Azure的共享访问签名 - 签名不匹配 [英] Azure Shared Access Signature - Signature did not match

问题描述

我得到这个错误：

 ＆LT;错误＆GT;
＆LT; code基AuthenticationFailed＆LT; / code＆GT;
＆LT;消息＆GT;
服务器无法验证请求。确保授权头的值是正确形成，包括签名。请求ID：6c3fc9a8-cdf6-4874-a141-10282b709022时间：2014-07-30T10：48：43.8634735Z
＆LT; /信息＆GT;
＆LT; AuthenticationErrorDetail＆GT;
签名不匹配。串签所用RWL 2014-07-31T04：48：20Z / acoustie / $根2014年2月14日
＆LT; / AuthenticationErrorDetail＆GT;
＆LT; /错误＆GT;
 

我得到它时，我产生一个SAS（共享访问签名），然后粘贴在容器URI的结尾到浏览器的SAS。这是与生成的SAS的完整地址：

<$p$p><$c$c>https://acoustie.blob.core.windows.net/mark?sv=2014-02-14&sr=c&sig=E6w%2B3B8bAXK8Lhvvr62exec5blSxsA62aSWAg7rmX4g%3D&se=2014-07-30T13%3A30%3A14Z&sp=rwl

我有这么冲刷和谷歌曾尝试大量的组合，据我可以告诉我正确的做的一切，我知道我不是，我只是不能看到它...真的希望有人能帮助： - \\

需要明确的是，我是一个容器，而不是特定的blob，而不是根容器上生成的SAS。在BLOB接入被定义为公共斑点。我的最终目标是要简单地允许写入与SAS的容器，而调试我已经加入最权限SharedAccessBlobPolicy。

我曾尝试把在<一个一个\\ href=\"http://stackoverflow.com/questions/13456606/azure-access-denied-on-shared-access-signature-for-storage-2-0\">beginning和结束容器名称。没有变化。

这是code我用它来生成SAS：

  VAR blobClient = storageAccount.CreateCloudBlobClient（）;
    //获取对BLOB容器的引用
    VAR容器= blobClient.GetContainerReference（容器名称）;    //所以SAS立即生效，不要设置开始时间。
    VAR sasConstraints =新SharedAccessBlobPolicy
    {
        SharedAccessExpiryTime = DateTime.UtcNow.AddMinutes（30），
        权限= SharedAccessBlobPermissions.Write
        | SharedAccessBlobPermissions.Read
        | SharedAccessBlobPermissions.List，
    };    VAR sasContainerToken = container.GetSharedAccessSignature（sasConstraints）;    //返回URI字符串的容器，包括SAS令牌。
        VAR SAS =的String.Format（{0} {1}，container.Uri.AbsoluteUri，sasContainerToken）;
        Logger.Debug（SAS：{0}，SAS）;
        返回SAS;
 

它生成一个签名，它只是似乎没有一个有效的签名。

我试过不同的容器，​​改变了访问策略，有和没有开始时间，延长从现在到期时> 12小时（每次我在UTC + 10时区），它似乎没有什么重要呢我改变它导致相同的签名不匹配的错误。

我甚至用WindowsAzure.Storage的旧版本试过了，所以现在我已经试过4.2和4.1。即使想在一个不同的浏览器中的URI，实在不应该有所作为，但嘿...

任何建议都大大AP preciated： - ）

解决方案

答案很简单：

添加补偿=列表和放大器; restype =容器来的SAS网址，你不应该得到这个错误

龙答：

从本质上从SAS URL，Azure存储服务是不是能够确定，如果你要访问的资源是BLOB或容器中，假定它是一个blob。因为它假定资源类型为BLOB，它使用 $根为SAS计算的blob容器（你可以从你的错误信息见）。由于SAS是计算标记的blob容器，你得到这个签名不匹配错误。通过指定 restype =容器你告诉存储服务来对待资源作为容器。 补偿=列表需要按照REST API规范。

I'm getting this error:

<Error>
<Code>AuthenticationFailed</Code>
<Message>
Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. RequestId:6c3fc9a8-cdf6-4874-a141-10282b709022 Time:2014-07-30T10:48:43.8634735Z
</Message>
<AuthenticationErrorDetail>
Signature did not match. String to sign used was rwl 2014-07-31T04:48:20Z /acoustie/$root 2014-02-14
</AuthenticationErrorDetail>
</Error>

I get it when I generate a sas (Shared Access Signature) then paste that sas at the end of the container uri into a browser. This is the full address with the generated sas:

https://acoustie.blob.core.windows.net/mark?sv=2014-02-14&sr=c&sig=E6w%2B3B8bAXK8Lhvvr62exec5blSxsA62aSWAg7rmX4g%3D&se=2014-07-30T13%3A30%3A14Z&sp=rwl

I have scoured SO and Google and have tried lots of combinations, as far as I can tell I'm doing everything correctly, I know I'm not, I just can't see it...really hoping someone can help :-\

To be clear, I am generating a sas on a container, not a specific blob and not on the root container. Access on the blob is defined as Public Blob. My end goal is to simply allow writes to the container with the sas, while 'debugging' I have added most permissions to the SharedAccessBlobPolicy.

I have tried adding a \ at the beginning and ending of the container name. No change.

This is the code I use to generate the sas:

    var blobClient = storageAccount.CreateCloudBlobClient();
    //Get a reference to the blob container 
    var container = blobClient.GetContainerReference(containerName);

    // Do not set start time so the sas becomes valid immediately.
    var sasConstraints = new SharedAccessBlobPolicy 
    {
        SharedAccessExpiryTime = DateTime.UtcNow.AddMinutes(30), 
        Permissions = SharedAccessBlobPermissions.Write 
        | SharedAccessBlobPermissions.Read
        | SharedAccessBlobPermissions.List,
    };

    var sasContainerToken = container.GetSharedAccessSignature(sasConstraints);

    //Return the URI string for the container, including the SAS token.
        var sas = string.Format("{0}{1}", container.Uri.AbsoluteUri, sasContainerToken);
        Logger.Debug("SAS: {0}", sas);
        return sas;

It generates a signature, it just doesn't seem to be a valid signature.

I've tried different containers, changing the Access policy, with and without start times, extending the expiry to > 12 hours from now (I'm in a UTC+10 timezone), it doesn't seem to matter what I change it results in the same "signature did not match" error.

I have even tried using an older version of 'WindowsAzure.Storage', so I have now tried 4.2 and 4.1. Even tried the uri in a different browser, really shouldn't make a difference but hey...

Any suggestions are greatly appreciated :-)

解决方案

Short Answer:

Add comp=list&restype=container to your SAS URL and you should not get this error.

Long Answer:

Essentially from your SAS URL, Azure Storage Service is not able to identify if the resource you're trying to access is a blob or a container and assumes it's a blob. Since it assumes the resource type is blob, it makes use of $root blob container for SAS calculation (which you can see from your error message). Since SAS was calculated for mark blob container, you get this Signature Does Not Match error. By specifying restype=container you're telling storage service to treat the resource as container. comp=list is required as per REST API specification.

这篇关于Azure的共享访问签名 - 签名不匹配的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！