
I already managed to create an account shared access token, not a user delegated token.

from azure.identity import DefaultAzureCredential, ClientSecretCredential
from azure.storage.blob import BlobServiceClient
import requests
from datetime import datetime, timedelta
from argparse import ArgumentParser
from concurrent.futures import ThreadPoolExecutor
from dotenv import load_dotenv
from pathlib import Path
import os

env_dir = Path('./').resolve()
load_dotenv(os.path.join(env_dir, '.env'))
 
# Retrieve credentials from environment variables
tenant_id = os.environ.get("AZURE_TENANT_ID")
client_id = os.environ.get("AZURE_CLIENT_ID")
client_secret = os.environ.get("AZURE_CLIENT_SECRET")
subscription_id = os.environ.get("AZURE_SUBSCRIPTION_ID")
storage_account_name = os.environ.get("STORAGE_ACCOUNT_NAME")
resource_group_name = os.environ.get("RESOURCE_GROUP_NAME")

credential = ClientSecretCredential(tenant_id=tenant_id, client_id=client_id, client_secret=client_secret)

# Create a BlobServiceClient object
blob_service_client = BlobServiceClient(account_url=f"https://{storage_account_name}.blob.core.windows.net", credential=credential)
token = credential.get_token("https://management.azure.com/.default").token

sas_url = (
    f"https://management.azure.com/subscriptions/{subscription_id}/"
    f"resourceGroups/{resource_group_name}/providers/Microsoft.Storage/"
    f"storageAccounts/{storage_account_name}/listServiceSas/?api-version=2021-09-01"
)

signed_exp = (datetime.utcnow() + timedelta(hours=1)).strftime("%Y-%m-%dT%H:%M:%SZ")
body = {
    "signedVersion": "2020-02-10",
    "canonicalizedResource": f"/blob/{storage_account_name}/{storage_account_name}-bronze",
    "signedResource": "c",
    "signedPermission": "l",
    "signedProtocol": "https",
    "signedExpiry": signed_exp,
}

response = requests.post(sas_url, headers={"Authorization": f"Bearer {token}"}, json=body)

sas_token = response.json()['serviceSasToken']

The sas_token contains 'sv=2020-02-10&sr=c&spr=https&se=2025-07-22T12%3A26%3A25.0000000Z&sp=l&sig=<the signature generated>', but for some reason when I use it as the credential for BlobServiceClient(account_url=f"https://{storage_account_name}.blob.core.windows.net", credential=sas_token) and finally list all the files inside my container, I always get a:

azure.core.exceptions.ClientAuthenticationError: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
RequestId:b92d6309-f01e-003e-23fb-fa1ee3000000
Time:2025-07-22T11:27:52.2033000Z
ErrorCode:AuthenticationFailed
authenticationerrordetail:Signature did not match. String to sign used was l


I clearly already set the RBAC role for my storage account with Storage Blob Data Contributor and Storage Queue Data Contributor, and followed the query parameters needed to access and at least list the blobs which only has a directory and another file.

[Image: Azure container with files]

Why can't I seemingly just run the following lines?

for file in container_client.list_blobs():
    print(file.name)

I've tried even just listing the containers inside the storage account and this doesn't work either. I've also turned off hierarchical namespacing and kept storage access keys on, so what am I doing wrong?

  • Please share the full error message. Commented Jul 22 at 13:21
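
Added example, not part of the original question or of any answer: a small offline inspector for a service SAS query string like the one quoted above, reporting its scope (`sr`), permissions (`sp`), protocol restriction and validity window without checking the signature. The function names, the field tables (a subset of the documented values) and the sample token with its placeholder signature are assumptions made for illustration.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Subset of service SAS field values; unknown codes are passed through as-is.
RESOURCE = {"c": "container", "b": "blob", "bs": "blob snapshot",
            "bv": "blob version", "d": "directory"}
PERMS = {"r": "read", "a": "add", "c": "create", "w": "write",
         "d": "delete", "l": "list"}


def parse_sas_time(value):
    """Parse a SAS UTC timestamp, dropping any fractional seconds."""
    core = value.rstrip("Z").split(".")[0]
    for fmt in ("%Y-%m-%dT%H:%M:%S", "%Y-%m-%dT%H:%M", "%Y-%m-%d"):
        try:
            return datetime.strptime(core, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time: {value!r}")


def inspect_service_sas(token, now):
    """Report what a service SAS query string grants; the signature is not checked."""
    # parse_qs also undoes the percent-encoding (%3A -> ':') seen in the 'se' field.
    fields = {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}
    missing = [k for k in ("sv", "sr", "sp", "se", "sig") if k not in fields]
    if missing:
        raise ValueError(f"missing SAS fields: {missing}")
    expires = parse_sas_time(fields["se"])
    starts = parse_sas_time(fields["st"]) if "st" in fields else None
    return {
        "version": fields["sv"],
        "resource": RESOURCE.get(fields["sr"], fields["sr"]),
        "permissions": [PERMS.get(p, p) for p in fields["sp"]],
        "https_only": fields.get("spr") == "https",
        "not_yet_valid": starts is not None and now < starts,
        "expired": now >= expires,
        "seconds_left": max(0, int((expires - now).total_seconds())),
    }


if __name__ == "__main__":
    # Constructed sample: field values quoted in the question, placeholder signature.
    sample = ("sv=2020-02-10&sr=c&spr=https"
              "&se=2025-07-22T12%3A26%3A25.0000000Z&sp=l&sig=PLACEHOLDER")
    when = datetime(2025, 7, 22, 11, 27, 52, tzinfo=timezone.utc)  # time in the quoted error
    for key, value in inspect_service_sas(sample, when).items():
        print(f"{key}: {value}")
```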
