Troubleshooting Azure Web App Connectivity to Blob Storage via SAS Token

Question

I am using two Azure services, a Web App to host a server and a Blob Storage, which are connected via nodejs. It works fine from my local machine with the Blob Storage, but the problem occurs when I deploy the server to the Web App.

Things I have already tried and taken into account:

1. I have a SAS token, which works from localhost, and I have reset the SAS token, but it still doesn't work on the Web App (it works locally).
2. The Blob Storage is open to the entire internet. I understand this may be insecure, but I want to check its functionality this way.
3. I have tried setting permissions on the Blob Storage for the Web App as a Storage Blob Data Contributor.
4. I have tried making a 'curl' request from the Web App itself via SSH to a link that is open without the need for a token. However, when I do it with the token, it says:

root@...:/home# curl 'https://...' --output 'prueba.xlsx' % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 246 100 246 0 0 2320 0 --:--:-- --:--:-- --:--:-- 2320 
root@...:/home# cat prueba.xlsx

<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationFailure</Code><Message>This request is not authorized to perform this operation.
...

The problem, therefore, lies in the Web App server's connection to Storage via SAS. How can I solve this?

Answer 1

@DARIO ESCUDERO DE PACO It sounds like you are having trouble connecting your Azure Web App to your Blob Storage account via a SAS token. Here are a few things you can try to troubleshoot the issue:

Check that the SAS token is correct: Make sure that the SAS token you are using is correct and has not expired. You can regenerate the SAS token in the Azure portal to ensure that it is up-to-date.

1. Check that the Web App has permission to access the Blob Storage account: Make sure that the Web App has the necessary permissions to access the Blob Storage account. You can grant permissions by adding the Web App's identity to the Blob Storage account's access control list (ACL).
2. Check that the Web App is using the correct endpoint: Make sure that the Web App is using the correct endpoint to access the Blob Storage account. The endpoint should be in the format https://<<span class=" active-doc-0 active-doc-1 active-doc-2" data-doc-items="0,1,2">account-name>.blob.core.windows.net[1](#doc-pos=0)[2](#doc-pos=1)[3](#doc-pos=2)</span>.
3. Check that the Web App is using the correct HTTP method: Make sure that the Web App is using the correct HTTP method (e.g. GET, PUT, POST) to access the Blob Storage account. The HTTP method should match the permissions granted by the SAS token.
4. Check that the Web App is using HTTPS: Make sure that the Web App is using HTTPS to access the Blob Storage account. SAS tokens should only be used over HTTPS to ensure that they are secure.
5. Check that the Web App is using the correct SAS token format: Make sure that the Web App is using the correct SAS token format. SAS tokens should be in the format ?sv=<version>&sr=<resource>&sig=<signature>&st=<start-time>&se=<expiry-time>&sp=<permissions>

If none of these steps resolve the issue, you may need to enable diagnostic logging on your Web App to get more information about the error. You can also try using a tool like Fiddler to capture the HTTP traffic between the Web App and the Blob Storage account to see if there are any errors or issues with the requests.