Azure blob storage "Server failed to authenticate the request. Please refer to the information in the www-authenticate header."

Question

Following the quickstart here

I use DefaultAzureCredential
My code

import os
import uuid
from azure.identity import DefaultAzureCredential
from azure.storage.blob import BlobServiceClient, ContainerClient, BlobClient

try:
    account_url = 'https://kindglacierblob.blob.core.windows.net'
    default_credential = DefaultAzureCredential()
    blob_service_client = BlobServiceClient(account_url, credential=default_credential)
    container_name = str(uuid.uuid4())
    container_client = blob_service_client.create_container(container_name)

except Exception as e:
    print(e) # See error details below

Server failed to authenticate the request.

<Error>
<Code>InvalidAuthenticationInfo</Code>
<Message>
    Server failed to authenticate the request. 
    Please refer to the information in the www-authenticate header.
    RequestId:23153837-001e-0019-6585-855a4a000000
    Time:2023-05-13T10:28:57.2758247Z
</Message>
<AuthenticationErrorDetail>
    Issuer validation failed. Issuer did not match.
</AuthenticationErrorDetail>
</Error>

When I print e.response.request.url:

'https://kindglacierblob.blob.core.windows.net/40803991-619c-4cc6-8931-cfdbae302438?restype=container'

When I print e.response.request.headers:

{
    'Accept': 'application/xml',
    'Authorization': 'Bearer '
                     'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyIsImtpZCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyJ9.eyJhdWQiOiJodHRwczovL3N0b3JhZ2UuYXp1cmUuY29tIiwiaXNzIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvY2M5ZjFhMTgtMDk4Yy00YWE0LWE1MmUtZjA3YTk3N2ZhMTIwLyIsImlhdCI6MTY4Mzk3MjQ0OSwibmJmIjoxNjgzOTcyNDQ5LCJleHAiOjE2ODM5Nzc3MTIsImFjciI6IjEiLCJhaW8iOiJBVlFBcS84VEFBQUFBT0FkU1RPZnNHMTNtdmV6M1VrVzlzakVpK0lRckxVanU4SGxZSG9EM3JGbkFJOExJQUdLclYwbGtEMmp2SFBLWk5Oa2h1YU1GdGFMRzd2aVA1SEUxZ1hDcVo1dmVyaEFnL0xTbG9PdUpIQT0iLCJhbHRzZWNpZCI6IjE6bGl2ZS5jb206MDAwMzAwMDBBQzU4MkZCNSIsImFtciI6WyJwd2QiXSwiYXBwaWQiOiIwNGIwNzc5NS04ZGRiLTQ2MWEtYmJlZS0wMmY5ZTFiZjdiNDYiLCJhcHBpZGFjciI6IjAiLCJlbWFpbCI6InRoZXJlZHBlYUBnbWFpbC5jb20iLCJmYW1pbHlfbmFtZSI6IkFuZGVyc29uIiwiZ2l2ZW5fbmFtZSI6Ik5hdGUiLCJncm91cHMiOlsiNGI2MDEyNTQtMGJmMi00ZD6i
    'User-Agent': 'azsdk-python-storage-blob/12.16.0 Python/3.11.2 '
                  '(Windows-10-10.0.19044-SP0)',
    'x-ms-client-request-id': 'f69db4e3-f178-11ed-b2a7-f89e94c65957',
    'x-ms-date': 'Sat, 13 May 2023 10:28:55 GMT',
    'x-ms-version': '2022-11-02'
}

When I print e.response.headers (notice the value of the www-authenticate header):

{
    'Content-Length': '402',
    'Content-Type': 'application/xml',
    'Date': 'Sat, 13 May 2023 10:28:56 GMT',
    'Server': 'Microsoft-HTTPAPI/2.0',
    'WWW-Authenticate': 'Bearer '
                        'authorization_uri=https://login.microsoftonline.com/0091f901-8eb9-49ad-a413-3bd58cb1aff0/oauth2/authorize '
                        'resource_id=https://storage.azure.com',
    'x-ms-error-code': 'InvalidAuthenticationInfo',
    'x-ms-request-id': '23153837-001e-0019-6585-855a4a000000'
}

Similar questions/ what I tried:

I assigned myself "Storage Blob Data Contributor" for the kindglacierblob Blob, as described here (screenshot below)

Running with Visual Studio Code
I logged in using the VS Code "Azure Account Extension", as shown in the screenshot below:

I tried to login by opening Azure CLI in a new VS Code Terminal, but I get an unrelated error:

Error: Cannot find module 'vscode'
Require stack:
- c:\Users\nateanderson\.vscode\extensions\ms-vscode.azure-account-0.11.4\dist\cloudConsoleLauncher.js

With the popup:

The terminal process "node.exe '-e', 'require('c:\\Users\\nateanderson\\.vscode\\extensions\\ms-vscode.azure-account-0.11.4\\dist\\cloudConsoleLauncher').main()'" terminated with exit code: 1.

Answer 1

Score: 1

When I decode your JWT in https://jwt.io I get:

and looking at the idp claim:

This to me looks as though the DefaultAzureCredential has picked up an active login to your Microsoft account that has been issued by the Windows Live authorization server, rather than the Azure Active Directory authorization server, and that would seem to be different enough that this isn't good enough for Azure - even though they clearly share the same identity database since you can sign into both with your Microsoft account. I'm not familiar with the Python SDK so can't suggest what options might be available to fine-tune this.

EDIT

You can decode the JWT used in the Authorization header to see which username is being used to log in (screenshot below)

As explained in the comments, it was not the username you expected.

With the Python azure-login library, you can specify the username you really want to use with the shared_cache_username keyword argument, as shown here:

Analogous to the .NET DefaultAzureCredentialOptions.SharedTokenCacheUsername property, the Python shared_cache_username argument is described as:

> Preferred username for azure.identity.SharedTokenCacheCredential.
> Defaults to the value of environment variable AZURE_USERNAME, if any.

Therefore another option (instead of setting shared cache username in your code) is to SET the AZURE_USERNAME environment variable (which can be done using Git Bash (shown below), or Windows cmd.exe):

export AZURE_USERNAME=<your_username>;

Or if you're using VSCode to develop and debug, you could add the environment variable into your launch.json file; you could try adding this:

{
  "version": "0.2.0",
  "configurations": [
    {
      "name": "Python: Current File",
      "type": "python",
      "request": "launch",
      "program": "${file}",
      "console": "integratedTerminal",
      "env": {
        "AZURE_USERNAME": "{your username here}"
      },
    ...
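
The comparison the answer makes by eye on jwt.io can also be done locally, which keeps the bearer token off third-party sites. The following is an added example, not code from the original post: it decodes the token payload without verifying the signature and compares the tenant in the `iss` claim with the tenant in the `authorization_uri` of the `WWW-Authenticate` challenge, assuming that GUID is the tenant the storage account expects. The function names, both GUIDs and the username are constructed placeholders.

```python
import base64
import json
import re

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"

def jwt_claims(authorization_header):
    """Return the JWT payload claims WITHOUT verifying the signature (diagnostics only)."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or token.count(".") != 2:
        raise ValueError("expected 'Bearer <header>.<payload>.<signature>'")
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def challenge_tenant(www_authenticate):
    """Tenant GUID from the authorization_uri parameter of the Bearer challenge."""
    m = re.search(r'authorization_uri="?https://[^/\s"]+/(' + GUID + ')', www_authenticate)
    return m.group(1).lower() if m else None

def diagnose(authorization_header, www_authenticate):
    """Compare the token's issuing tenant with the tenant the service asked for."""
    claims = jwt_claims(authorization_header)
    m = re.search(GUID, claims.get("iss", ""))
    token_tenant = m.group(0).lower() if m else None
    expected = challenge_tenant(www_authenticate)
    return {
        "token_tenant": token_tenant,
        "expected_tenant": expected,
        "issuer_matches": token_tenant is not None and token_tenant == expected,
        "signed_in_as": claims.get("upn") or claims.get("unique_name") or claims.get("email"),
        "idp": claims.get("idp"),
    }

def make_token(claims):
    """Build an unsigned sample token (constructed data, not a real credential)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

# Constructed sample values: both GUIDs and the username are placeholders.
SAMPLE_AUTH = "Bearer " + make_token({
    "iss": "https://sts.windows.net/11111111-1111-1111-1111-111111111111/",
    "idp": "live.com",
    "email": "user@example.com",
})
SAMPLE_CHALLENGE = ("Bearer authorization_uri=https://login.microsoftonline.com/"
                    "22222222-2222-2222-2222-222222222222/oauth2/authorize "
                    "resource_id=https://storage.azure.com")

if __name__ == "__main__":
    print(diagnose(SAMPLE_AUTH, SAMPLE_CHALLENGE))
```

In the asker's setup the two inputs are `e.response.request.headers['Authorization']` and `e.response.headers['WWW-Authenticate']`.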

Posted by huangapple on 2023-05-13 18:40:03
Link to this article: https://go.coder-hub.com/76242291.html