
Node.js failed to connect azure-blob using SAS token when domain is customized


Following the official doc, I wrote this script to try to connect to a custom-domain Azure storage space:

const { BlobServiceClient } = require("@azure/storage-blob");

const account = "validaccount";
const sas = "sv=xxxx&.......";

const blobServiceClient = new BlobServiceClient(`https://${account}.blob.core.customdomain.name${sas}`);

//===============

async function main() {
  let i = 1;
  let containers = blobServiceClient.listContainers();
  for await (const container of containers) {
    console.log(`Container ${i++}: ${container.name}`);
  }
}

main();

I got this error: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.

I'm sure the SAS URI is valid; I can use it in Azure Blob Storage Explorer, but it doesn't work in my code.

I tried some combinations like:

  1. https://${account}.blob.core.customdomain.name?${sas} //add a '?'
  2. https://${account}.blob.core.customdomain.name/abc?${sas} //abc is a valid container name
  3. https://${account}.blob.core.customdomain.name/abc${sas} //remove '?' but keep container name
  4. https://${account}.blob.core.customdomain.name',sas //try to pass as two parameters.

But they all failed.

I'm not sure whether there is another method.

I guess it may be because the SAS token is only authorized for the abc container, so it can't read the domain's root.

But if so, why did the 2nd combination also fail?

I use @azure/storage-blob v12.3.0.


Solution

  • I found the right answer.

    The core of the problem is that the SAS token they gave me was already bound to the container named "abc".

    The SAS token was not an authorization for everything under the domain; the token only authorized me to visit the container "abc".

    So when I created the BlobServiceClient object, the "position" (if I can say so) was already under the container 'abc'. Since I'm already in a container, I can't list containers anymore.

    When I changed the full path and tried to connect to the root, the token was actually not allowed. Of course the authorization failed.

    Conclusion:

    The SAS token is already bound to the specific container 'abc', so I can neither list the containers nor visit the domain's root path.

    I can only list the blobs in the specific container.

    The blob-storage package's error message is not very clear.

    Here's the code:

    const { BlobServiceClient } = require("@azure/storage-blob");
    const account = "validaccount";
    const sas = "sv=xxxx&.......";
    // The URL already points at the container 'abc' and carries the SAS as its query string.
    const blobServiceClient = new BlobServiceClient(`https://${account}.blob.core.customdomain.name/abc?${sas}`);
    
    ////====== just change 'list container' code to 'list blobs' code
    
    const containerName = ""; // empty string, since you are already in the container.
    
    async function main() {
      const containerClient = blobServiceClient.getContainerClient(containerName);
      let i = 1;
      let blobs = containerClient.listBlobsFlat();
      for await (const blob of blobs) {
        console.log(`Blob ${i++}: ${blob.name}`);
      }
    }
    
    main();
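
The scope the answer describes can be read from the SAS query string itself before any request is sent. The following is an added example, not part of the original post and not code from the Azure SDK: `describeSas` is a hypothetical helper, the sample tokens are constructed, and the client suggestion is an assumption based on the `sr`, `srt`, `ss`, `sp` and `se` fields documented for Azure Storage SAS tokens.

```javascript
// Added example: classify a SAS token's scope from its documented query fields.
function describeSas(sasOrUrl, now = new Date()) {
  // Accept a full URL, "?sv=...", or a bare "sv=..." token.
  const q = sasOrUrl.indexOf("?");
  const p = new URLSearchParams(q >= 0 ? sasOrUrl.slice(q + 1) : sasOrUrl);
  const perms = p.get("sp") || "";      // signed permissions, e.g. "rl"
  const canList = perms.includes("l");  // "l" = list
  const se = p.get("se");               // signed expiry (ISO 8601 UTC)
  const expired = se !== null && new Date(se) <= now;

  let kind = "unknown", canListContainers = false, canListBlobs = false;
  let client = null; // suggested @azure/storage-blob client class (assumption)
  if (p.has("srt")) {
    // Account SAS: ss = services (b = blob), srt = resource types (s, c, o).
    kind = "account";
    const blobSvc = (p.get("ss") || "").includes("b");
    canListContainers = blobSvc && canList && p.get("srt").includes("s");
    canListBlobs = blobSvc && canList && p.get("srt").includes("c");
    client = "BlobServiceClient";
  } else if (p.has("sr")) {
    // Service SAS: sr = signed resource (c = container, b = blob).
    kind = "service";
    const sr = p.get("sr");
    canListBlobs = canList && sr === "c";
    client = sr === "c" ? "ContainerClient" : sr === "b" ? "BlobClient" : null;
  }
  return { kind, permissions: perms, expired, canListContainers, canListBlobs, client };
}

// Constructed sample tokens (signatures are placeholders, not real credentials).
const containerSas = "https://validaccount.blob.core.customdomain.name/abc" +
  "?sv=2019-12-12&sr=c&sp=rl&se=2030-01-01T00%3A00%3A00Z&sig=CONSTRUCTED";
const accountSas =
  "sv=2019-12-12&ss=b&srt=sco&sp=rl&se=2030-01-01T00%3A00%3A00Z&sig=CONSTRUCTED";

console.log(describeSas(containerSas)); // service SAS, container scope
console.log(describeSas(accountSas));   // account SAS, blob service
```

A token reporting `kind: "service"` with `canListContainers: false` is the least-privilege case from the question: the authentication failure on `listContainers()` is the expected result, not a malformed URL.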