Azurite: AuthorizationFailure with curl

Which service(blob, file, queue, table) does this issue concern?

Blob

Which version of the Azurite was used?

3.4.0

Where do you get Azurite? (npm, DockerHub, NuGet, Visual Studio Code Extension)

npm

What’s the Node.js version?

13.3.0

What problem was encountered?

When I try to use Azurite through the REST API, I keep getting an AuthorizationFailure response.

Steps to reproduce the issue?

I try to create a container with the following call:

curl -X PUT http://127.0.0.1:10000/devstoreaccount1/pictures?restype=container -H "x-ms-date: 2020-01-24T03:56:54.834Z" -H "x-ms-version: 2019-02-02" -H "Authorization: SharedKey devstoreaccount1:Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw=="

And get the following response:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Error>
  <Code>AuthorizationFailure</Code>
  <Message>Server failed to authenticate the request. Make sure the value of the Authorization header is formed correctly including the signature.
RequestId:ce1cc537-128b-46ad-9224-b2b17443c0e9
Time:2020-01-24T03:56:54.834Z</Message>
</Error>

Have you found a mitigation/solution?

No

Logs

2020-01-24T03:56:54.787Z ce1cc537-128b-46ad-9224-b2b17443c0e9 info: BlobStorageContextMiddleware: RequestMethod=PUT RequestURL=http://127.0.0.1/devstoreaccount1/pictures?restype=container RequestHeaders:{"host":"127.0.0.1:10000","user-agent":"curl/7.55.1","accept":"*/*","x-ms-date":"`date`","x-ms-version":"2019-02-02","authorization":"SharedKey devstoreaccount1:Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw=="} ClientIP=127.0.0.1 Protocol=http HTTPVersion=1.1
2020-01-24T03:56:54.787Z ce1cc537-128b-46ad-9224-b2b17443c0e9 info: BlobStorageContextMiddleware: Account=devstoreaccount1 Container=pictures Blob=
2020-01-24T03:56:54.787Z ce1cc537-128b-46ad-9224-b2b17443c0e9 verbose: DispatchMiddleware: Dispatching request...
2020-01-24T03:56:54.787Z ce1cc537-128b-46ad-9224-b2b17443c0e9 info: DispatchMiddleware: Operation=Container_Create
2020-01-24T03:56:54.787Z ce1cc537-128b-46ad-9224-b2b17443c0e9 verbose: AuthenticationMiddlewareFactory:createAuthenticationMiddleware() Validating authentications.
2020-01-24T03:56:54.787Z ce1cc537-128b-46ad-9224-b2b17443c0e9 info: PublicAccessAuthenticator:validate() Start validation against public access.
2020-01-24T03:56:54.787Z ce1cc537-128b-46ad-9224-b2b17443c0e9 debug: PublicAccessAuthenticator:validate() Getting account properties...
2020-01-24T03:56:54.787Z ce1cc537-128b-46ad-9224-b2b17443c0e9 debug: PublicAccessAuthenticator:validate() Retrieved account name from context: devstoreaccount1, container: pictures, blob: 
2020-01-24T03:56:54.803Z ce1cc537-128b-46ad-9224-b2b17443c0e9 debug: PublicAccessAuthenticator:validate() Skip public access authentication. Cannot get public access type for container pictures
2020-01-24T03:56:54.803Z ce1cc537-128b-46ad-9224-b2b17443c0e9 info: BlobSharedKeyAuthenticator:validate() Start validation against account shared key authentication.
2020-01-24T03:56:54.818Z ce1cc537-128b-46ad-9224-b2b17443c0e9 info: BlobSharedKeyAuthenticator:validate() [STRING TO SIGN]:"PUT\n\n\n\n\n\n\n\n\n\n\n\nx-ms-date:`date`\nx-ms-version:2019-02-02\n/devstoreaccount1/devstoreaccount1/pictures\nrestype:container"
2020-01-24T03:56:54.818Z ce1cc537-128b-46ad-9224-b2b17443c0e9 info: BlobSharedKeyAuthenticator:validate() Calculated authentication header based on key1: SharedKey devstoreaccount1:/S7T6ds2y+Gd7wYbOo7ljAx6dJCs0ub4jjvCFkOju9s=
2020-01-24T03:56:54.818Z ce1cc537-128b-46ad-9224-b2b17443c0e9 info: BlobSharedKeyAuthenticator:validate() Validation failed.
2020-01-24T03:56:54.818Z ce1cc537-128b-46ad-9224-b2b17443c0e9 info: AccountSASAuthenticator:validate() Start validation against account Shared Access Signature pattern.
2020-01-24T03:56:54.818Z ce1cc537-128b-46ad-9224-b2b17443c0e9 debug: AccountSASAuthenticator:validate() Getting account properties...
2020-01-24T03:56:54.818Z ce1cc537-128b-46ad-9224-b2b17443c0e9 debug: AccountSASAuthenticator:validate() Retrieved account name from context: devstoreaccount1, container: pictures, blob: 
2020-01-24T03:56:54.818Z ce1cc537-128b-46ad-9224-b2b17443c0e9 debug: AccountSASAuthenticator:validate() Got account properties successfully.
2020-01-24T03:56:54.818Z ce1cc537-128b-46ad-9224-b2b17443c0e9 debug: AccountSASAuthenticator:validate() Retrieved signature from URL parameter sig: undefined
2020-01-24T03:56:54.818Z ce1cc537-128b-46ad-9224-b2b17443c0e9 info: AccountSASAuthenticator:validate() Failed to get valid account SAS values from request.
2020-01-24T03:56:54.834Z ce1cc537-128b-46ad-9224-b2b17443c0e9 info: BlobSASAuthenticator:validate() Start validation against blob service Shared Access Signature pattern.
2020-01-24T03:56:54.834Z ce1cc537-128b-46ad-9224-b2b17443c0e9 debug: BlobSASAuthenticator:validate() Getting account properties...
2020-01-24T03:56:54.834Z ce1cc537-128b-46ad-9224-b2b17443c0e9 debug: BlobSASAuthenticator:validate() Retrieved account name from context: devstoreaccount1, container: pictures, blob: 
2020-01-24T03:56:54.834Z ce1cc537-128b-46ad-9224-b2b17443c0e9 debug: BlobSASAuthenticator:validate() Got account properties successfully.
2020-01-24T03:56:54.834Z ce1cc537-128b-46ad-9224-b2b17443c0e9 debug: BlobSASAuthenticator:validate() Retrieved signature from URL parameter sig: undefined
2020-01-24T03:56:54.834Z ce1cc537-128b-46ad-9224-b2b17443c0e9 debug: BlobSASAuthenticator:validate() No signature found in request. Skip blob service SAS validation.
2020-01-24T03:56:54.834Z ce1cc537-128b-46ad-9224-b2b17443c0e9 error: ErrorMiddleware: Received a MiddlewareError, fill error information to HTTP response
2020-01-24T03:56:54.834Z ce1cc537-128b-46ad-9224-b2b17443c0e9 error: ErrorMiddleware: ErrorName=StorageError ErrorMessage=Server failed to authenticate the request. Make sure the value of the Authorization header is formed correctly including the signature.  ErrorHTTPStatusCode=403 ErrorHTTPStatusMessage=Server failed to authenticate the request. Make sure the value of the Authorization header is formed correctly including the signature. ErrorHTTPHeaders={"x-ms-error-code":"AuthorizationFailure","x-ms-request-id":"ce1cc537-128b-46ad-9224-b2b17443c0e9"} ErrorHTTPBody="<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<Error>\n  <Code>AuthorizationFailure</Code>\n  <Message>Server failed to authenticate the request. Make sure the value of the Authorization header is formed correctly including the signature.\nRequestId:ce1cc537-128b-46ad-9224-b2b17443c0e9\nTime:2020-01-24T03:56:54.834Z</Message>\n</Error>" ErrorStack="StorageError: Server failed to authenticate the request. Make sure the value of the Authorization header is formed correctly including the signature.\n    at Function.getAuthorizationFailure (C:\\Users\\Carlo\\AppData\\Roaming\\npm\\node_modules\\azurite\\dist\\src\\blob\\errors\\StorageErrorFactory.js:113:16)\n    at C:\\Users\\Carlo\\AppData\\Roaming\\npm\\node_modules\\azurite\\dist\\src\\blob\\middlewares\\AuthenticationMiddlewareFactory.js:22:56\n    at processTicksAndRejections (internal/process/task_queues.js:97:5)"
2020-01-24T03:56:54.834Z ce1cc537-128b-46ad-9224-b2b17443c0e9 error: ErrorMiddleware: Set HTTP code: 403
2020-01-24T03:56:54.834Z ce1cc537-128b-46ad-9224-b2b17443c0e9 error: ErrorMiddleware: Set HTTP status message: Server failed to authenticate the request. Make sure the value of the Authorization header is formed correctly including the signature.
2020-01-24T03:56:54.834Z ce1cc537-128b-46ad-9224-b2b17443c0e9 error: ErrorMiddleware: Set HTTP Header: x-ms-error-code=AuthorizationFailure
2020-01-24T03:56:54.834Z ce1cc537-128b-46ad-9224-b2b17443c0e9 error: ErrorMiddleware: Set HTTP Header: x-ms-request-id=ce1cc537-128b-46ad-9224-b2b17443c0e9
2020-01-24T03:56:54.834Z ce1cc537-128b-46ad-9224-b2b17443c0e9 error: ErrorMiddleware: Set content type: application/xml
2020-01-24T03:56:54.834Z ce1cc537-128b-46ad-9224-b2b17443c0e9 error: ErrorMiddleware: Set HTTP body: "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n<Error>\n  <Code>AuthorizationFailure</Code>\n  <Message>Server failed to authenticate the request. Make sure the value of the Authorization header is formed correctly including the signature.\nRequestId:ce1cc537-128b-46ad-9224-b2b17443c0e9\nTime:2020-01-24T03:56:54.834Z</Message>\n</Error>"
2020-01-24T03:56:54.834Z ce1cc537-128b-46ad-9224-b2b17443c0e9 info: EndMiddleware: End response. TotalTimeInMS=47 StatusCode=403 StatusMessage=Server failed to authenticate the request. Make sure the value of the Authorization header is formed correctly including the signature. Headers={"server":"Azurite-Blob/3.4.0","x-ms-error-code":"AuthorizationFailure","x-ms-request-id":"ce1cc537-128b-46ad-9224-b2b17443c0e9","content-type":"application/xml"}

About this issue

  • State: open
  • Created 4 years ago
  • Reactions: 2
  • Comments: 23 (5 by maintainers)

Most upvoted comments

I am surprised how overcomplicated this is on MS side.

The format for the Authorization header is Authorization="[SharedKey|SharedKeyLite] <AccountName>:<Signature>" where:

  • SharedKey or SharedKeyLite is the name of the authorization scheme
  • AccountName is the name of the account requesting the resource
  • Signature is a Hash-based Message Authentication Code (HMAC) constructed from the request and computed by using the SHA256 algorithm, and then encoded by using Base64 encoding.

https://docs.microsoft.com/en-us/rest/api/storageservices/authorize-with-shared-key#specifying-the-authorization-header

With a process so complex, it’d be nice to see a concrete start-to-finish example with Azurite’s default account and key, including exactly what each piece of the data should be at each point in the process.
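A start-to-finish SharedKey computation for the Create Container request in this issue, added here as an example (it is not code from the Azurite project or from any commenter). It assumes Azurite's default account and key as quoted in this thread, and its string-to-sign layout follows the `[STRING TO SIGN]` line in the logs above; the function names are illustrative.

```python
import base64, hashlib, hmac
from email.utils import formatdate
from urllib.parse import parse_qs, urlsplit

ACCOUNT = "devstoreaccount1"
# Azurite's default development key, as quoted from the README in this thread.
KEY_B64 = "Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw=="
# Standard headers that occupy fixed, possibly empty, slots after the verb.
STD_HEADERS = ("content-encoding", "content-language", "content-length",
               "content-md5", "content-type", "date", "if-modified-since",
               "if-match", "if-none-match", "if-unmodified-since", "range")

def string_to_sign(method, url, headers):
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if h.get("content-length") == "0":
        h["content-length"] = ""  # a zero length is signed as an empty slot
    lines = [method.upper()] + [h.get(name, "") for name in STD_HEADERS]
    # Canonicalized headers: every x-ms-* header, lowercased and sorted.
    lines += [f"{k}:{h[k]}" for k in sorted(h) if k.startswith("x-ms-")]
    parts = urlsplit(url)
    # Canonicalized resource: "/" + account + URL path. Azurite's path-style
    # URLs already start with the account, so it appears twice (see the log).
    lines.append(f"/{ACCOUNT}{parts.path}")
    query = parse_qs(parts.query, keep_blank_values=True)
    lines += [f"{k.lower()}:{','.join(sorted(v))}"
              for k, v in sorted(query.items())]
    return "\n".join(lines)

def sign(to_sign, key_b64=KEY_B64):
    key = base64.b64decode(key_b64)  # the key feeds the HMAC; it is never sent
    mac = hmac.new(key, to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")

def authorization_header(method, url, headers):
    return f"SharedKey {ACCOUNT}:{sign(string_to_sign(method, url, headers))}"

if __name__ == "__main__":
    url = "http://127.0.0.1:10000/devstoreaccount1/pictures?restype=container"
    headers = {"x-ms-date": formatdate(usegmt=True),  # RFC 1123, current time
               "x-ms-version": "2019-02-02"}
    headers["Authorization"] = authorization_header("PUT", url, headers)
    args = " ".join(f'-H "{k}: {v}"' for k, v in headers.items())
    print(f'curl -X PUT "{url}" {args}')
```

The signature is only valid for the exact values that were signed, so the request must carry the same `x-ms-date` and `x-ms-version` headers that went into the string-to-sign.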

SharedKey authentication is one of the critical features Azurite provides (instead of ignoring authentication) and aligns with Azure Storage. Refer to https://docs.microsoft.com/en-us/rest/api/storageservices/authorize-with-shared-key for how SharedKey works.

In the meantime, you can use this SAS (generated from devstoreaccount1) if you need to debug in curl or Postman.

sv=2016-05-31&sig=SL1tiZVonWXUNfh93EQHCpz5DKYSeie5%2F7jeyK58yeI%3D&st=2018-12-17T06%3A10%3A39Z&se=2020-12-17T06%3A10%3A39Z&srt=sco&ss=bfqt&sp=racupwdl

Append the above SAS parameters to your URL without providing the Authentication header.

The authentication key header is dynamically generated every time. You can find out what Azurite expects in debug.log. Using curl to debug with SharedKey is not recommended. Try Azure Storage SDKs or Azure Storage Explorer.

Tried this and still get a 403 response with v3 Azurite; however, if you go to Storage Explorer, right-click your queue and click Get Shared Access Signature, it will create a URL that you can use.

Can you point me to the documentation on this? Surely curl is the easiest way to see what is actually going on?

@XiaoningLiu why does it expect that? The README.md says the default key is: Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==

Edit: I tried

curl -X PUT http://127.0.0.1:10000/devstoreaccount1/pictures?restype=container -H "Authorization: SharedKey devstoreaccount1:/S7T6ds2y+Gd7wYbOo7ljAx6dJCs0ub4jjvCFkOju9s="

But still get a 403