Terraform + SAS = AuthenticationFailed

Hello.

It’s my first post so I hope to make a good impression (=

With Terraform I created a storage + private container + blob with a file and it works:

terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
      version = "3.52.0"
    }
  }
}

[...]

resource "azurerm_storage_account" "exampleSTRGPriv" {
  name                     = "randomname"
  resource_group_name      = azurerm_resource_group.exampleRG.name
  location                 = azurerm_resource_group.exampleRG.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

resource "azurerm_storage_container" "exampleCONTPriv" {
  name                  = "examplecontainer"
  storage_account_name  = azurerm_storage_account.exampleSTRGPriv.name
  container_access_type = "private"
}

resource "azurerm_storage_blob" "exampleBLOBPriv" {
  name                   = "exampleblob"
  storage_account_name   = azurerm_storage_account.exampleSTRGPriv.name
  storage_container_name = azurerm_storage_container.exampleCONTPriv.name
  type                   = "Block"
  source                 = "ficheros/testeo.sql"
}

So I created a SAS and I tried to use it. This is the SAS code:

data "azurerm_storage_account_sas" "exampleSAS" {
  connection_string = azurerm_storage_account.exampleSTRGPriv.primary_connection_string
  https_only        = true
  signed_version    = "2021-12-02"

  resource_types {
    service   = true
    container = true
    object    = true
  }

  services {
    blob  = true
    queue = false
    table = false
    file  = true
  }

  start  = "2018-03-21T00:00:00Z"
  expiry = "2025-03-21T00:00:00Z"

  permissions {
    read    = true
    write   = false
    delete  = false
    list    = false
    add     = false
    create  = false
    update  = false
    process = false
    tag     = false
    filter  = false
  }
}

output "sas_token_and_blob_url" {
  value = nonsensitive("La firma SAS es :${azurerm_storage_account.exampleSTRGPriv.primary_blob_endpoint}${azurerm_storage_container.exampleCONTPriv.name}/${azurerm_storage_blob.exampleBLOBPriv.name}${data.azurerm_storage_account_sas.exampleSAS.sas}")
}

And it showed the URL + SAS like this:

https://randomname.blob.core.windows.net/examplecontainer/exampleblob?sv=2021-12-02&ss=bf&srt=sco&sp=r&se=2025-03-21T00:00:00Z&st=2018-03-21T00:00:00Z&spr=https&sig=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

but it displayed an error:

Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. RequestId:62a33832-201e-0048-4315-78afb2000000 Time:2023-04-26T08:00:36.9867626Z

On the other hand, if I use the portal and generate a SAS, it does allow me to access the file and the curious thing is that not all the arguments are the same.

sp=r&st=2023-04-26T08:52:17Z&se=2023-04-26T16:52:17Z&spr=https&sv=2021-12-02&sr=b&sig=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Any idea?

Regards.

Hi everyone!

I found the solution… it’s the SAS format version; if I use signed_version = 2019-10-10 it works.

Here is the info: Shared access signature missing variable options · Issue #18007 · hashicorp/terraform-provider-azurerm · GitHub

Regards.
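An added illustration, not code from the posts or from the provider: it shows why an account SAS that carries a newer `sv` but was signed with the older field layout would be rejected with AuthenticationFailed. The two string-to-sign layouts follow Microsoft's account SAS documentation (one extra encryption-scope field from version 2020-12-06); the account key is constructed, and `service_accepts` is a hypothetical, simplified stand-in for the service-side signature check.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed sample key (base64); not a real storage account key.
SAMPLE_KEY = base64.b64encode(b"constructed-demo-key-0123456789").decode()
# Parameters of the account SAS shown in the first post (signature excluded).
PARAMS = {"sv": "2021-12-02", "ss": "bf", "srt": "sco", "sp": "r",
          "se": "2025-03-21T00:00:00Z", "st": "2018-03-21T00:00:00Z",
          "spr": "https"}

def string_to_sign(account, q, with_scope):
    """Account SAS string-to-sign: every field is followed by a newline."""
    fields = [account, q["sp"], q["ss"], q["srt"], q.get("st", ""), q["se"],
              q.get("sip", ""), q.get("spr", ""), q["sv"]]
    if with_scope:  # extra signedEncryptionScope field for sv >= 2020-12-06
        fields.append(q.get("ses", ""))
    return "".join(field + "\n" for field in fields)

def signature(account, key_b64, q, with_scope):
    """Base64(HMAC-SHA256(decoded account key, UTF-8 string-to-sign))."""
    message = string_to_sign(account, q, with_scope).encode("utf-8")
    mac = hmac.new(base64.b64decode(key_b64), message, hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def make_token(account, key_b64, params, with_scope):
    """Build the SAS query string; urlencode escapes '+', '/' and '=' in sig."""
    sig = signature(account, key_b64, params, with_scope)
    return urlencode({**params, "sig": sig})

def service_accepts(account, key_b64, token):
    """Recompute the signature with the layout that the token's sv selects."""
    q = {k: v[0] for k, v in parse_qs(token, keep_blank_values=True).items()}
    needs_scope = q["sv"] >= "2020-12-06"  # ISO dates compare as strings
    expected = signature(account, key_b64, q, needs_scope)
    return hmac.compare_digest(expected, q["sig"])

if __name__ == "__main__":
    old_layout = make_token("randomname", SAMPLE_KEY, PARAMS, with_scope=False)
    new_layout = make_token("randomname", SAMPLE_KEY, PARAMS, with_scope=True)
    downgraded = make_token("randomname", SAMPLE_KEY,
                            {**PARAMS, "sv": "2019-10-10"}, with_scope=False)
    for name, tok in [("sv=2021-12-02, old layout", old_layout),
                      ("sv=2021-12-02, new layout", new_layout),
                      ("sv=2019-10-10, old layout", downgraded)]:
        print(name, "->", service_accepts("randomname", SAMPLE_KEY, tok))
```

The only difference between the rejected and the accepted token is one trailing empty field in the signed string, which is why the query parameters look well formed while the signature still fails.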