Cant get correct SAS token on Azure web app - Authentication Failed. Python

Question

I'm calling the generate_sas_token API which generates an SAS token that I append to the end of the url to be able to access it. I had it working before but then I kept getting this error:

<Error> <Code> AuthenticationFailed </Code>
<Message>
Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
RequestId:ae350ec9-c01e-0010-06ca-257999000000
Time:2022-02-19T19:55:49.7901043Z
</Message>

<AuthenticationErrorDetail>
Signature did not match. String to sign used was rt

2022-02-19T21:55:49Z/blob/storage/files/someimage.jpg  

2020-10-02
b

Added my call

def generate_sas_token(file_name, img_url):

    pattern = r'\bhttps:\/\/lenstorage.blob.core.windows.net\/files\/\b'
    file_name = re.sub(pattern,'', img_url)

    AZURE_ACC_NAME = settings.AZURE_ACCOUNT_NAME
    AZURE_PRIMARY_KEY = settings.AZURE_PRIMARY_KEY
    AZURE_CONTAINER = settings.AZURE_CONTAINER

    sas = generate_blob_sas(account_name=AZURE_ACC_NAME,
                            account_key=AZURE_PRIMARY_KEY,
                            container_name=AZURE_CONTAINER,
                            blob_name=file_name,
                            permission=BlobSasPermissions(read=True),
                            expiry=datetime.utcnow() + timedelta(hours=2))

    
    sas_url ='https://'+AZURE_ACC_NAME+'.blob.core.windows.net/'+AZURE_CONTAINER+'/'+file_name+'?'+sas

    return sas_url

After many hours of reading I done the following: I've made sure both resources are in the same region and the times are both the same on both servers. I've checked all my environment variables and they are fine. I've manually generated a token and attached it to the url to access the image. I've somewhat gone through the configuration of azure storages but need some direction as to what would cause this as the error message doesn't provide much.

Update after suggestions

I added the start time and made it 15 minutes in the past in case of time skew. I also added tag as permission for good measure.

The aim being to make sure all the parameters/arguments were correct and matched as the signature wasn't matching.

No luck!

Thank you wizards!

Answer 1

tl:dr

Make sure your file_name has no whitespace and check all the arguments you're passing are in the correct format.

---

The problem was with %20 also known as whitespace in the file_name I naively Azure would handle it or provide a warning or error.

My file name structure in Azure Blob storage (file_name) was like this:

targets/my name/logo/Logo-H.jpg

which translates to:

targets/my%20name/logo/Logo-H.jpg

Purely my mistake and an oversight but I assumed Azure would have some type of catch/handle for this. I stripped out the whitespace from the URL and replaced with - resulting in..

targets/my-name/logo/Logo-H.jpg