英文:
Azure blob storage "Server failed to authenticate the request. Please refer to the information in the www-authenticate header."
问题
I have translated the non-code content you provided:
"Following the quickstart here
I use DefaultAzureCredential
My code
import os
import uuid
from azure.identity import DefaultAzureCredential
from azure.storage.blob import BlobServiceClient, ContainerClient, BlobClient
try:
account_url = 'https://kindglacierblob.blob.core.windows.net'
default_credential = DefaultAzureCredential()
blob_service_client = BlobServiceClient(account_url, credential=default_credential)
container_name = str(uuid.uuid4())
container_client = blob_service_client.create_container(container_name)
except Exception as e:
print(e) # See error details below
Server failed to authenticate the request.
<Error>
<Code>InvalidAuthenticationInfo</Code>
<Message>
Server failed to authenticate the request.
Please refer to the information in the www-authenticate header.
RequestId:23153837-001e-0019-6585-855a4a000000
Time:2023-05-13T10:28:57.2758247Z
</Message>
<AuthenticationErrorDetail>
Issuer validation failed. Issuer did not match.
</AuthenticationErrorDetail>
</Error>
When I print e.response.request.url
:
'https://kindglacierblob.blob.core.windows.net/40803991-619c-4cc6-8931-cfdbae302438?restype=container'
When I print e.response.request.headers
:
{
'Accept': 'application/xml',
'Authorization': 'Bearer '
'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyIsImtpZCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyJ9.eyJhdWQiOiJodHRwczovL3N0b3JhZ2UuYXp1cmUuY29tIiwiaXNzIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvY2M5ZjFhMTgtMDk4Yy00YWE0LWE1MmUtZjA3YTk3N2ZhMTIwLyIsImlhdCI6MTY4Mzk3MjQ0OSwibmJmIjoxNjgzOTcyNDQ5LCJleHAiOjE2ODM5Nzc3MTIsImFjciI6IjEiLCJhaW8iOiJBVlFBcS84VEFBQUFBT0FkU1RPZnNHMTNtdmV6M1VrVzlzakVpK0lRckxVanU4SGxZSG9EM3JGbkFJOExJQUdLclYwbGtEMmp2SFBLWk5Oa2h1YU1GdGFMRzd2aVA1SEUxZ1hDcVo1dmVyaEFnL0xTbG9PdUpIQT0iLCJhbHRzZWNpZCI6IjE6bGl2ZS5jb206MDAwMzAwMDBBQzU4MkZCNSIsImFtciI6WyJwd2QiXSwiYXBwaWQiOiIwNGIwNzc5NS04ZGRiLTQ2MWEtYmJlZS0wMmY5ZTFiZjdiNDYiLCJhcHBpZGFjciI6IjAiLCJlbWFpbCI6InRoZXJlZHBlYUBnbWFpbC5jb20iLCJmYW1pbHlfbmFtZSI6IkFuZGVyc29uIiwiZ2l2ZW5fbmFtZSI6Ik5hdGUiLCJncm91cHMiOlsiNGI2MDEyNTQtMGJmMi00ZD6i
'User-Agent': 'azsdk-python-storage-blob/12.16.0 Python/3.11.2 '
'(Windows-10-10.0.19044-SP0)',
'x-ms-client-request-id': 'f69db4e3-f178-11ed-b2a7-f89e94c65957',
'x-ms-date': 'Sat, 13 May 2023 10:28:55 GMT',
'x-ms-version': '2022-11-02'
}
When I print e.response.headers
(notice the value of the www-authenticate
header):
{
'Content-Length': '402',
'Content-Type': 'application/xml',
'Date': 'Sat, 13 May 2023 10:28:56 GMT',
'Server': 'Microsoft-HTTPAPI/2.0',
'WWW-Authenticate': 'Bearer '
'authorization_uri=https://login.microsoftonline.com/0091f901-8eb9-49ad-a413-3bd58cb1aff0/oauth2/authorize '
'resource_id=https://storage.azure.com',
'x-ms-error-code': 'InvalidAuthenticationInfo',
'x-ms-request-id': '23153837-001e-0019-6585-855a4a000000'
}
Similar questions/ what I tried:
- AzureStorage Blob Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature
- I synced my PC's time as suggested in the accepted answer, I think it's accurately showing GMT
- How to fix Server failed to authenticate the request. Please refer to the information in the www-authenticate header
- but I'm not using a SAS / Account Key in my URL
- Azure Blob Storage - Server failed to authenticate the request
- but I don't have the same error message "Make sure the value of Authorization header is formed correctly including the signature."
I assigned myself "Storage Blob Data Contributor" for the kindglacierblob Blob, as described here (screenshot below)
[![screenshot of Azure Portal IAM showing I assigned myself "Storage
英文:
Following the quickstart here
I use DefaultAzureCredential
My code
import os
import uuid
from azure.identity import DefaultAzureCredential
from azure.storage.blob import BlobServiceClient, ContainerClient, BlobClient
try:
account_url = 'https://kindglacierblob.blob.core.windows.net'
default_credential = DefaultAzureCredential()
blob_service_client = BlobServiceClient(account_url, credential=default_credential)
container_name = str(uuid.uuid4())
container_client = blob_service_client.create_container(container_name)
except Exception as e:
print(e) # See error details below
Server failed to authenticate the request.
<Error>
<Code>InvalidAuthenticationInfo</Code>
<Message>
Server failed to authenticate the request.
Please refer to the information in the www-authenticate header.
RequestId:23153837-001e-0019-6585-855a4a000000
Time:2023-05-13T10:28:57.2758247Z
</Message>
<AuthenticationErrorDetail>
Issuer validation failed. Issuer did not match.
</AuthenticationErrorDetail>
</Error>
When I print e.response.request.url
:
'https://kindglacierblob.blob.core.windows.net/40803991-619c-4cc6-8931-cfdbae302438?restype=container'
When I print e.response.request.headers
:
{ 'Accept': 'application/xml',
'Authorization': 'Bearer '
'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyIsImtpZCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyJ9.eyJhdWQiOiJodHRwczovL3N0b3JhZ2UuYXp1cmUuY29tIiwiaXNzIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvY2M5ZjFhMTgtMDk4Yy00YWE0LWE1MmUtZjA3YTk3N2ZhMTIwLyIsImlhdCI6MTY4Mzk3MjQ0OSwibmJmIjoxNjgzOTcyNDQ5LCJleHAiOjE2ODM5Nzc3MTIsImFjciI6IjEiLCJhaW8iOiJBVlFBcS84VEFBQUFBT0FkU1RPZnNHMTNtdmV6M1VrVzlzakVpK0lRckxVanU4SGxZSG9EM3JHbkFJOExJQUdLclYwbGtEMmp2SFBLWk5Oa2h1YU1GdGFMRzd2aVA1SEUxZ1hDcVo1dmVyaEFnL0xTbG9PdUpIQT0iLCJhbHRzZWNpZCI6IjE6bGl2ZS5jb206MDAwMzAwMDBBQzU4MkZCNSIsImFtciI6WyJwd2QiXSwiYXBwaWQiOiIwNGIwNzc5NS04ZGRiLTQ2MWEtYmJlZS0wMmY5ZTFiZjdiNDYiLCJhcHBpZGFjciI6IjAiLCJlbWFpbCI6InRoZXJlZHBlYUBnbWFpbC5jb20iLCJmYW1pbHlfbmFtZSI6IkFuZGVyc29uIiwiZ2l2ZW5fbmFtZSI6Ik5hdGUiLCJncm91cHMiOlsiNGI2MDEyNTQtMGJmMi00ZDZiLWI3NzEtMmUyNWIxOGZjMDE2Il0sImlkcCI6ImxpdmUuY29tIiwiaXBhZGRyIjoiNzEuMjExLjE4NS4yMzQiLCJuYW1lIjoiTmF0ZSBBbmRlcnNvbiIsIm9pZCI6ImQ2ZTg0ODcxLTBkZWQtNDJlYS04YTNhLTY2NjYxMTMwMzZjMyIsInB1aWQiOiIxMDAzM0ZGRjk0OTI3QzFCIiwicmgiOiIwLkFSZ0FHQnFmekl3SnBFcWxMdkI2bDMtaElJR21CdVRVODZoQ2tMYkNzQ2xKZXZFWUFPSS4iLCJzY3AiOiJ1c2VyX2ltcGVyc29uYXRpb24iLCJzdWIiOiJJX3BUeUJRNDZLdDNBUkJ6eEpQYnYyQklUbWlTbjdYbzFiNTN3ZDZITlBjIiwidGlkIjoiY2M5ZjFhMTgtMDk4Yy00YWE0LWE1MmUtZjA3YTk3N2ZhMTIwIiwidW5pcXVlX25hbWUiOiJsaXZlLmNvbSN0aGVyZWRwZWFAZ21haWwuY29tIiwidXRpIjoidUtGbnU3eHpqVVM1QnFpMWVGMFFBQSIsInZlciI6IjEuMCJ9.qM56mzD09cB1oLW2sa-aZiPsgCCr7cnZ8mlYv5cTHK8pZLlEyXf5404EVrIas7N5tPhiBFL6qq_7znD-4NPFBFK0qWdGIi4BN66T1c5U81wJQl1VgDK4KoHxh2LmUtfYiDHne8LKQ7dLO_WSd-LWb_eTVSEg_0rEOxWjRpcgwRSrvYw98sWdIoIp0doPAmqXeI_IQcDdvWEu6rSMsTd74CjMRaTwFAFpclDazzCWz_kFOMRfaro4s03Ki-7CYRZj-JI49mKvCThXrphLBfOU2B_VrEg4HJNwOb55nFc2WS5l9r0WBh1AlhQa9i7NvmP-OoEZi8gox4HMJeKz6h-pDg',
'User-Agent': 'azsdk-python-storage-blob/12.16.0 Python/3.11.2 '
'(Windows-10-10.0.19044-SP0)',
'x-ms-client-request-id': 'f69db4e3-f178-11ed-b2a7-f89e94c65957',
'x-ms-date': 'Sat, 13 May 2023 10:28:55 GMT',
'x-ms-version': '2022-11-02'}
When I print e.response.headers
(notice the value of the www-authenticate
header):
{ 'Content-Length': '402',
'Content-Type': 'application/xml',
'Date': 'Sat, 13 May 2023 10:28:56 GMT',
'Server': 'Microsoft-HTTPAPI/2.0',
'WWW-Authenticate': 'Bearer '
'authorization_uri=https://login.microsoftonline.com/0091f901-8eb9-49ad-a413-3bd58cb1aff0/oauth2/authorize '
'resource_id=https://storage.azure.com',
'x-ms-error-code': 'InvalidAuthenticationInfo',
'x-ms-request-id': '23153837-001e-0019-6585-855a4a000000'}
Similar questions/ what I tried:
- AzureStorage Blob Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature
- I synced my PC's time as suggested in the accepted answer, I think it's accurately showing GMT
- How to fix Server failed to authenticate the request. Please refer to the information in the www-authenticate header
- but I'm not using a SAS / Account Key in my URL
- Azure Blob Storage - Server failed to authenticate the request
- but I don't have the same error message "Make sure the value of Authorization header is formed correctly including the signature."
I assigned myself "Storage Blob Data Contributor" for the kindglacierblob Blob, as described here (screenshot below)
Running with Visual Studio Code
I logged in using the VS Code "Azure Account Extension", as shown in the screenshot below:
I tried to login by opening Azure CLI in a new VS Code Terminal, but I get an unrelated error:
Error: Cannot find module 'vscode'
Require stack:
- c:\Users\nateanderson\.vscode\extensions\ms-vscode.azure-account-0.11.4\dist\cloudConsoleLauncher.js
With the popup:
The terminal process "node.exe '-e', 'require('c:\\Users\\nateanderson\\.vscode\\extensions\\ms-vscode.azure-account-0.11.4\\dist\\cloudConsoleLauncher').main()'" terminated with exit code: 1.
答案1
得分: 1
When I decode your JWT in https://jwt.io I get:
and looking at the idp claim:
This to me looks as though the DefaultAzureCredential
has picked up an active login to your Microsoft account that has been issued by the Windows Live authorization server, rather than the Azure Active Directory authorization server, and that would seem to be different enough that this isn't good enough for Azure - even though they clearly share the same identity database since you can sign into both with your Microsoft account. I'm not familiar with the Python SDK so can't suggest what options might be available to fine-tune this.
EDIT
You can decode the JWT used in the Authorization header to see username is being used to log in (screenshot below)
As explained in the comments, it was not the username you expected.
With the Python azure-login
library, you can specify the username you really want to use with the shared_cache_username
keyword argument, as shown here:
Analogous to the .NET DefaultAzureCredentialOptions.SharedTokenCacheUsername
property, the Python shared_cache_username
argument is described as:
> Preferred username for azure.identity.SharedTokenCacheCredential
.
> Defaults to the value of environment variable AZURE_USERNAME
, if any.
Therefore another option (instead of setting shared cache username in your code) is to SET the AZURE_USERNAME
environment variable (which can be done using Git Bash (shown below), or Windows cmd.exe):
export AZURE_USERNAME=<your_username>;
Or if you're using VSCode to develop and debug, you could add the environment variable into your launch.json file, you could try adding this:
{
"version": "0.2.0",
"configurations": [
{
"name": "Python: Current File",
"type": "python",
"request": "launch",
"program": "${file}",
"console": "integratedTerminal",
"env": {
"AZURE_USERNAME": "{your username here}"
},
...
英文:
When I decode your JWT in https://jwt.io I get:
and looking at the idp claim:
This to me looks as though the DefaultAzureCredential
has picked up an active login to your Microsoft account that has been issued by the Windows Live authorization server, rather than the Azure Active Directory authorization server, and that would seem to be different enough that this isn't good enough for Azure - even though they clearly share the same identity database since you can sign into both with your Microsoft account. I'm not familiar with the Python SDK so can't suggest what options might be available to fine-tune this.
EDIT
You can decode the JWT used in the Authorization header to see username is being used to log in (screenshot below)
As explained in the comments, it was not the username you expected.
With the Python azure-login
library, you can specify the username you really want to use with the shared_cache_username
keyword argument, as shown here:
Analogous to the .NET DefaultAzureCredentialOptions.SharedTokenCacheUsername
property, the Python shared_cache_username
argument is described as:
> Preferred username for azure.identity.SharedTokenCacheCredential
.
> Defaults to the value of environment variable AZURE_USERNAME
, if any.
Therefore another option (instead of setting shared cache username in your code) is to SET the AZURE_USERNAME
environment variable (which can be done using Git Bash (shown below), or Windows cmd.exe):
export AZURE_USERNAME=<your_username>
Or if you're using VSCode to develop and debug, you could add the environment variable into your launch.json file, you could try adding this:
{
"version": "0.2.0",
"configurations": [
{
"name": "Python: Current File",
"type": "python",
"request": "launch",
"program": "${file}",
"console": "integratedTerminal",
"env": {
"AZURE_USERNAME": "{your username here}"
},
...
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论