generate_blob_sas creating invalid SAS token

Question

I'm updating some scripts that were using Microsoft's older azure-storage module and switching up the the v12 SDK.

I'm encountering an issue generating SAS tokens for blobs. Using the following code:

from datetime import datetime, timedelta
from azure.storage.blob import (
    BlobServiceClient,
    BlobSasPermissions,
    generate_blob_sas,
)

client = BlobServiceClient(account_url=account_url, credential=account_key)
token = generate_blob_sas(
            account_name=client.account_name,
            account_key=client.credential.account_key,
            container_name="tempcontainer",
            blob_name="test.txt",
            permissions=BlobSasPermissions(read=True),
            expiry=datetime.utcnow() + timedelta(hours=1),
        )

I receive tokens that look like this:

se=2021-05-04T01%3A50%3A41Z&sv=2020-06-12&sr=b&sig=___________________________________________%3D

Which when I attempt to use to download the resource returns the following error:

<Error>
  <link type="text/css" rel="stylesheet" id="dark-mode-custom-link"/>
  <link type="text/css" rel="stylesheet" id="dark-mode-general-link"/>
  <style lang="en" type="text/css" id="dark-mode-custom-style"/>
  <style lang="en" type="text/css" id="dark-mode-native-style"/>
  <Code>AuthenticationFailed</Code>
  <Message>
      Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. RequestId:7c78e0c4-001e-010f-6b7f-40cd26000000 Time:2021-05-04T00:48:24.8329422Z
  </Message>
  <AuthenticationErrorDetail>sp is mandatory. Cannot be empty</AuthenticationErrorDetail>
</Error>

Using the same account and credentials, I'm still able to successfully generate SAS tokens using the older version:

from azure.storage.blob import BlockBlobService, ContainerPermissions

token = self.client.generate_blob_shared_access_signature(
    "tempcontainer",
    "test.txt",
    ContainerPermissions.READ,
    datetime.now() + duration,
)

Which produces working tokens, with the "sp" query param being included.

se=2021-06-03T16%3A57%3A59Z&sp=r&sv=2017-04-17&sr=b& sig=___________________________________________%3D

I've also tested with Azure Storage Explorer to verify that the account/key that I'm using aren't the problem, and I'm able to generate SAS links via that tool as well.

Here's the output of pip list and all the azure modules installed in my venv:

azure-common                  1.1.25
azure-core                    1.13.0
azure-identity                1.3.1
azure-keyvault-secrets        4.1.0
azure-mgmt-core               1.2.2
azure-mgmt-keyvault           2.2.0
azure-storage-blob            12.8.1

Is there something I'm doing wrong with the new SDK to generate these SAS tokens? Is this somehow a different token, or there's some extra param that I'm missing? Maybe a different/better way to generate SAS tokens with this new version?

Many thanks in advance for any help in this!

Answer 1

In your code using V12 SDK, for generate_blob_sas function, the param name should be permission instead of permissions

This is my test code based on the code you shared:

from datetime import datetime, timedelta
from azure.storage.blob import (
    BlobSasPermissions,
    generate_blob_sas
)

token = generate_blob_sas(
            account_name='<account name>',
            account_key='<account key>',
            container_name='<container name>',
            blob_name='<blob name>',
            permission=BlobSasPermissions(read=True),
            expiry=datetime.utcnow() + timedelta(hours=1),
        )

print(token)

Result: