URL(Sas) for blob access generates 403 error on Azure, but works in development

Damian Pike 21 Reputation points
2021-05-06T16:34:55.223+00:00

I have a site that provides access to videos:

  • generates a URL with Sas
  • passes the URL to an HTML5 video component

The Sas is generated through a UserDelegationKey and the BlobServiceClient is authenticated with DefaultAzureCredential.

I have set up the Storage Account Contributor, Storage Blob Data Contributor, Storage Blob Data Owner role assignments for the Storage account.

This works in development.

When I publish to Azure, I get a 403 message in the console and the following error message from the browser:

<Error>
<Code>AuthorizationPermissionMismatch</Code>
<Message>This request is not authorized to perform this operation using this permission. RequestId:bf90f918-b01e-005b-6476-424803000000 Time:2021-05-06T12:51:56.3374395Z</Message>
</Error>

The site is currently hosted on a 32 bit machine.

I have read that there may be a requirement to upgrade to a 64 bit machine for SasBlobs to work - though I cannot find any documentation from Microsoft that confirms this.

Any thoughts on how to resolve?

Azure Blob Storage

Accepted answer
  1. Sumarigo-MSFT 44,081 Reputation points Microsoft Employee
    2021-05-07T09:40:29.677+00:00

    @Damian Pike Welcome to Microsoft Q&A Forum. Thank you for posting your query here!

    403 is seen when authorizing with a shared key because "All authorized requests must include the Coordinated Universal Time (UTC) timestamp for the request." Information about this can be found in Authorize with Shared Key.

    403 means there is something wrong with your SAS token or shared key. You can use storage explorer to generate SAS with the same configuration and see if it works.

    • Can you share a screenshot of the error message, use Fiddler to trace the log, and share it with us?
    • Your shared access signature may be missing permission; please cross-verify.
    • Can you check the firewall setting and time zone?

    Additional information: When using Azure Storage account shared key auth, HTTP requests sent by this library will generate a string to sign based on subset of HTTP headers and finally sign with account key. Modifying headers after the signing will lead to auth errors.

    Authorize requests to Azure Storage

    Looking forward to your reply! If the issue still persists, I would like to work more closely on this issue.

    Kindly let us know if the above helps or you need further assistance on this issue.

    ------------------------------------------------------------------------------------------------------------------------------------------------------

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.


3 additional answers

  1. Damian Pike 21 Reputation points
    2021-05-07T11:27:29.577+00:00

    Firstly, many thanks for your help.

    In response to your points:

    1) The blob is marked for public access so the Sas should be sufficient (as I understand it). Certainly, this works in development environment.

    2) 94689-fiddler-2021-05-07-115415.png

    3)

    • 'Shared Access Signature may be missing permission' - I suspect this might be it.
    • When I compare the development Sas with the production Sas, the only difference seems to be the Signed Object Id (Skoid).
    • The Sas is generated by a UserDelegatedKey based on a blobClient authorised by the DefaultAzureCredential.
    • I understand that this uses ManagedIdentity in the production environment -
    • Managed Identity is system assigned at App level with status on and user role assignments as per initial description
    • I'm not sure what else I can do to 'cross verify' - any suggestions welcome!

    4) Firewall setting: I'm not sure which firewall is relevant here? Local setting is ok. Azure?

    5) TimeZone - I understood that all Azure (including Storage) is based on UTC? If relevant, we are on UK hosting (UTC+1). I suspect this isn't answering your question?

    6) In terms of modifying headers - I don't think this is relevant here... In summary, the flow is:

    a) Generate a SAS for the Blob (as described above)
    b) Pass to front end to HTML5 video source

    7) I have now upgraded the Service Plan to 64 bit, though this appears to have had no impact.

    Thanks again,


  2. Damian Pike 21 Reputation points
    2021-05-07T12:23:13.267+00:00

    Update:

    I have just rechecked the site and it now works...

    I have tried to downsize the server to 32 bit - which it won't let me do, so I suspect that this was the issue.

    Thanks again for your time.


  3. Prateek K 1 Reputation point
    2022-11-11T15:18:32.687+00:00

    I am facing the same issue. The same code works fine on dev but on live throws this

    <Error>
    <Code>AuthorizationFailure</Code>
    <Message>This request is not authorized to perform this operation. RequestId:bbbac7ed-901e-0071-17de-f57259000000 Time:2022-11-11T15:02:31.5126641Z</Message>
    </Error>

    The SAS token is this ==> skoid=253d9eb9-9791-4156-aed5-7a697886fece&sktid=48794f31-2f6d-4909-8b2f-53b64c7f3199&skt=2022-11-11T15%3A02%3A29Z&ske=2022-11-18T15%3A02%3A29Z&sks=b&skv=2021-08-06&sv=2021-08-06&st=2022-11-11T15%3A02%3A30Z&se=2022-11-18T15%3A02%3A30Z&sr=b&sp=rw&sig=TaNGnoBbhXLVCtsw489yUR0H3zf1sB0A9YROmhI%2BVdw%3D
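The field-by-field comparison of a development and a production SAS described in this thread can be scripted. This is an added example and not part of any post above. The two tokens are constructed samples with placeholder GUIDs and signature, and the function names (`parse_sas`, `check_sas`, `diff_sas`) are hypothetical helpers, not Azure SDK calls.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Constructed sample tokens (not from the thread): identical except for skoid,
# the object ID of the principal that requested the user delegation key.
_COMMON = ("&sktid=99999999-9999-9999-9999-999999999999"
           "&skt=2021-05-06T12%3A00%3A00Z&ske=2021-05-07T12%3A00%3A00Z"
           "&sks=b&skv=2020-06-12&sv=2020-06-12"
           "&st=2021-05-06T12%3A00%3A00Z&se=2021-05-06T13%3A00%3A00Z"
           "&sr=b&sp=r&sig=CONSTRUCTED-PLACEHOLDER")
DEV_SAS = "skoid=11111111-1111-1111-1111-111111111111" + _COMMON
PROD_SAS = "skoid=22222222-2222-2222-2222-222222222222" + _COMMON


def parse_sas(token):
    """Decode a SAS query string (with or without the blob URL) into a dict."""
    query = token.split("?", 1)[-1]
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def _utc(value):
    # Assumes the YYYY-MM-DDThh:mm:ssZ form used by the tokens in this thread.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_sas(token, now, needed="r"):
    """List problems visible in the token itself at UTC time `now`."""
    f, findings = parse_sas(token), []
    if "skoid" not in f:
        findings.append("no skoid: not a user delegation SAS")
    missing = sorted(set(needed) - set(f.get("sp", "")))
    if missing:
        findings.append("sp lacks: " + "".join(missing))
    for start, end, label in (("st", "se", "SAS"), ("skt", "ske", "delegation key")):
        if start in f and now < _utc(f[start]):
            findings.append(f"{label} not yet valid ({start}={f[start]})")
        if end in f and now >= _utc(f[end]):
            findings.append(f"{label} expired ({end}={f[end]})")
    return findings


def diff_sas(a, b, ignore=("sig",)):
    """Fields whose decoded values differ between two tokens (sig always differs)."""
    fa, fb = parse_sas(a), parse_sas(b)
    keys = sorted((set(fa) | set(fb)) - set(ignore))
    return {k: (fa.get(k), fb.get(k)) for k in keys if fa.get(k) != fb.get(k)}


if __name__ == "__main__":
    when = datetime(2021, 5, 6, 12, 51, 56, tzinfo=timezone.utc)
    print(diff_sas(DEV_SAS, PROD_SAS))
    print(check_sas(PROD_SAS, when))
```

An empty findings list together with a diff limited to `skoid` means the token's own fields are consistent, which points the investigation at the identity that requested the user delegation key and its role assignments.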