Azure 共享访问签名 - 签名不匹配 [英] Azure Shared Access Signature - Signature did not match

问题描述

我收到此错误:

<Error>
<Code>AuthenticationFailed</Code>
<Message>
Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. RequestId:6c3fc9a8-cdf6-4874-a141-10282b709022 Time:2014-07-30T10:48:43.8634735Z
</Message>
<AuthenticationErrorDetail>
Signature did not match. String to sign used was rwl 2014-07-31T04:48:20Z /acoustie/$root 2014-02-14
</AuthenticationErrorDetail>
</Error>

当我生成 sas(共享访问签名)然后将该 sas 粘贴到容器 uri 的末尾时，我得到了它到浏览器中.这是生成的 sas 的完整地址:

I get it when I generate a sas (Shared Access Signature) then paste that sas at the end of the container uri into a browser. This is the full address with the generated sas:

https://acoustie.blob.core.windows.net/mark?sv=2014-02-14&sr=c&sig=E6w%2B3B8bAXK8Lhvvr62exec5blSxsA62aSWAg7rmX4g%3D&se=2014-07-30T13%3A30%3A14Z&sp=rwl

我已经搜索了 SO 和 Google 并尝试了很多组合，据我所知我做的一切都是正确的，我知道我不是，我只是看不到它......真的希望有人能帮助:-

I have scoured SO and Google and have tried lots of combinations, as far as I can tell I'm doing everything correctly, I know I'm not, I just can't see it...really hoping someone can help :-

明确地说，我是在容器上生成 sas，而不是特定的 blob，也不是在根容器上.对 Blob 的访问被定义为公共 Blob.我的最终目标是简单地允许使用 sas 写入容器，而在调试"时，我已将大部分权限添加到 SharedAccessBlobPolicy.

To be clear, I am generating a sas on a container, not a specific blob and not on the root container. Access on the blob is defined as Public Blob. My end goal is to simply allow writes to the container with the sas, while 'debugging' I have added most permissions to the SharedAccessBlobPolicy.

我尝试在 容器名称的开头和结尾.没有变化.

I have tried adding a at the beginning and ending of the container name. No change.

这是我用来生成 sas 的代码:

This is the code I use to generate the sas:

    var blobClient = storageAccount.CreateCloudBlobClient();
    //Get a reference to the blob container 
    var container = blobClient.GetContainerReference(containerName);

    // Do not set start time so the sas becomes valid immediately.
    var sasConstraints = new SharedAccessBlobPolicy 
    {
        SharedAccessExpiryTime = DateTime.UtcNow.AddMinutes(30), 
        Permissions = SharedAccessBlobPermissions.Write 
        | SharedAccessBlobPermissions.Read
        | SharedAccessBlobPermissions.List,
    };

    var sasContainerToken = container.GetSharedAccessSignature(sasConstraints);

    //Return the URI string for the container, including the SAS token.
        var sas = string.Format("{0}{1}", container.Uri.AbsoluteUri, sasContainerToken);
        Logger.Debug("SAS: {0}", sas);
        return sas;

它生成了一个签名，但它似乎不是一个有效的签名.

It generates a signature, it just doesn't seem to be a valid signature.

我尝试了不同的容器，更改了访问策略，无论是否有开始时间，从现在起将到期时间延长至 > 12 小时(我在 UTC+10 时区)，这似乎无关紧要我更改它导致相同的签名不匹配"错误.

I've tried different containers, changing the Access policy, with and without start times, extending the expiry to > 12 hours from now (I'm in a UTC+10 timezone), it doesn't seem to matter what I change it results in the same "signature did not match" error.

我什至尝试过使用旧版本的WindowsAzure.Storage"，所以我现在尝试了 4.2 和 4.1.甚至在不同的浏览器中尝试过 uri，真的不应该有什么不同，但是嘿...

I have even tried using an older version of 'WindowsAzure.Storage', so I have now tried 4.2 and 4.1. Even tried the uri in a different browser, really shouldn't make a difference but hey...

非常感谢任何建议:-)

Any suggestions are greatly appreciated :-)

推荐答案

简短回答:

将 comp=list&restype=container 添加到您的 SAS URL，您应该不会收到此错误.

Add comp=list&restype=container to your SAS URL and you should not get this error.

长答案:

本质上，根据您的 SAS URL，Azure 存储服务无法确定您尝试访问的资源是 blob 还是容器，并假定它是 blob.由于它假定资源类型为 blob，因此它使用 $root blob 容器进行 SAS 计算(您可以从错误消息中看到).由于 SAS 是为 mark blob 容器计算的，因此您会收到此 Signature does Not Match 错误.通过指定 restype=container，您告诉存储服务将资源视为 container.根据 REST API 规范，comp=list 是必需的.

Essentially from your SAS URL, Azure Storage Service is not able to identify if the resource you're trying to access is a blob or a container and assumes it's a blob. Since it assumes the resource type is blob, it makes use of $root blob container for SAS calculation (which you can see from your error message). Since SAS was calculated for mark blob container, you get this Signature Does Not Match error. By specifying restype=container you're telling storage service to treat the resource as container. comp=list is required as per REST API specification.

这篇关于Azure 共享访问签名 - 签名不匹配的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！