<AuthenticationErrorDetail>Signature did not match. String to sign used was

Saaketh Gunti 45 Reputation points Microsoft Employee
2025-04-01T11:54:50.07+00:00

I have the code below to generate a URL that can be used to download a blob. When I run the code locally it returns a URL. But when I access the URL it is giving me this error. I am using my MSFT Account credentials to access a storage in MSFT tenant.

I am getting this error:

<Error>

<Code>AuthenticationFailed</Code>

<Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. RequestId:04195eb8-301e-001b-750c-a3c6e3000000 Time:2025-04-01T13:44:02.3324883Z</Message>

<AuthenticationErrorDetail>Signature did not match. String to sign used was r 2025-04-01T13:43:48Z 2025-04-01T13:48:48Z /blob/testingpurpose12/test/523179595_Outliers.csv de45faf3-1d35-4e66XXXXXXXXXXXXXXXXXX 72f988bf-86f1-41af-91ab-2d7cd011db47 2025-04-01T13:43:48Z 2025-04-01T13:48:48Z b 2024-05-04 2024-05-04 b </AuthenticationErrorDetail>

</Error>

Here's the code:


from azure.identity import DefaultAzureCredential
from azure.storage.blob import BlobClient, BlobSasPermissions, BlobServiceClient, generate_blob_sas
from datetime import datetime, timedelta, timezone

class BlobStorageDataClient:

    def __init__(self, blob_storage_url, container_name, max_single_put_size=512):
        
        self.blob_storage_url = blob_storage_url
        self.container_name = container_name
        self.max_single_put_size = max_single_put_size
        self.credential = DefaultAzureCredential()
        self.blob_service_client = BlobServiceClient(account_url=self.blob_storage_url, credential=self.credential, max_single_put_size=max_single_put_size)
        self.container_client = self.blob_service_client.get_container_client(self.container_name)

    
    def generate_SAS_URL(self, blob_name, expiry_timedelta = timedelta(hours=1)):
        
        sas_permissions = BlobSasPermissions(read=True)
        key_start_time = datetime.now(timezone.utc)
        key_expiry_time = datetime.now(timezone.utc) + expiry_timedelta

        user_delegation_key = self.blob_service_client.get_user_delegation_key(
            key_start_time=key_start_time,
            key_expiry_time=key_expiry_time
        )
        
        sas_token = generate_blob_sas(
            permission = sas_permissions,
            start = key_start_time,
            expiry = key_expiry_time,
            account_name = self.blob_storage_url,
            container_name = self.container_name,
            blob_name = blob_name,
            user_delegation_key = user_delegation_key
        )
        
        sas_url = f"{self.blob_storage_url}/{self.container_name}/{blob_name}?{sas_token}"

        return sas_url


blob_storage_data_client_ula = BlobStorageDataClient(blob_storage_url = "https://########.blob.core.windows.net", container_name = "###")
blob_name = "####.pdf"
sas_url = blob_storage_data_client_ula.generate_SAS_URL(blob_name = blob_name, expiry_timedelta = timedelta(minutes = 5))

Accepted answer
  1. Hari Babu Vattepally 2,640 Reputation points Microsoft External Staff
    2025-04-01T14:57:49.7233333+00:00

    Hi @Saaketh Gunti ,

    The message mentioned above says that the signature used in the SAS token does not match the expected signature for the request.

    Please follow the suggestions below to get the issue fixed:

    • Please make sure to use the correct account_name in generate_blob_sas: You're currently passing the blob_storage_url as the account_name. However, account_name should only be the storage account name (e.g., if the blob URL is https://myaccount.blob.core.windows.net, the account_name is myaccount).
    • Since you’re using your MSFT account credentials, please ensure that the correct tenant ID is being used. If you're authenticated in a multi-tenant setup, explicitly configure the credential for the required tenant.
    • Also, please make sure that the get_user_delegation_key call succeeds. If it doesn’t, the returned key will be invalid, resulting in the error. You can inspect the user_delegation_key object to verify its validity.
    • Please make sure that the start and expiry times for the SAS token are correctly set. If there's a significant time difference between your local machine and the Azure server, the token might be deemed invalid. It's a good practice to set the start time a few seconds in the past to accommodate any clock drift.
    • However, since the error message includes the "String to Sign", please compare that string to the one which Azure expects. Log the sas_token and user_delegation_key to debug the signature, and ensure all parameters for generating the SAS token match Azure's requirements.
    • Also, please make sure to confirm the user or app registered with the DefaultAzureCredential has permissions to generate a User Delegation Key and access the storage account. And please ensure that Role-Based Access Control (RBAC) permissions are correctly assigned to your account or managed identity (e.g., Storage Blob Data Contributor).
    • If the issue persists, enable Azure Storage Logging for detailed error traces:
      • Go to Storage Account > Diagnostic settings and enable logging for Authentication and Requests.

    For additional information, please refer to the below:

    I hope following the above helps in resolving the issue.

    Please let us know in the comments below if the issue is resolved or still persists. We will be glad to assist you closely.

    Please do consider “up-voting” wherever the information provided helps you; this can be beneficial to other community members.

    1 person found this answer helpful.
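
Added example, not part of the original question or answer and not Azure SDK code: an offline sketch of why passing the account URL as `account_name` changes the signed resource path and therefore the signature, plus the backdated start time the answer recommends. The account URL, key, object and tenant IDs are constructed placeholders; the field order follows the error detail quoted in the question, with optional fields left empty as an assumption.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

def account_name_from_url(account_url):
    """'https://myaccount.blob.core.windows.net' -> 'myaccount'."""
    host = urlparse(account_url).hostname
    if not host or not host.endswith(".blob.core.windows.net"):
        raise ValueError(f"not a blob endpoint URL: {account_url!r}")
    return host.split(".", 1)[0]

def sas_window(lifetime, skew=timedelta(seconds=30)):
    """Backdate the start to absorb clock drift (30 s is an assumed value)."""
    now = datetime.now(timezone.utc).replace(microsecond=0)
    return now - skew, now + lifetime

def string_to_sign(account_name, container, blob, start, expiry, oid, tid, version):
    """Newline-joined fields, in the order shown in the error detail above.
    Optional fields are left empty (an assumption of this sketch)."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    st, se = start.strftime(fmt), expiry.strftime(fmt)
    resource = f"/blob/{account_name}/{container}/{blob}"
    return "\n".join(["r", st, se, resource, oid, tid, st, se, "b", version,
                      "", "", "", "", "", version, "b"] + [""] * 7)

def sign(sts, key_b64):
    """HMAC-SHA256 over the string-to-sign, keyed with the decoded key."""
    key = base64.b64decode(key_b64)
    return base64.b64encode(hmac.new(key, sts.encode(), hashlib.sha256).digest()).decode()

def compare_signatures(account_url, key_b64, **fields):
    """Signature with the account name vs. with the full URL (the bug)."""
    good = sign(string_to_sign(account_name_from_url(account_url), **fields), key_b64)
    bad = sign(string_to_sign(account_url, **fields), key_b64)
    return good, bad

if __name__ == "__main__":
    # All values below are constructed for the demonstration.
    start, expiry = sas_window(timedelta(minutes=5))
    good, bad = compare_signatures(
        "https://exampleacct.blob.core.windows.net",
        base64.b64encode(b"constructed-demo-key").decode(),
        container="test", blob="report.csv", start=start, expiry=expiry,
        oid="<object-id>", tid="<tenant-id>", version="2024-05-04")
    print("signatures match:", good == bad)
```

When comparing against a real failure, diff the locally built string against the server's "String to sign used was" text field by field rather than writing the delegation key or full SAS token to shared logs.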