP but not VM IP. Any idea why?

Question

I'm generating a SAS Token for Azure Blob Storage, it seems to be working with local IP but not VM IP. Any idea why?

Infra@UB 20

I'm generating a SAS Token for Azure Blob Storage, it seems to be working with local IP but not VM IP (generated two different tokens). Also, this seemed to be working until a while ago when an earlier token expired on it's own. Any idea why?

RestError: This request is not authorized to perform this operation.
RequestId:06f2a2bd-801e-000b-36ae-25b997000000
Time:2023-01-11T11:21:26.1451777Z
 {
  "name": "RestError",
  "code": "AuthorizationFailure",
  "statusCode": 403,
  "request": {
    "streamResponseStatusCodes": {},
    "url": "https://ubstagingcontainer.blob.core.windows.net/ubstagingcontainer/ubstagingcontainer/contacts.png?sp=REDACTED&st=REDACTED&se=REDACTED&sip=REDACTED&spr=REDACTED&sv=REDACTED&sr=REDACTED&sig=REDACTED&comp=REDACTED&blockid=REDACTED",
    "method": "PUT",
    "headers": {
      "_headersMap": {
        "x-ms-version": "REDACTED",
        "content-length": "59935",
        "content-type": "application/octet-stream",
        "accept": "application/xml",
        "user-agent": "azsdk-js-storageblob/12.12.0 (NODE-VERSION v16.16.0; Linux 5.15.0-1029-azure)",
        "x-ms-client-request-id": "c6342b9d-c1e9-468d-9eca-975ac5293dad",
        "cookie": "REDACTED"
      }
    },
    "withCredentials": false,
    "timeout": 0,
    "keepAlive": true,
    "decompressResponse": false,
    "requestId": "c6342b9d-c1e9-468d-9eca-975ac5293dad"
  },
  "details": {
    "errorCode": "AuthorizationFailure",
    "content-length": "246",
    "content-type": "application/xml",
    "date": "Wed, 11 Jan 2023 11:21:25 GMT",
    "server": "Microsoft-HTTPAPI/2.0",
    "x-ms-client-request-id": "c6342b9d-c1e9-468d-9eca-975ac5293dad",
    "x-ms-request-id": "06f2a2bd-801e-000b-36ae-25b997000000",
    "message": "This request is not authorized to perform this operation.\nRequestId:06f2a2bd-801e-000b-36ae-25b997000000\nTime:2023-01-11T11:21:26.1451777Z",
    "code": "AuthorizationFailure"
  },
  "message": "This request is not authorized to perform this operation.\nRequestId:06f2a2bd-801e-000b-36ae-25b997000000\nTime:2023-01-11T11:21:26.1451777Z"
}

Infra@UB 20

Error log:

RestError: This request is not authorized to perform this operation.
RequestId:06f2a2bd-801e-000b-36ae-25b997000000
Time:2023-01-11T11:21:26.1451777Z
 {
  "name": "RestError",
  "code": "AuthorizationFailure",
  "statusCode": 403,
  "request": {
    "streamResponseStatusCodes": {},
    "url": "https://ubstagingcontainer.blob.core.windows.net/ubstagingcontainer/ubstagingcontainer/contacts.png?sp=REDACTED&st=REDACTED&se=REDACTED&sip=REDACTED&spr=REDACTED&sv=REDACTED&sr=REDACTED&sig=REDACTED&comp=REDACTED&blockid=REDACTED",
    "method": "PUT",
    "headers": {
      "_headersMap": {
        "x-ms-version": "REDACTED",
        "content-length": "59935",
        "content-type": "application/octet-stream",
        "accept": "application/xml",
        "user-agent": "azsdk-js-storageblob/12.12.0 (NODE-VERSION v16.16.0; Linux 5.15.0-1029-azure)",
        "x-ms-client-request-id": "c6342b9d-c1e9-468d-9eca-975ac5293dad",
        "cookie": "REDACTED"
      }
    },
    "withCredentials": false,
    "timeout": 0,
    "keepAlive": true,
    "decompressResponse": false,
    "requestId": "c6342b9d-c1e9-468d-9eca-975ac5293dad"
  },
  "details": {
    "errorCode": "AuthorizationFailure",
    "content-length": "246",
    "content-type": "application/xml",
    "date": "Wed, 11 Jan 2023 11:21:25 GMT",
    "server": "Microsoft-HTTPAPI/2.0",
    "x-ms-client-request-id": "c6342b9d-c1e9-468d-9eca-975ac5293dad",
    "x-ms-request-id": "06f2a2bd-801e-000b-36ae-25b997000000",
    "message": "This request is not authorized to perform this operation.\nRequestId:06f2a2bd-801e-000b-36ae-25b997000000\nTime:2023-01-11T11:21:26.1451777Z",
    "code": "AuthorizationFailure"
  },
  "message": "This request is not authorized to perform this operation.\nRequestId:06f2a2bd-801e-000b-36ae-25b997000000\nTime:2023-01-11T11:21:26.1451777Z"
}

Accepted answer

1 additional answer

Your answer

Infra@UB 20 Reputation points

2023-01-12T14:28:37.3166667+00:00

Error log:

RestError: This request is not authorized to perform this operation. RequestId:06f2a2bd-801e-000b-36ae-25b997000000 Time:2023-01-11T11:21:26.1451777Z { "name": "RestError", "code": "AuthorizationFailure", "statusCode": 403, "request": { "streamResponseStatusCodes": {}, "url": "https://ubstagingcontainer.blob.core.windows.net/ubstagingcontainer/ubstagingcontainer/contacts.png?sp=REDACTED&st=REDACTED&se=REDACTED&sip=REDACTED&spr=REDACTED&sv=REDACTED&sr=REDACTED&sig=REDACTED&comp=REDACTED&blockid=REDACTED", "method": "PUT", "headers": { "_headersMap": { "x-ms-version": "REDACTED", "content-length": "59935", "content-type": "application/octet-stream", "accept": "application/xml", "user-agent": "azsdk-js-storageblob/12.12.0 (NODE-VERSION v16.16.0; Linux 5.15.0-1029-azure)", "x-ms-client-request-id": "c6342b9d-c1e9-468d-9eca-975ac5293dad", "cookie": "REDACTED" } }, "withCredentials": false, "timeout": 0, "keepAlive": true, "decompressResponse": false, "requestId": "c6342b9d-c1e9-468d-9eca-975ac5293dad" }, "details": { "errorCode": "AuthorizationFailure", "content-length": "246", "content-type": "application/xml", "date": "Wed, 11 Jan 2023 11:21:25 GMT", "server": "Microsoft-HTTPAPI/2.0", "x-ms-client-request-id": "c6342b9d-c1e9-468d-9eca-975ac5293dad", "x-ms-request-id": "06f2a2bd-801e-000b-36ae-25b997000000", "message": "This request is not authorized to perform this operation.\nRequestId:06f2a2bd-801e-000b-36ae-25b997000000\nTime:2023-01-11T11:21:26.1451777Z", "code": "AuthorizationFailure" }, "message": "This request is not authorized to perform this operation.\nRequestId:06f2a2bd-801e-000b-36ae-25b997000000\nTime:2023-01-11T11:21:26.1451777Z" }

Answer 1

Infra@UB Firstly, If you have generated a New SAS token for the same azure storage account/blob/container/ share which has SAS token already been generated? The old token gets expired and authentication or authorization won't work. You need to use the newly generated SAS token.

Based on the error: Other authorization errors (for example, attempting to modify an ACL or calling another unsupported SAS API)

Authorization header is missing, so authorization was acquired using SAS
Authorization header is present, so authorization was acquired using OAuth Just for the testing purpose, Can you generate the SAS token through Azure Storage explorer tool and let me know the status.
Cause 2 You can also check your firewall rules for the Storage account

Storage accounts > {yourAccount} > Networking > Firewalls and Virtual networks and add your IP address

Additional information: Can you please refer to this article: How a shared access signature works

Create SAS tokens for your Azure storage
Best practices when using SAS
Additional information :


Request Syntax:  
PUT https://myaccount.blob.core.windows.net/mycontainer/myblockblob HTTP/1.1  
Request Headers:  
x-ms-version: 2015-02-21  
x-ms-date: <date>  
Content-Type: text/plain; charset=UTF-8  
x-ms-blob-content-disposition: attachment; filename="fname.ext"  
x-ms-blob-type: BlockBlob  
x-ms-meta-m1: v1  
x-ms-meta-m2: v2  
Authorization: SharedKey myaccount:YhuFJjN4fAR8/AmBrqBz7MG2uFinQ4rkh4dscbj598g=  
Content-Length: 11  
Request Body:  
hello world

https://learn.microsoft.com/en-us/rest/api/storageservices/put-blob
Looking forward for your reply!

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Infra@UB 20 Reputation points

2023-01-18T07:56:54.5166667+00:00

@Sumarigo-MSFT I tried generating a SAS Token using Azure Storage Explorer Tool, I still get the same error. I tried the links you've sent and set the start time a little in the past and the expiry time is also a bit long - 10 years. Still the same error.
I've even whitelisted the IPs I'm using (VM and local), still the same issue.
Sumarigo-MSFT 47,466 Reputation points Microsoft Employee Moderator

2023-01-19T06:27:32.2566667+00:00

Infra@UB Working offline with the customer
Sumarigo-MSFT 47,466 Reputation points Microsoft Employee Moderator

2023-01-19T15:46:44.3766667+00:00

@Infra@UB Thanks for connecting offline! We were able to resolve your issue. Issue was related to Vnet settings. Thanks for accepting the answer, requesting you to retake the survey.
Appreciate your feedback.

Answer 2

Ramya Harinarthini_MSFT 5,366 Microsoft Employee Moderator

@Infra@UB Welcome to Microsoft Q&A, thank you for posting your here!!

We have checked with the Request ID: 06f2a2bd-801e-000b-36ae-25b997000000 from our end and could see the Request is coming from this Client IP=100.73.18.97. Could you please verify if this is the VM ip address you are trying to access from?

Also, please check if you have enabled Firewalls and Virtual networks on your storage account and allowed access to the storage account only from specific Virtual Network(s) (VNet) or all Networks.

You can further troubleshoot this issue with the help of this article: [https://techcommunity.microsoft.com/t5/azure-paas-blog/troubleshooting-storage-firewall-issues/ba-p/1944730

Hope this helps!
Kindly let us know if the above helps or you need further assistance on this issue.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Infra@UB 20 Reputation points

2023-01-11T16:21:20.6333333+00:00

@Ramya Harinarthini_MSFT that's not the VM's IP.
No I haven't enabled access to VNets, it's public access for now.
Let me check and get back to you. Thanks!
Infra@UB 20 Reputation points

2023-01-12T07:41:21.0466667+00:00

@Ramya Harinarthini_MSFT I changed it to have access from my local IP and the VM's IP and also allowed access from virtual network and added the network my VM is under. It still doesn't seem to work (but still works with my local IP). With the link you shared to troubleshoot, it requires download of logs from the $logs folder, but mine seems to be empty and hence I can't debug further. Kindly help me with this at the earliest.
Infra@UB 20 Reputation points

2023-01-12T13:39:06.82+00:00

@Ramya Harinarthini_MSFT can you please help me with this?
Ramya Harinarthini_MSFT 5,366 Reputation points Microsoft Employee Moderator

2023-01-12T14:22:37.94+00:00

@Infra@UB I wish to engage with you offline for a closer look and provide a quick and specialized assistance, please send an email with subject line “Attn:subm” to AzCommunity[at]Microsoft[dot]com referencing this thread and the Azure subscription ID, I will follow-up with you. Once again, apologies for any inconvenience with this issue.
Thanks for your patience and co-operation.
Infra@UB 20 Reputation points

2023-01-12T14:28:56.2566667+00:00

@Ramya Harinarthini_MSFT Done, sent the email. Looking forward to getting this resolved soon.

Share via

I'm generating a SAS Token for Azure Blob Storage, it seems to be working with local IP but not VM IP. Any idea why?

1 additional answer

Your answer