How to upload blob using Azure SDK with a custom domain via Azure CDN and SAS token?

Question

How to upload blob using Azure SDK with a custom domain via Azure CDN and SAS token?

Bathina Mahesh 20

Hi,

I've configured a custom domain on my Azure Storage account using Azure CDN https://learn.microsoft.com/en-us/azure/storage/blobs/storage-custom-domain-name?tabs=azure-portal#using-azure-cdn. I can successfully download files using a SAS token (generated via the Azure Portal and Go SDK) by replacing the storage account domain with the custom domain.

However, when I try to upload a file using the same SAS token, I encounter the following error:

<custom-domain>/testwld-uploads-bucket/validation-1749037452\n--------------------------------------------------------------------------------\nRESPONSE 403: 403 Forbidden\nERROR CODE: AuthenticationFailed\n--------------------------------------------------------------------------------\n\u003c?xml version=\"1.0\" encoding=\"utf-8\"?\u003e\u003cError\u003e\u003cCode\u003eAuthenticationFailed\u003c/Code\u003e\u003cMessage\u003eServer failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.\nRequestId:16b28f3a-501e-004c-2645-d5f9cd000000\nTime:2025-06-04T11:44:12.5605633Z\u003c/Message\u003e\u003cAuthenticationErrorDetail\u003eSignature did not match. String to sign used was acw\n\n2025-06-04T12:14:12Z\n/blob/testwldstorageac/testwld-uploads-bucket/validation-1749037452\nde8a8613-f910-4e33XXXXXXXXXXXXXXXXXX\ne709ae1c-ef4f-432d-a263-a39c33d2c5c1\n2025-06-04T11:44:02Z\n2025-06-04T12:19:02Z\nb\n2025-01-05\n\n\n\n\nhttps\n2025-01-05\nb\n\n\n\nattachment; filename=\"\"\n\n\n\u003c/AuthenticationErrorDetail\u003e\u003c/Error\u003e\n--------------------------------------------------------------------------------\n"

Details:

Using a custom domain via Azure CDN
SAS token generated from UI and Azure SDK for Go https://github.com/Azure/azure-sdk-for-go/blob/sdk/storage/azblob/v1.6.0/sdk/storage/azblob/sas/examples_test.go#L31

Able to download via custom domain, upload fails

Upload request returns a 403 AuthenticationFailed error

The request works when using the original Azure storage endpoint

Questions:

Does Azure support uploading via SAS token when using a custom domain through CDN?

If not, is there a recommended approach to securely upload files via a custom domain?

Are there specific configurations needed when uploading with a custom domain?

Thanks in advance for the help.

Hari Babu Vattepally 3,270 Reputation points Microsoft External Staff Moderator

2025-06-04T18:12:19.83+00:00
Hi @Bathina Mahesh,

Thanks for the question!

In this scenario, while uploading files to Azure Blob Storage using a custom domain via Azure CDN with a SAS token is not supported. Here CDN is mainly for content delivery and caching, so it doesn't support write operations like uploads. If you try uploading through a custom domain, you'll get a 403 AuthenticationFailed error because the SAS token isn't valid for the custom domain endpoint.

For secure file uploads, please use the original Azure Storage endpoint rather than the custom domain. This will ensure proper authentication of the SAS token and allow for successful uploads.

Upload fails via Azure CDN custom domain, as Azure SAS tokens are tied to the canonical resource. So whenever, we make a request via CDN custom domain, host and path in the request don't match the expected canonical string used to generate the SAS token's signature. Hence this will return 403 error - Signature did not match. Please follow the below MS Document says that Azure CDN does not support upload operation methods to Azure Storage account. CDN is primarily for GET, but not to secure upload operations.

However, if you need to maintain a custom domain for uploads, it is advisable to use Azure Front Door or directly access the Azure Storage endpoint for write operations, while continuing to use the custom domain for read operations.

For more additional information, please refer below documents:

Map a custom domain to an Azure Blob Storage endpoint

Uploading blob or block content fails in Azure Blob Storage

Hope by following the above will resolve the issue. Please let us know in the comments sections if there are further questions. We will be glad to assist you closely.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Bathina Mahesh 20

Hi @Hari Babu Vattepally

Thanks you very much for quick response!

I've even configured a custom domain on my Azure Storage account using Azure Front Door https://learn.microsoft.com/en-us/azure/frontdoor/integrate-storage-account https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-add-custom-domain https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-configure-https-custom-domain?tabs=powershell. I’m able to successfully download files using a SAS token (generated via the Azure Portal) by replacing the storage account domain with the custom domain. However, when using a SAS token generated through the Azure SDK for Go, I’m unable to download or upload files via the custom domain through Azure Front Door.

 PUT https://<<custom domain>>/testwld-uploads-bucket/validation-1749096268\n--------------------------------------------------------------------------------\nRESPONSE 403: 403 Forbidden\nERROR CODE: AuthenticationFailed\n--------------------------------------------------------------------------------\n\u003c?xml version=\"1.0\" encoding=\"utf-8\"?\u003e\u003cError\u003e\u003cCode\u003eAuthenticationFailed\u003c/Code\u003e\u003cMessage\u003eServer failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.\nRequestId:e3c4c680-d01e-001f-44ce-d5daf9000000\nTime:2025-06-05T04:04:29.1302847Z\u003c/Message\u003e\u003cAuthenticationErrorDetail\u003eSignature did not match. String to sign used was acw\n\n2025-06-05T04:34:28Z\n/blob/testwldstorageac/testwld-uploads-bucket/validation-1749096268\n2d205ca2-337f-45c6XXXXXXXXXXXXXXXXXX\ne709ae1c-ef4f-432d-a263-a39c33d2c5c1\n2025-06-05T04:04:18Z\n2025-06-05T04:39:18Z\nb\n2025-01-05\n\n\n\n\nhttps\n2025-01-05\nb\n\n\n\nattachment; filename=\"\"\n\n\n\u003c/AuthenticationErrorDetail\u003e\u003c/Error\u003e\n--------------------------------------------------------------------------------

Sample SAS Token generation using azure sdk for go:


package main

import (
	"context"
	"fmt"
	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
	"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/sas"
	"strings"
	"time"

	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/service"
)

func main() {
	ctx := context.TODO()

	tenantID := "xxxxxxxx"
	clientID := "xxxxx"
	clientSecret := "xxxxxxxx"
	endpointURL := "<< CUSTOM DOMAIN>>"
	containerName := "xxxx"
	blobName := "testBlob2"

	// Create credential
	cred, err := azidentity.NewClientSecretCredential(tenantID, clientID, clientSecret, nil)
	if err != nil {
		fmt.Printf("Failed to create credential: %v\n", err)
		return
	}

	// Create service client
	serviceClient, err := service.NewClient(endpointURL, cred, nil)
	if err != nil {
		fmt.Printf("Failed to create service client: %v\n", err)
		return
	}
	expiry := time.Now().UTC().Add(30 * time.Minute)

	// Initialize SAS permissions (default to false for all)
	permissions := sas.BlobPermissions{
		Read:                  false,
		Add:                   false,
		Create:                false,
		Write:                 false,
		Delete:                false,
		DeletePreviousVersion: false,
		Tag:                   false,
	}

	switch strings.ToUpper("PUT") {
	case "PUT", "POST":
		permissions = sas.BlobPermissions{Create: true, Write: true, Add: true}
	case "GET":
		permissions = sas.BlobPermissions{Read: true}
	case "DELETE":
		permissions = sas.BlobPermissions{Delete: true}
	default:
		fmt.Println("method not supported")
	}

	// Construct the SAS query parameters
	sasValues := sas.BlobSignatureValues{
		Protocol:           sas.ProtocolHTTPS,
		ExpiryTime:         expiry,
		Permissions:        permissions.String(),
		ContainerName:      containerName,
		BlobName:           blobName,
		ContentDisposition: fmt.Sprintf("attachment; filename=\"%s\"", "new-file.txt"), // Set Content-Disposition
	}

	var sasQueryParams sas.QueryParameters

	// Token Credential (user delegation)
	now := time.Now().UTC()
	expiration := now.Add(5 * time.Minute) // short key lifetime
	info := service.KeyInfo{
		Start:  to.Ptr(now.Format(sas.TimeFormat)),
		Expiry: to.Ptr(expiration.Format(sas.TimeFormat)),
	}
	udc, err := serviceClient.GetUserDelegationCredential(ctx, info, nil)
	fmt.Printf("User Delegation Credential: %v\n", udc)
	if err != nil {
		fmt.Errorf("failed to get user delegation credential: %w", err)
	}
	sasQueryParams, err = sasValues.SignWithUserDelegation(udc)

	var signedURL string

	signedURL = fmt.Sprintf("%s/%s/%s?%s", endpointURL, containerName, blobName, sasQueryParams.Encode())
	fmt.Println("signed URL:", signedURL)
}

I’m able to successfully generate a SAS token using the Azure SDK for Go and custom domain.

Questions:

Does Azure support uploading via SAS token( generated using azure sdk for go https://github.com/Azure/azure-sdk-for-go/blob/sdk/storage/azblob/v1.6.0/sdk/storage/azblob/sas/examples_test.go#L31 ) when using a custom domain through Azure Front door?

Is there anything I might be missing?

Bathina Mahesh 20 Reputation points

2025-06-05T19:59:13.8533333+00:00

Hi @Hari Babu Vattepally

Thank you so much for your response. I have tried this just before seeing your comment, everything working well.
Hari Babu Vattepally 3,270 Reputation points Microsoft External Staff Moderator

2025-06-05T20:41:57.0466667+00:00

Hi @Bathina Mahesh,

Glad to know that the issue has been resolved. Your contribution is highly appreciated. Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Accepted answer

0 additional answers

Your answer

Hari Babu Vattepally 3,270 Reputation points Microsoft External Staff Moderator

2025-06-04T18:12:19.83+00:00

Hi @Bathina Mahesh,

Thanks for the question!

In this scenario, while uploading files to Azure Blob Storage using a custom domain via Azure CDN with a SAS token is not supported. Here CDN is mainly for content delivery and caching, so it doesn't support write operations like uploads. If you try uploading through a custom domain, you'll get a 403 AuthenticationFailed error because the SAS token isn't valid for the custom domain endpoint.

For secure file uploads, please use the original Azure Storage endpoint rather than the custom domain. This will ensure proper authentication of the SAS token and allow for successful uploads.

Upload fails via Azure CDN custom domain, as Azure SAS tokens are tied to the canonical resource. So whenever, we make a request via CDN custom domain, host and path in the request don't match the expected canonical string used to generate the SAS token's signature. Hence this will return 403 error - Signature did not match. Please follow the below MS Document says that Azure CDN does not support upload operation methods to Azure Storage account. CDN is primarily for GET, but not to secure upload operations.

However, if you need to maintain a custom domain for uploads, it is advisable to use Azure Front Door or directly access the Azure Storage endpoint for write operations, while continuing to use the custom domain for read operations.

For more additional information, please refer below documents:

Map a custom domain to an Azure Blob Storage endpoint

Uploading blob or block content fails in Azure Blob Storage

Hope by following the above will resolve the issue. Please let us know in the comments sections if there are further questions. We will be glad to assist you closely.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Bathina Mahesh 20 Reputation points

2025-06-05T19:59:13.8533333+00:00

Hi @Hari Babu Vattepally

Thank you so much for your response. I have tried this just before seeing your comment, everything working well.
Hari Babu Vattepally 3,270 Reputation points Microsoft External Staff Moderator

2025-06-05T20:41:57.0466667+00:00

Hi @Bathina Mahesh,

Glad to know that the issue has been resolved. Your contribution is highly appreciated. Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Answer 1

Hi @Bathina Mahesh,

Thanks for the response and providing additional information.

Does Azure support uploading via SAS token( generated using azure sdk for go https://github.com/Azure/azure-sdk-for-go/blob/sdk/storage/azblob/v1.6.0/sdk/storage/azblob/sas/examples_test.go#L31 ) when using a custom domain through Azure Front door?

Yes, Azure supports uploading and downloading via SAS token when using a custom domain through Azure Front door only if the SAS token is correctly generated by using the original Azure blob storage endpoint for example: https://<account>.blob.core.windows.net.

Whenever you are generating SAS token, use the storage account domain instead of custom domain. Example as below:

endpointURL := "https://testwldstorageac.blob.core.windows.net"

So once the SAS token has been generated, replace the domain with the custom domain for accessing the blob.

Also, please make sure that there are proper SAS tokens permissions are provided like Read, Write, Create and Add permissions. Check and correct the expiration time to avoid authentication failures.

Please make sure that the request headers are passed unchanged by configuring Azure Front Door rules which may also modifies headers, causes authentication issues.

For more information, please refer the below document:

Reliable file upload to Azure Storage Blob through Azure Front Door.

Hope this helps!

Please don’t forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Share via

How to upload blob using Azure SDK with a custom domain via Azure CDN and SAS token?

0 additional answers

Your answer