django-storages: Azure - Authentication error when `AZURE_CUSTOM_DOMAIN` set to Azure CDN
Ever since the Azure backend was updated to the new `azure-storage-blob` library in `v1.12`, using django-storages with `AZURE_CUSTOM_DOMAIN` set results in Authentication errors when uploading files. For me this only happens with Akamai CDNs, but as reported by others below it affects other CDN types as well.
`v1.12` changed how `AZURE_CUSTOM_DOMAIN` is used with `BlobServiceClient`. In `v1.11` and earlier, the custom domain was only used to get blob URLs. All other operations like uploading, streaming, getting metadata were being done by making requests to the actual storage account endpoint (`https://<accountname>.blob.core.windows.net`) even if a custom domain was specified.
In `v1.12`, the behaviour changed so that the custom domain endpoint is used for all storage operations. This uncovered several different upstream issues causing various storage requests to fail with auth errors.
Issues
1. Auth error due to MAC signature mismatch when `AZURE_CUSTOM_DOMAIN` set to Akamai CDN
Upstream issue: https://github.com/Azure/azure-sdk-for-python/issues/26381
Uploads fail with the following error:
```
ClientAuthenticationError: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
...
authenticationerrordetail:The MAC signature found in the HTTP request '5dC3N7RcRW9V...' is not the same as any computed signature. Server used following string to sign: 'PUT
1
application/octet-stream
x-ms-blob-type:BlockBlob
x-ms-client-request-id:xxxx
x-ms-date:Mon, 21 Feb 2022 07:34:35 GMT
x-ms-version:2020-10-02
Content: <?xml version="1.0" encoding="utf-8"?><Error><Code>AuthenticationFailed</Code><Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed
correctly including the signature.
RequestId:xxx
Time:2022-02-21T07:34:35.1058206Z</Message><AuthenticationErrorDetail>The MAC signature found in the HTTP request '5dC3N7RcRW9V...' is not the same as any computed
signature. Server used following string to sign: 'PUT
```
2. Forbidden ClientAuthenticationError when `AZURE_CUSTOM_DOMAIN` set to Microsoft CDN
Upstream issue: https://github.com/Azure/azure-sdk-for-python/issues/23640
Uploads fail with the following error (different than above):
```
azure.core.exceptions.ClientAuthenticationError: Operation returned an invalid status 'Forbidden'
ErrorCode:AuthenticationFailed
```
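
Added example (not from the issue, django-storages or the Azure SDK): the error detail in issue 1 prints the string the server signed, so rebuilding the client's Shared Key string-to-sign and comparing the two line by line shows which signed field differs. The key, account name, blob path and the header changed in transit are constructed assumptions; the issue does not say which field a CDN alters.

```python
import base64
import hashlib
import hmac

# Standard header slots, in the order Shared Key signs them for the Blob service.
SLOTS = ["content-encoding", "content-language", "content-length", "content-md5",
         "content-type", "date", "if-modified-since", "if-match",
         "if-none-match", "if-unmodified-since", "range"]

def string_to_sign(verb, headers, account, path):
    """Build the Shared Key string-to-sign from the headers one party sees."""
    h = {k.lower(): str(v).strip() for k, v in headers.items()}
    if h.get("content-length") == "0":
        h["content-length"] = ""      # zero length is signed as an empty slot
    if "x-ms-date" in h:
        h["date"] = ""                # x-ms-date takes the place of Date
    lines = [verb.upper()] + [h.get(s, "") for s in SLOTS]
    lines += [f"{k}:{h[k]}" for k in sorted(h) if k.startswith("x-ms-")]
    return "\n".join(lines + [f"/{account}{path}"])   # no query parameters here

def sign(key_b64, to_sign):
    """Base64(HMAC-SHA256(key, string-to-sign)), the Authorization signature."""
    mac = hmac.new(base64.b64decode(key_b64), to_sign.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def changed_slots(client_sts, server_sts):
    """Name each string-to-sign line that differs between client and server."""
    c, s = client_sts.split("\n"), server_sts.split("\n")
    width = max(len(c), len(s))
    c += ["<absent>"] * (width - len(c))
    s += ["<absent>"] * (width - len(s))
    names = ["verb"] + SLOTS
    return [(names[i] if i < len(names) else f"line {i}", a, b)
            for i, (a, b) in enumerate(zip(c, s)) if a != b]

# Constructed sample: a demo key, a hypothetical account and blob path.
KEY = base64.b64encode(b"constructed-demo-key-not-a-secret").decode()
SENT = {"Content-Length": "1", "Content-Type": "application/octet-stream",
        "x-ms-blob-type": "BlockBlob", "x-ms-client-request-id": "xxxx",
        "x-ms-date": "Mon, 21 Feb 2022 07:34:35 GMT", "x-ms-version": "2020-10-02"}
# Hypothetical change in transit; the page does not say which field a CDN alters.
RECEIVED = dict(SENT, **{"Content-Encoding": "identity"})

client_sts = string_to_sign("PUT", SENT, "exampleaccount", "/media/a.bin")
server_sts = string_to_sign("PUT", RECEIVED, "exampleaccount", "/media/a.bin")

if __name__ == "__main__":
    print("signatures match:", sign(KEY, client_sts) == sign(KEY, server_sts))
    for slot, sent, seen in changed_slots(client_sts, server_sts):
        print(f"{slot}: client signed {sent!r}, server signed {seen!r}")
```
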
About this issue
- State: closed
- Created 2 years ago
- Reactions: 1
- Comments: 16 (6 by maintainers)
@jschneier, when will we get a new PyPI release with this change rolled in? Thank you for the great library!
I created a PR #1176 to revert back to the old behaviour so that `AZURE_CUSTOM_DOMAIN` is used only for generating file URLs. This is in line with the other storage backends. I also updated the docs to clarify this.
For anyone following or looking at this thread, the fix is in the published 1.13.2 version. Thank you!
Did you report the problem that opens this thread to the Azure SDK repository? Since that repro didn’t involve django-storages at all, it’s clear that any fix would need to be upstream.
Of course it might make sense to implement some workaround while waiting for upstream to sort this. But this is not the only codebase that uses blob storage - it’s better for the world if this can be fixed at root!
I am using Microsoft CDN + Azure Storage Account. I agree with your proposed fix, see my comment above.