Azure Storage: How to avoid clock skew issues with a Blob level SAS token


I'm occasionally having trouble with Azure Storage SAS tokens generated on the server. I don't set anything for start time since this was recommended to avoid clock skew issues, and I set my expiry time to 1 hour after DateTime.UtcNow. Every now and then, the SAS tokens don't work, and I'm guessing this might have to do with a clock skew issue. Here are two errors I received recently:

<Error>
<Code>AuthenticationFailed</Code>
<Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. RequestId:cb371f2b-801e-0063-16a1-08d06f000000 Time:2021-02-21T22:35:53.9832140Z</Message>
<AuthenticationErrorDetail>Signed expiry time [Sun, 21 Feb 2021 20:39:40 GMT] must be after signed start time [Sun, 21 Feb 2021 22:35:53 GMT]</AuthenticationErrorDetail>
</Error>

<Error>
<Code>AuthenticationFailed</Code>
<Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. RequestId:8818c581-401e-0058-6477-08717d000000 Time:2021-02-21T17:35:37.1284611Z</Message>
<AuthenticationErrorDetail>Signature not valid in the specified time frame: Start [Sat, 20 Feb 2021 00:15:01 GMT] - Expiry [Sat, 20 Feb 2021 01:30:01 GMT] - Current [Sun, 21 Feb 2021 17:35:37 GMT]</AuthenticationErrorDetail>
</Error>

This is how I generate the token:

var blobSasBuilder = new BlobSasBuilder
{
      BlobContainerName = containerName,
      BlobName = fileName,
      Resource = "b",
      ExpiresOn = DateTime.UtcNow.AddHours(1),
      Protocol = SasProtocol.Https
};

How can I fix this issue? According to the above error, it looks like I tried to access this resource after the token expired, but in reality I tried to access it immediately after the token was generated and sent to the client. As I said, this does not happen often, but it's a recurring problem.

On second thought, I wonder if this is a bug with the v12 SDK.


There are 2 best solutions below


According to the error, the start time is later than your expiration time and current time. Please set the start time to be at least 15 minutes in the past.

For example:

I use the .NET SDK Azure.Storage.Blobs

//  containerName, blobName, accountName and accountKey are supplied by the caller.

//  Creates a client to the BlobService using the connection string.
var blobServiceClient = new BlobServiceClient(storageConnectionString);

//  Gets a reference to the container.
var blobContainerClient = blobServiceClient.GetBlobContainerClient(containerName);

//  Gets a reference to the blob in the container
BlobClient blobClient = blobContainerClient.GetBlobClient(blobName);

//  Defines the resource being accessed and for how long the access is allowed.
var blobSasBuilder = new BlobSasBuilder
{
    //  Start 15 minutes in the past to absorb clock skew.
    StartsOn = DateTime.UtcNow.AddMinutes(-15),
    ExpiresOn = DateTime.UtcNow.AddHours(1),
    BlobContainerName = containerName,
    BlobName = blobName,
};

//  Defines the type of permission.
blobSasBuilder.SetPermissions(BlobSasPermissions.Write);

//  Builds an instance of StorageSharedKeyCredential
var storageSharedKeyCredential = new StorageSharedKeyCredential(accountName, accountKey);

//  Signs the SAS and returns its query parameters.
var sasQueryParameters = blobSasBuilder.ToSasQueryParameters(storageSharedKeyCredential);

The code that generates the SAS must run on a machine where the date, time and time zone are correctly set.

The error messages are a little different in the two cases. First error: it says that the signed expiry time is ~1h:56m before the error time; how can that be possible? Maybe the SAS expiry time was set to a value that is too early, I mean almost 2 hours earlier and not 15 minutes earlier? Or, most likely, the SAS start time is greater than the SAS end time?

Second error: the time of the error is 21 February, but the SAS expires on 20 February; again, it looks like the SAS has expired, but this time by more than 35 hours and not 15 minutes.

Maybe the machine that runs the code for generating the SAS has some issues with time? This can be checked by polling that machine for its time at regular intervals (once per minute, for example) and comparing the results.
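
The comparison made in the answer above can be automated for triage. The following is an added example, not code from the question or from either answer: it parses an `AuthenticationErrorDetail` string and measures how far outside the validity window the request was, against the 15-minute margin from the first answer. The names `classify` and `Finding` are assumptions made for illustration; the two sample strings are copied from the question.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# AuthenticationErrorDetail strings copied from the two errors in the question.
ERR_EXPIRY_BEFORE_START = (
    "Signed expiry time [Sun, 21 Feb 2021 20:39:40 GMT] must be after "
    "signed start time [Sun, 21 Feb 2021 22:35:53 GMT]")
ERR_OUTSIDE_WINDOW = (
    "Signature not valid in the specified time frame: "
    "Start [Sat, 20 Feb 2021 00:15:01 GMT] - "
    "Expiry [Sat, 20 Feb 2021 01:30:01 GMT] - "
    "Current [Sun, 21 Feb 2021 17:35:37 GMT]")

SKEW_ALLOWANCE = timedelta(minutes=15)  # the margin the first answer recommends
_STAMP = re.compile(r"\[([^\]]+ GMT)\]")
Finding = namedtuple("Finding", "kind gap verdict")  # hypothetical result type


def _stamps(detail):
    """Extract every bracketed timestamp, in order, as aware UTC datetimes."""
    fmt = "%a, %d %b %Y %H:%M:%S GMT"
    return [datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)
            for s in _STAMP.findall(detail)]


def classify(detail, allowance=SKEW_ALLOWANCE):
    """Measure how far outside its validity window the SAS was when rejected."""
    detail = detail.strip()
    times = _stamps(detail)
    if detail.startswith("Signed expiry time") and len(times) == 2:
        expiry, start = times
        kind, gap = "expiry-before-start", start - expiry
    elif detail.startswith("Signature not valid") and len(times) == 3:
        start, expiry, current = times
        if current < start:
            kind, gap = "not-yet-valid", start - current
        elif current > expiry:
            kind, gap = "expired", current - expiry
        else:
            raise ValueError("current time is inside the reported window")
    else:
        raise ValueError("unrecognised AuthenticationErrorDetail")
    # A gap larger than the allowance is not covered by the skew margin,
    # so widening StartsOn by 15 minutes alone would not have prevented it.
    verdict = ("within-skew-allowance" if gap <= allowance
               else "exceeds-skew-allowance")
    return Finding(kind, gap, verdict)


if __name__ == "__main__":
    for d in (ERR_EXPIRY_BEFORE_START, ERR_OUTSIDE_WINDOW):
        print(classify(d))
```

Both errors from the question come out as `exceeds-skew-allowance`, with gaps of 1:56:13 and 1 day, 16:05:36 respectively.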