azure-storage, azure-blob-storage

Azure Storage : Unable to access Container blobs with defined Credentials


We are setting a Key for the Storage Account and then using it to access the contents as below:

var storageCredentials = new StorageCredentials(mediaStorageAccountName, base64EncodedKey);
var storageAccount = new CloudStorageAccount(storageCredentials, true);
var connString = storageAccount.ToString(true);

Then, using the same "storageAccount" to create the Blob Client;

CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient();

And to get the Container;

var container = blobClient.GetContainerReference(ContainerName);

"storageAccount" Credential properties are "IsSAS" FALSE, "IsSharedKey" TRUE, "IsToken" FALSE and "KeyName" is NULL.

But when a Blob is accessed with OpenReadAsync, it fails with the following exception:

The remote server returned an error: (403) Forbidden.,The remote server returned an error: (403) Forbidden. Line number: Microsoft.WindowsAzure.Storage Trace: at Microsoft.WindowsAzure.Storage.Core.Executor.Executor.EndExecuteAsync[T](IAsyncResult result) at Microsoft.WindowsAzure.Storage.Blob.CloudBlob.EndExists(IAsyncResult asyncResult) at Microsoft.WindowsAzure.Storage.Core.Util.AsyncExtensions.<>c__DisplayClass2`1.b__0(IAsyncResult ar)

It is basically getting all the references to Container/Blobs etc. correctly (gives the correct name), but when it tries to read/download/upload those, it fails.

Also, instead of using the "storageAccount" reference directly, even if it is secured with the following, it gives the same exception:

CloudStorageAccount storageAccount = new CloudStorageAccount(
   new Microsoft.WindowsAzure.Storage.Auth.StorageCredentials(storageAccountName, base64EncodedKey), true);

What is wrong here and how to fix this? Why is KeyName NULL? Is that causing this issue?


Solution

  • The 403 Forbidden exception is often caused by a wrong access key being used.

    As you are using Authorize with Shared Key, all authorized requests must include the Coordinated Universal Time (UTC) timestamp for the request. You can specify the timestamp either in the x-ms-date header, or in the standard HTTP/HTTPS Date header.

    The storage services ensure that a request is no older than 15 minutes by the time it reaches the service. This guards against certain security attacks, including replay attacks. When this check fails, the server returns response code 403 (Forbidden).

    So, review your server date and time.
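
A clock check for the last step of the answer above, as an added example (not part of the original answer or of the Azure SDK): it compares the local UTC clock with the Date header of a response from the storage endpoint and reports whether the difference exceeds the 15-minute window. The class and method names and the sample values are assumptions made for illustration.

```csharp
using System;
using System.Globalization;

static class SharedKeyClockCheck
{
    // Maximum request age the answer above quotes for Shared Key requests.
    static readonly TimeSpan MaxAge = TimeSpan.FromMinutes(15);

    // Local UTC clock minus the service's RFC 1123 Date response header.
    // Positive: local clock is ahead. Null: header is not RFC 1123.
    public static TimeSpan? SignedSkew(string serverDateHeader, DateTimeOffset localUtcNow)
    {
        DateTimeOffset serverTime;
        if (!DateTimeOffset.TryParseExact(serverDateHeader, "r",
                CultureInfo.InvariantCulture, DateTimeStyles.AssumeUniversal,
                out serverTime))
            return null;
        return localUtcNow - serverTime;
    }

    public static string Describe(string serverDateHeader, DateTimeOffset localUtcNow)
    {
        var skew = SignedSkew(serverDateHeader, localUtcNow);
        if (skew == null) return "Date header could not be parsed";
        var direction = skew.Value < TimeSpan.Zero ? "behind" : "ahead of";
        // A clock that runs behind makes every signed request look older than it is.
        var verdict = skew.Value.Duration() > MaxAge
            ? "more than 15 minutes apart, sync the clock first"
            : "within 15 minutes, check the account key next";
        // Timestamp this client would put in x-ms-date right now.
        var xMsDate = localUtcNow.ToString("R", CultureInfo.InvariantCulture);
        return "x-ms-date=" + xMsDate + "; local clock is "
            + skew.Value.Duration().TotalMinutes.ToString("F0", CultureInfo.InvariantCulture)
            + " min " + direction + " the service: " + verdict;
    }

    static void Main()
    {
        // Constructed sample values, not captured from a real account.
        var serverDate = "Tue, 05 Mar 2024 10:00:00 GMT";
        var now = new DateTimeOffset(2024, 3, 5, 9, 38, 0, TimeSpan.Zero);
        Console.WriteLine(Describe(serverDate, now));          // 22 min behind
        Console.WriteLine(Describe("05/03/2024 10:00", now));  // malformed header
    }
}
```

For a live check, pass `DateTimeOffset.UtcNow` and the Date header read from any response of the account's blob endpoint.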