Dear Azure team,
currently we are using Azure IoT Edge v.1.4 on Ubuntu Server 20.04 with Azure Blob Storage container service (v.1.4.4-linux-amd64).
When we use HTTP protocol with connections strings like: "DefaultEndpointsProtocol=http;BlobEndpoint=http://10.52.118.2:11002/edgeblob;AccountName=edgeblob;AccountKey=<64 bit key>;"
everything is working fine.
Also connections from inside other containers with connection string like: "DefaultEndpointsProtocol=http;BlobEndpoint=http://azureblobstorageoniotedge:11002/edgeblob;AccountName=edgeblob;AccountKey=<64 bit key>;"
is working fine.
Since we want to use secure protocol like HTTPS, we decided to use Azure IoT Edge API Proxy module: https://learn.microsoft.com/en-us/azure/iot-edge/how-to-configure-api-proxy-module?view=iotedge-1.4
We have successfully configured the latest version available of the proxy and configured the environment variable of the proxy: BLOB_UPLOAD_ROUTE_ADDRESS with the value azureblobstorageoniotedge:11002 since the communication between the proxy and the blob container is limited inside docker on the edge device.
We used this connection string for TLS connection on the IoT devices: DefaultEndpointsProtocol=https;BlobEndpoint=https://iotedge/edgeblob;AccountName=edgeblob;AccountKey=<64-bit-key>;"
The endpoint is correctly resolved since the DNS is fine and also certificate are correctly configured on Edge device (EdgeCA is ok). Also the proxy is configured fine and at TLS level we have no errors.
The problem we encountered is this one form the APIs related to interaction with blob storage:
RESPONSE Status: 403 Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. Connection: [keep-alive] Content-Length: [0] Date: [Fri, 22 Mar 2024 08:15:35 GMT] Server: [nginx/1.22.1] X-Ms-Error-Code: [AuthenticationFailed] X-Ms-Request-Id: [459adac6-fbb8-43a4-8cbf-93671a39023b]
I've noticed that when using https connection string, the SDK does not compute well the signature for authorization.
We checked the time and machines are correctly synced. We are using volumes mount for Blob storage persistance on the edge so no errors related on file system permissions are present.
Our suspect is that the problem is in the SDK. The SDK, when parsing https connection strings, accepts only endpoint in the form https://blob-account-name.blob.ms-cloud-sub-domain. Delving into the SDK code, it seems that the parsing function does not take into account https urls in different forms.
In our case we have a blob endpoint like: https://iotedge/edgeblob, where iotedge is the FQDN name of the edge machine and the edgeblob is the container name. In this case, the SDK is not correctly computing the AccountName (which results in empty string) and changes the URI of the blob service.
I've tried to update to Azure.Storage.Blobs 12.19.0, but I'm getting a different error related to x-ms-version not being compatible with the blob storage on edge device.
So using:
- Azure.Storage.Blob v >= 12.16.0, the library is not supported due to the x-ms-version not being compatible with the blob storage on edge device.
- From versions >= 12.9.0 up to 12.15.1 the problem is the one described above.
- With version 12.8.4, overriding class "BlobContainerClient" as shown below I am able to connect, but this version is vulnerable and we cannot use it.
How can I solve both problems (connectivity and x-ms-version incompatibility)?
Thank you!