Description
Describe the bug
I created a SAS Token in Azure (in the browser). The SAS Token is set up to read an Azure Storage Account's Table. It appears as:
2022-11-02&ss=bt&srt=sco&sp=rlatfx&se=2030-02-24T07:46:03Z&st=2025-02-23T23:46:03Z&spr=https&sig=zQrREDACTEDREDACTEDREDACTED3RJk=
I tested my SAS token and it works. (PowerShell)
$storageAccount = "REDACTED"
$tableName = "REDACTED"
$sasToken = "2022-11-02&ss=bt&srt=sco&sp=rlatfx&se=2030-02-24T07:46:03Z&st=2025-02-23T23:46:03Z&spr=https&sig=zQrAREDACTEDREDACTEDREDACTED3RJk="
$requestUrl = "https://$storageAccount.table.core.windows.net/$tableName`?`sv=$sasToken"
$headers = @{
    "Accept" = "application/json"
}
$response = ""
$response = Invoke-RestMethod -Uri $requestUrl -Method Get -Headers $headers
$response
I want to create a script to generate SAS tokens for a list of Storage Accounts, in theory with the same permissions (PowerShell using Azure CLI 2.69.0). I'm using this command.
$accountName = "REDACTED"
$storageKey = "nRQREDACTEDREDACTEDREDACTEDREDACTEDREDACTEDREDACTED2oQ=="
# Generate SAS token
$sasToken = az storage account generate-sas `
    --account-name $accountName `
    --services bt `
    --resource-types sco `
    --permissions rlatfx `
    --expiry 2030-01-01T00:00:00Z `
    --start 2025-02-23T23:46:03Z `
    --account-key $storageKey `
    -o tsv
Write-Host "SAS Token is: $sasToken"
# Load System.Web so [System.Web.HttpUtility] resolves in Windows PowerShell
Add-Type -AssemblyName System.Web
$decodedSasToken = [System.Web.HttpUtility]::UrlDecode($sasToken)
Write-Host "Decoded SAS Token: $decodedSasToken"
[1] I don't know why the "$sasToken" is generated URL-encoded (containing %3D instead of =). My token is:
st=2025-02-23T23%3A46%3A03Z&se=2030-01-01T00%3A00%3A00Z&sp=rxlaft&sv=2022-11-02&ss=tb&srt=sco&sig=G4pREDACTEDREDACTED%2BREDACTED%2BREDACTEDREDACTED%3D
[2] Neither the raw nor the URL-decoded SAS tokens work. Running the script that works for the Azure browser-generated token against the Azure CLI-generated tokens results in this error:
Invoke-RestMethod :
AuthenticationFailed
Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
RequestId:a44ab880-0002-0033-340f-8842ff000000
Time:2025-02-26T05:33:13.0742603Z
At line:20 char:13
+ $response = Invoke-RestMethod -Uri $requestUrl -Method Get -Headers $ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
[3] A curious difference is that the 'az storage account generate-sas' version is not preceded with '2022-11-02'. I don't know how or why Azure (in the browser) did this.
Maybe it isn't a bug per se and the "az storage account generate-sas" works in mysterious ways.
Related command
az storage account generate-sas
Errors
AuthenticationFailed
Issue script & Debug output
See Bug Description for context.
Expected behavior
Either the Azure CLI-generated SAS Token to work, or better instructions/help to diagnose why the SAS tokens don't work and how to get them to work.
Ultimately, I want to create a SAS token via Azure CLI, and that SAS token can read an Azure Account Storage Account's table, and no further permissions are required.
Environment Summary
Azure CLI 2.69.0
Additional context
No response
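
The test script in the report prepends `sv=` to whatever token it is given, which suits a token pasted without its leading `sv=` but turns the CLI output (which already carries `sv=` mid-string) into `sv=st=...`. The following is an added example, not part of the original report or of the Azure CLI: a hypothetical helper `Join-SasUrl` that accepts both token shapes and leaves the percent-encoding untouched. The account name, table name and signatures are constructed placeholders.

```powershell
# Added example; Join-SasUrl is a hypothetical helper, not an Azure CLI or Az module command.
function Join-SasUrl {
    param(
        [Parameter(Mandatory)] [string] $ResourceUrl,
        [Parameter(Mandatory)] [string] $SasToken
    )
    # Accept tokens pasted with or without the leading '?'.
    $query = $SasToken.Trim().TrimStart('?')

    # A token copied without its "sv=" prefix starts with the bare version date.
    if ($query -match '^\d{4}-\d{2}-\d{2}(&|$)') { $query = "sv=$query" }

    # Split into name/value pairs without decoding anything.
    $params = @{}
    foreach ($pair in $query.Split('&')) {
        $name, $value = $pair.Split('=', 2)
        $params[$name] = $value
    }
    foreach ($required in 'sv', 'se', 'sp', 'sig') {
        if (-not $params.ContainsKey($required)) {
            throw "SAS token has no '$required' parameter; it may be truncated or mis-prefixed."
        }
    }
    # A raw '+' in a query string can be read as a space, so a URL-decoded
    # signature no longer matches what the service computes.
    if ($params['sig'] -match '[+ ]') {
        throw "The 'sig' value contains a raw '+' or space; use the token as generated, still percent-encoded."
    }
    return "{0}?{1}" -f $ResourceUrl.TrimEnd('?'), $query
}

# Constructed sample tokens in the two shapes shown in the report (signatures are placeholders).
$base   = 'https://exampleaccount.table.core.windows.net/ExampleTable'
$pasted = '2022-11-02&ss=bt&srt=sco&sp=rlatfx&se=2030-01-01T00:00:00Z&spr=https&sig=PLACEHOLDER'
$cli    = 'st=2025-02-23T23%3A46%3A03Z&se=2030-01-01T00%3A00%3A00Z&sp=rlatfx&sv=2022-11-02&ss=tb&srt=sco&sig=PLACE%2BHOLDER%3D'

Join-SasUrl -ResourceUrl $base -SasToken $pasted   # "sv=" is added once
Join-SasUrl -ResourceUrl $base -SasToken $cli      # token is appended unchanged
```

The returned URL can be passed to `Invoke-RestMethod -Uri` as in the test script above.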