SAS Token generated by Set-AzKeyVaultManagedStorageSasDefinition throws Signature did not match errors


I am trying to leverage https://learn.microsoft.com/en-us/powershell/module/az.keyvault/set-azkeyvaultmanagedstoragesasdefinition?view=azps-9.2.0 to create a managed sas definition.

The SAS token I use as a template does work, and I am able to validate by querying my blob storage account via the following:

https://myaccount.blob.core.windows.net/lockedcontainer/checkmark.png?{sas-token}

When trying to do the same with the SAS token stored in the secret (which is retrieved via the following):

Get-AzKeyVaultSecret -VaultName {myvault} -Name {myStorageAccount}-SecretName -AsPlainText 

I receive a "Signature did not match" error, which from some googling/research seems to be fairly generic.

The secret SAS token was generated to be active for 30+ days, and no key rotation has happened since the secret was generated.

Am I misusing the generated secret SAS token?


I tried to reproduce the same in my environment and got the same error.

I generated the managed SAS definition by using the script below:

# Storage account and vault that will own the managed storage account entry
$sa = Get-AzStorageAccount -Name rukk01 -ResourceGroupName ruk
$kv = Get-AzKeyVault -VaultName 'StorageTestVault'
# Register the storage account with Key Vault: key1 becomes the active key and is regenerated every 180 days
Add-AzKeyVaultManagedStorageAccount -VaultName $kv.VaultName -AccountName $sa.StorageAccountName -AccountResourceId $sa.Id -ActiveKeyName key1 -RegenerationPeriod ([System.Timespan]::FromDays(180))
# Storage context and validity window; not used by the hard-coded template below, since Key Vault signs the token itself
$sctx = New-AzStorageContext -StorageAccountName $sa.StorageAccountName -Protocol Https -StorageAccountKey Key1
$start = [System.DateTime]::Now.AddDays(-1)
$end = [System.DateTime]::Now.AddMonths(1)
# Unsigned account SAS template: all four services (ss), service/container/object resource types (srt), read+write, HTTPS only
$at = "sv=2018-03-28&ss=bfqt&srt=sco&sp=rw&spr=https"
# Create the definition; Key Vault stores the signed token as a secret whose name is the last segment of $sas.Sid, valid for 30 days
$sas = Set-AzKeyVaultManagedStorageSasDefinition -AccountName $sa.StorageAccountName -VaultName $kv.VaultName -Name accountsas -TemplateUri $at -SasType 'account' -ValidityPeriod ([System.Timespan]::FromDays(30))


I retrieved the SAS token stored in the Key Vault by using the command below:

# The secret name is the last path segment of the definition's Sid
Get-AzKeyVaultSecret -VaultName $kv.VaultName -Name $sas.Sid.Substring($sas.Sid.LastIndexOf('/')+1) -AsPlainText


I used the above SAS token, and I am able to access the blob successfully as below:

https://StorageAcc.blob.core.windows.net/test.png?sas-token


The error usually occurs if the SAS token does not match the resource being requested on Azure Storage.

Check whether your Azure Key Vault is assigned the Storage Account Key Operator Service Role on the storage account.

If the issue still persists, regenerate the SAS token and check again.
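A check for the points this answer lists, added here as an example and not part of the original post: it verifies the role assignment, retrieves the secret through the definition's Sid as above, inspects the token's validity window and scope, and sends a HEAD request to a blob so that a rejected signature shows up as a 403. The vault, account and definition names are the answer's sample values, the blob URL is a placeholder, and the Key Vault application id is the one Microsoft documents for its first-party service principal (all assumptions about your environment).

```powershell
function Test-ManagedSasDefinition {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $AccountName,
        [Parameter(Mandatory)] [string] $DefinitionName,
        [Parameter(Mandatory)] [string] $BlobUrl
    )
    $findings = @()

    # 1. Key Vault needs Storage Account Key Operator Service Role on the account to sign with
    #    (and rotate) its key. Only an assignment to Key Vault's first-party service principal
    #    is checked; the application id below is the Microsoft-documented one (assumption).
    $sa = Get-AzStorageAccount | Where-Object StorageAccountName -eq $AccountName
    $kvSp = Get-AzADServicePrincipal -ApplicationId 'cfa8b339-82a2-471a-a3c9-0fc0be7a4093'
    $role = Get-AzRoleAssignment -Scope $sa.Id -RoleDefinitionName 'Storage Account Key Operator Service Role' |
        Where-Object ObjectId -eq $kvSp.Id
    if (-not $role) { $findings += 'Key Vault has no Storage Account Key Operator Service Role on the account' }

    # 2. Locate the secret exactly as the answer does: last path segment of the definition's Sid.
    $def = Get-AzKeyVaultManagedStorageSasDefinition -VaultName $VaultName -AccountName $AccountName -Name $DefinitionName
    $secretName = $def.Sid.Substring($def.Sid.LastIndexOf('/') + 1)
    $sas = Get-AzKeyVaultSecret -VaultName $VaultName -Name $secretName -AsPlainText

    # 3. Parse the token and check the fields a blob request depends on: validity window,
    #    protocol, and for an account SAS the service (ss) and resource-type (srt) scope.
    $p = @{}
    foreach ($pair in $sas.TrimStart('?') -split '&') {
        $k, $v = $pair -split '=', 2
        $p[$k] = [uri]::UnescapeDataString([string]$v)
    }
    $now = [datetime]::UtcNow
    if (-not $p.sig) { $findings += 'token carries no sig parameter' }
    if ($p.se -and [datetimeoffset]::Parse($p.se).UtcDateTime -lt $now) { $findings += "token expired at $($p.se)" }
    if ($p.st -and [datetimeoffset]::Parse($p.st).UtcDateTime -gt $now) { $findings += "token not valid before $($p.st)" }
    if ($p.spr -eq 'https' -and -not $BlobUrl.StartsWith('https://')) { $findings += 'token is https-only but the URL is not https' }
    if ($p.ss -and $p.ss -notlike '*b*') { $findings += "ss=$($p.ss) does not include the blob service" }
    if ($p.srt -and $p.srt -notlike '*o*') { $findings += "srt=$($p.srt) does not allow object-level access" }

    # 4. HEAD the blob with the token: 200 means Storage accepted the signature; 403 is how
    #    "Signature did not match" (AuthenticationFailed) surfaces on the wire.
    try {
        $status = [int](Invoke-WebRequest -Uri "$BlobUrl?$sas" -Method Head -UseBasicParsing).StatusCode
    } catch { $status = [int]$_.Exception.Response.StatusCode }
    if ($status -eq 403) { $findings += 'Storage returned 403: signature or permission rejected' }

    [pscustomobject]@{ HttpStatus = $status; Expires = $p.se; Findings = $findings }
}

Test-ManagedSasDefinition -VaultName 'StorageTestVault' -AccountName 'rukk01' -DefinitionName 'accountsas' -BlobUrl 'https://rukk01.blob.core.windows.net/test/test.png'
```

Run it from a session already signed in with Connect-AzAccount; an empty Findings list together with HttpStatus 200 means the stored token is usable for that blob.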