
New-AzStorageContainerSasToken won't work with New-AzStorageContext -UseConnectedAuth #10423

Closed
JustinGrote opened this issue Oct 30, 2019 · 10 comments
Labels
Service Attention This issue is responsible by Azure service team. Storage

Comments

@JustinGrote

Description

This example doesn't work: https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-user-delegation-sas-create-powershell.

-UseConnectedAccount does fetch an OAuth token, but the New-AzStorage*SasToken commands fail with "Cannot create Shared Access Signature unless Account Key credentials are used."

Steps to reproduce

Tested with a subscription owner (full permissions)

Issue

$context = New-AzStorageContext -StorageAccountName $StorageAccountName -UseConnectedAccount

#This will be blank
$context.storageaccount.credentials.ExportBase64EncodedKey()
#Will be true
$context.storageaccount.credentials.IsToken

New-AzStorageContainerSasToken -Context $context -Container $container -Permission r

Cannot create Shared Access Signature unless Account Key credentials are used.
At line:3 char:1
+ New-AzStorageContainerSasToken -Context $context -Container $containe ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [New-AzStorageContainerSASToken], InvalidOperationException
    + FullyQualifiedErrorId : InvalidOperationException,Microsoft.WindowsAzure.Commands.Storage.Blob.Cmdlet.NewAzureStorageContainerSasTokenCommand

Workarounds

1. Get the storage account and derive the context from that. Requires Contributor rights on the management plane of the storage account in order to run Get-AzStorageAccount (not ideal).

$storageAccount = Get-AzStorageAccount -Name $storageAccountName -ResourceGroupName $resourcegroupname
$context = $storageAccount.context
#This will actually show a key available
$context.storageaccount.credentials.ExportBase64EncodedKey()
#Will be true since it fetched an access key with Get-AzStorageAccount
$context.storageaccount.credentials.issharedkey

New-AzStorageContainerSasToken -Context $context -Container $container -Permission r

Environment data

Name                           Value
----                           -----
PSVersion                      5.1.19008.1
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.19008.1
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Module versions

Name          Version
----          -------
Az.Accounts   1.6.3  
Az.Automation 1.3.4
Az.Resources  1.7.0
Az.Storage    1.8.0

Also reproduced on powershell core and Azure Cloud Shell

Debug output

$context = New-AzStorageContext -StorageAccountName $StorageAccountName -UseConnectedAccount
DEBUG: 6:04:51 PM - NewAzureStorageContext begin processing with ParameterSet 'OAuthAccount'.
DEBUG: [Common.Authentication]: Authenticating using configuration values: Domain: '46a492ab-992f-49e9-a3d4-32120e848c35', Endpoint: 'https://login.microsoftonline.com/', ClientId: '1950a258-227b-4e31-a9cf-717495945fc2', ClientRedirect: 'urn:ietf:wg:oauth:2.0:oob', ResourceClientUri: 'https://storage.azure.com', ValidateAuthority: 'True'
DEBUG: [Common.Authentication]: Acquiring token using context with Authority 'https://login.microsoftonline.com/46a492ab-992f-49e9-a3d4-32120e848c35/', CorrelationId: '00000000-0000-0000-0000-000000000000', ValidateAuthority: 'True'
DEBUG: [Common.Authentication]: Acquiring token using AdalConfiguration with Domain: '46a492ab-992f-49e9-a3d4-32120e848c35', AdEndpoint: 'https://login.microsoftonline.com/', ClientId: '1950a258-227b-4e31-a9cf-717495945fc2', ClientRedirectUri: urn:ietf:wg:oauth:2.0:oob
DEBUG: [ADAL]: Information: 2019-10-30T01:04:51.0703630Z: 8f250429-e91b-45f3-bdee-1d4d16eb7a80 - LoggerBase.cs: ADAL PCL.CoreCLR with assembly version '3.19.2.6005', file version '3.19.50302.0130' and informational version '2a8bec6c4c76d0c1ef819b55bdc3cda2d2605056' is running...

DEBUG: [ADAL]: Information: 2019-10-30T01:04:51.0706791Z: 8f250429-e91b-45f3-bdee-1d4d16eb7a80 - LoggerBase.cs: ADAL PCL.CoreCLR with assembly version '3.19.2.6005', file version '3.19.50302.0130' and informational version '2a8bec6c4c76d0c1ef819b55bdc3cda2d2605056' is running...

DEBUG: [ADAL]: Information: 2019-10-30T01:04:51.0714262Z: 8f250429-e91b-45f3-bdee-1d4d16eb7a80 - LoggerBase.cs: === Token Acquisition started: 
        CacheType: null
        Authentication Target: User
        , Authority Host: login.microsoftonline.com

DEBUG: [ADAL]: Information: 2019-10-30T01:04:51.0716497Z: 8f250429-e91b-45f3-bdee-1d4d16eb7a80 - LoggerBase.cs: === Token Acquisition started:
        Authority: https://login.microsoftonline.com/46a492ab-992f-49e9-a3d4-32120e848c35/
        Resource: https://storage.azure.com
        ClientId: 1950a258-227b-4e31-a9cf-717495945fc2
        CacheType: null
        Authentication Target: User

DEBUG: [ADAL]: Verbose: 2019-10-30T01:04:51.5059265Z: 8f250429-e91b-45f3-bdee-1d4d16eb7a80 - LoggerBase.cs: Loading from cache.

DEBUG: [ADAL]: Verbose: 2019-10-30T01:04:51.5060693Z: 8f250429-e91b-45f3-bdee-1d4d16eb7a80 - LoggerBase.cs: Loading from cache.

DEBUG: [ADAL]: Information: 2019-10-30T01:04:51.5091087Z: 00000000-0000-0000-0000-000000000000 - LoggerBase.cs: Deserialized 8 items to token cache.

DEBUG: [ADAL]: Verbose: 2019-10-30T01:04:51.5139173Z: 8f250429-e91b-45f3-bdee-1d4d16eb7a80 - LoggerBase.cs: Looking up cache for a token...

DEBUG: [ADAL]: Verbose: 2019-10-30T01:04:51.5140311Z: 8f250429-e91b-45f3-bdee-1d4d16eb7a80 - LoggerBase.cs: Looking up cache for a token...

DEBUG: [ADAL]: Information: 2019-10-30T01:04:51.5173095Z: 8f250429-e91b-45f3-bdee-1d4d16eb7a80 - LoggerBase.cs: An item matching the requested resource was found in the cache

DEBUG: [ADAL]: Information: 2019-10-30T01:04:51.5174001Z: 8f250429-e91b-45f3-bdee-1d4d16eb7a80 - LoggerBase.cs: An item matching the requested resource was found in the cache

DEBUG: [ADAL]: Information: 2019-10-30T01:04:51.5190203Z: 8f250429-e91b-45f3-bdee-1d4d16eb7a80 - LoggerBase.cs: 51.6141169316667 minutes left until token in cache expires

DEBUG: [ADAL]: Information: 2019-10-30T01:04:51.5190886Z: 8f250429-e91b-45f3-bdee-1d4d16eb7a80 - LoggerBase.cs: 51.6141169316667 minutes left until token in cache expires

DEBUG: [ADAL]: Information: 2019-10-30T01:04:51.5191453Z: 8f250429-e91b-45f3-bdee-1d4d16eb7a80 - LoggerBase.cs: A matching item (access token or refresh token or both) was found in the cache

DEBUG: [ADAL]: Information: 2019-10-30T01:04:51.5191803Z: 8f250429-e91b-45f3-bdee-1d4d16eb7a80 - LoggerBase.cs: A matching item (access token or refresh token or both) was found in the cache

DEBUG: [ADAL]: Information: 2019-10-30T01:04:51.5220298Z: 8f250429-e91b-45f3-bdee-1d4d16eb7a80 - LoggerBase.cs: === Token Acquisition finished successfully. An access token was returned: Expiration Time: 10/30/2019 1:56:28 AM +00:00

DEBUG: [ADAL]: Information: 2019-10-30T01:04:51.5221453Z: 8f250429-e91b-45f3-bdee-1d4d16eb7a80 - LoggerBase.cs: === Token Acquisition finished successfully. An access token was returned: Expiration Time: 10/30/2019 1:56:28 AM +00:00
         Access Token Hash: T+2dWRFJaKyeHp6ojkc82lA098NQs1Py/rhQbupFwR0=
         User id: 2325542a-426b-4a67-a949-4baa3f28b69c

DEBUG: [Common.Authentication]: Renewing Token with Type: 'Bearer', Expiry: '10/30/2019 01:56:28 +00:00', MultipleResource? 'True', Tenant: '46a492ab-992f-49e9-a3d4-32120e848c35', UserId: '[email protected]'
DEBUG: [Common.Authentication]: User info for token DisplayId: '[email protected]', Name:  , IdProvider: 'https://sts.windows.net/2f46c040-48e3-4eb8-8fbf-418417f64401/', Uid: '2325542a-426b-4a67-a949-4baa3f28b69c'
DEBUG: [Common.Authentication]: Checking token expiration, token expires '10/30/2019 01:56:28 +00:00' Comparing to '10/30/2019 01:04:51 +00:00' With threshold '00:05:00', calculated time until token expiry: '00:51:36.8413749'
DEBUG: 10/29/2019 6:04:51 PM: token:eyJ0eXA<truncated>

Error output

New-AzStorageContainerSasToken -Context $context -Container $container -Permission r

Cannot create Shared Access Signature unless Account Key credentials are used.
At line:3 char:1
+ New-AzStorageContainerSasToken -Context $context -Container $containe ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [New-AzStorageContainerSASToken], InvalidOperationException
    + FullyQualifiedErrorId : InvalidOperationException,Microsoft.WindowsAzure.Commands.Storage.Blob.Cmdlet.NewAzureStorageContainerSasTokenCommand
@blueww
Member

blueww commented Oct 30, 2019

@JustinGrote
Please note that the feature is not GA, so it is only available in the preview module of Az.Storage.
In https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-user-delegation-sas-create-powershell, it says you need to install Az.Storage 1.3.1-preview in Step #5, and need to import it after Step #6.

But you use Az.Storage 1.8.0, which is a stable release and does not support this feature.
You can install the latest preview module, 1.8.2-preview, to use it:

# Note: the parameter dashes must be ASCII hyphens; en-dashes (–) are not parsed as parameters by PowerShell
Install-Module Az.Storage `
    -Repository PSGallery `
    -RequiredVersion 1.8.2-preview `
    -AllowPrerelease `
    -AllowClobber `
    -Force

@wyunchi-ms wyunchi-ms added Service Attention This issue is responsible by Azure service team. Storage and removed triage labels Oct 30, 2019
@ghost

ghost commented Oct 30, 2019

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @xgithubtriage


@JustinGrote
Author

JustinGrote commented Oct 30, 2019 via email

@blueww blueww closed this as completed Oct 30, 2019
@vnextcoder

It appears that the issue is back again with Az.Storage version 2.3. I have just experienced the same as @JustinGrote.

Get-Module -Name Az.Storage

ModuleType Version Name       ExportedCommands
---------- ------- ----       ----------------
Script     2.3.0   Az.Storage {Add-AzRmStorageContainerLegalHold, Add-AzStorageAccountManagementPolic...

Get-Module -Name Az.Accounts

ModuleType Version Name        ExportedCommands
---------- ------- ----        ----------------
Script     1.9.1   Az.Accounts {Add-AzEnvironment, Clear-AzContext, Clear-AzDefault, Connect-AzAccount...

$ctx = New-AzStorageContext -StorageAccountName secretstore -UseConnectedAccount
New-AzStorageContainerSASToken -Context $ctx `
    -Name appdata `
    -Permission racwdl `
    -ExpiryTime 22-07-2020

New-AzStorageContainerSASToken : This request is not authorized to perform this operation using this permission. HTTP Status Code:
403 - HTTP Error Message: This request is not authorized to perform this operation using this permission.
ErrorCode: AuthorizationPermissionMismatch
ErrorMessage: This request is not authorized to perform this operation using this permission.
RequestId:f725bc07-701e-0002-08dd-5d3828000000
Time:2020-07-19T15:01:46.8890151Z
At line:1 char:1
+ New-AzStorageContainerSASToken -Context $ctx `
    + FullyQualifiedErrorId : StorageException,Microsoft.WindowsAzure.Commands.Storage.Blob.Cmdlet.NewAzureStorageContainerSasToken

@blueww
Member

blueww commented Jul 20, 2020

@vnextcoder

The error is because your OAuth account doesn't have permission to generateUserDelegationKey.
To get a SAS with an OAuth storage context (New-AzStorageContext -UseConnectedAuth), we need to first generate a UserDelegationKey from the server, then use the key to generate the SAS token.

Please check that you have assigned the correct roles to the OAuth login user (with Connect-AzAccount), i.e. at least one of the following 4 roles on the specific storage account:

  • Storage Blob Data Owner
  • Storage Blob Data Contributor
  • Storage Blob Data Reader
  • Storage Blob Delegator

@vnextcoder

Well, I was using my Administrator account. Should I still be required to get a new context?

@blueww
Member

blueww commented Jul 20, 2020

The administrator account might only have the management plane roles, but not data plane roles. (For example, the management plane role "Owner" doesn't have data plane permission, but can assign the data plane role to yourself.)
Please make sure your login account has at least one of the above 4 roles on the related storage account.

You can find the details of all roles in link.

@vnextcoder

I think I confused you in my earlier comment.
I am using the account that was used to sign up for the Azure subscription (Global Administrator).

Should it not work with Global Administrator as well?

@blueww
Member

blueww commented Jul 20, 2020

@vnextcoder
When the account doesn't have any of the above 4 roles on the storage account, even if it's Global Administrator, generating an OAuth SAS won't work.
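The two points blueww makes above (a user delegation SAS is minted from a server-issued user delegation key, and only a principal holding one of the four data-plane roles on the storage account can request that key) can be checked before the cmdlet is called, so the 403 AuthorizationPermissionMismatch seen earlier in the thread is diagnosed up front. The following script is an added example and is not code from the issue or from the Az.Storage module; the resource group, storage account and container names are placeholder assumptions, and it assumes Connect-AzAccount has already run with an Az.Storage version that supports -UseConnectedAccount SAS generation.

```powershell
# Added example (not from the issue thread). Assumed placeholder values:
$ResourceGroupName  = 'rg-example'   # assumption
$StorageAccountName = 'stexample'    # assumption
$ContainerName      = 'appdata'      # assumption

# The four data-plane roles listed in the thread that may call generateUserDelegationKey.
$delegationRoles = @(
    'Storage Blob Data Owner',
    'Storage Blob Data Contributor',
    'Storage Blob Data Reader',
    'Storage Blob Delegator'
)

$azContext  = Get-AzContext
$signInName = $azContext.Account.Id
$scope      = "/subscriptions/$($azContext.Subscription.Id)/resourceGroups/$ResourceGroupName" +
              "/providers/Microsoft.Storage/storageAccounts/$StorageAccountName"

# Role assignments inherit downward, so querying at the storage account scope also
# returns assignments made at the resource group or subscription level.
# -ExpandPrincipalGroups includes roles granted through group membership.
$assignments = Get-AzRoleAssignment -SignInName $signInName -Scope $scope -ExpandPrincipalGroups
$dataPlane   = $assignments | Where-Object { $delegationRoles -contains $_.RoleDefinitionName }

if (-not $dataPlane) {
    # This is the situation vnextcoder hit: a management-plane Owner / Global Administrator
    # with no data-plane role. An Owner can grant one to itself, e.g.
    #   New-AzRoleAssignment -SignInName $signInName -RoleDefinitionName 'Storage Blob Delegator' -Scope $scope
    # (not executed here so the script only reads state and never changes it).
    throw "'$signInName' holds none of [$($delegationRoles -join ', ')] on $StorageAccountName; " +
          "New-AzStorageContainerSASToken would fail with AuthorizationPermissionMismatch (403)."
}

Write-Host "Data-plane role(s) found: $(($dataPlane.RoleDefinitionName | Sort-Object -Unique) -join ', ')"

# OAuth-backed context: as the issue shows, IsToken is $true and no shared key is present.
$ctx = New-AzStorageContext -StorageAccountName $StorageAccountName -UseConnectedAccount
if (-not $ctx.StorageAccount.Credentials.IsToken) {
    throw 'Expected a token-based (OAuth) storage context.'
}

# User delegation SAS: keep it narrow (read + list) and short-lived, HTTPS only.
# User delegation SAS lifetimes are capped at 7 days by the service.
$sas = New-AzStorageContainerSASToken -Context $ctx `
    -Name       $ContainerName `
    -Permission rl `
    -Protocol   HttpsOnly `
    -StartTime  (Get-Date).AddMinutes(-5) `
    -ExpiryTime (Get-Date).AddHours(1)

Write-Host "Container SAS issued (expires in 1h): $sas"
```

Two properties of a user delegation SAS are worth keeping in mind when reading the output. The permissions string on the SAS cannot exceed what the signing principal is itself allowed to do, so a token requested by an account that only holds Storage Blob Delegator yields a SAS that the service rejects for data operations; pairing Storage Blob Delegator with Storage Blob Data Reader is the least-privilege combination for issuing read-only tokens. And because the SAS is signed with a user delegation key rather than the account key, it can be revoked by revoking the delegation keys for the account, which the account-key workaround in the opening post does not allow without rotating the key itself.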
