Accessing Azure blob storage using bash, curl
Solution 1
I was able to get it working.
There were two things wrong with this code, the first, as Patrick Park noted, was replacing the echo -n
with printf
. The second was replacing the sed
magic with the -binary
option on openssl.
Compare the original:
signature=$(echo -n "$string_to_sign" | openssl dgst -sha256 -mac HMAC -macopt "hexkey:$decoded_hex_key" -binary | sed 's/^.*= //' | base64 -w0)
with the fixed:
signature=$(printf "$string_to_sign" | openssl dgst -sha256 -mac HMAC -macopt "hexkey:$decoded_hex_key" -binary | base64 -w0)
The echo change is needed because echo -n
will not convert the \n
into actual newlines.
The -binary
change is needed because even though you are stripping off the bad part, openssl was still outputting the signature in ascii-encoded-hex, not in binary. So after it was passed to base64
, the result was the b64 encoded version of the hex representation, instead of the raw value.
Solution 2
Use Fiddler (or an equivalent on your platform) to intercept the call to Windows Azure Storage. On failure, this will show you the string that the Storage Service used to authenticate the call and you can compare this with the one you used.
Related videos on Youtube
yozhik
Updated on September 16, 2022Comments
-
yozhik over 1 year
I am attempting to use the Azure blob storage service from a bash script using the REST API. I know it is possible to accomplish this using various other tools or languages, however I'd like to do it as a bash script.
The script below is an attempt to list the blobs in an Azure storage container.
This script results in an authentication error. The signing string and headers look correct based on the REST API (reference) documentation. I suspect the problem may be in juggling the various parts of the signing process.
Has anyone successfully used bash and curl to access cloud storage resources like Azure or other providers?
#!/bin/bash # List the blobs in an Azure storage container. echo "usage: ${0##*/} <storage-account-name> <container-name> <access-key>" storage_account="$1" container_name="$2" access_key="$3" blob_store_url="blob.core.windows.net" authorization="SharedKey" request_method="GET" request_date=$(TZ=GMT date "+%a, %d %h %Y %H:%M:%S %Z") storage_service_version="2011-08-18" # HTTP Request headers x_ms_date_h="x-ms-date:$request_date" x_ms_version_h="x-ms-version:$storage_service_version" # Build the signature string canonicalized_headers="${x_ms_date_h}\n${x_ms_version_h}" canonicalized_resource="/${storage_account}/${container_name}" string_to_sign="${request_method}\n\n\n\n\n\n\n\n\n\n\n\n${canonicalized_headers}\n${canonicalized_resource}\ncomp:list\nrestype:container" # Decode the Base64 encoded access key, convert to Hex. decoded_hex_key="$(echo -n $access_key | base64 -d -w0 | xxd -p -c256)" # Create the HMAC signature for the Authorization header signature=$(echo -n "$string_to_sign" | openssl dgst -sha256 -mac HMAC -macopt "hexkey:$decoded_hex_key" | sed 's/^.*= //' | base64 -w0) authorization_header="Authorization: $authorization $storage_account:$signature" curl \ -H "$x_ms_date_h" \ -H "$x_ms_version_h" \ -H "$authorization_header" \ "https://${storage_account}.${blob_store_url}/${container_name}?restype=container&comp=list"
Update - The storage service error and the corresponding signing string that the script generated.
Following is what the storage service returns for the
AuthenticationFailed
error.<?xml version="1.0" encoding="utf-8"?> <Error> <Code>AuthenticationFailed</Code> <Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. RequestId:27e6337e-52f3-4e85-98c7-2fabaacd9ebc Time:2013-11-21T22:10:11.7029042Z</Message> <AuthenticationErrorDetail>The MAC signature found in the HTTP request 'OGYxYjk1MTFkYmNkMCgzN2YzODQwNzcyNiIyYTQxZDg0OWFjNGJiZDlmNWY5YzM1ZWQzMWViMGFjYTAyZDY4NAo=' is not the same as any computed signature. Server used following string to sign: 'GET x-ms-date:Thu, 21 Nov 2013 22:10:11 GMT x-ms-version:2011-08-18 /storage_account_name/storage_container comp:list restype:container' </AuthenticationErrorDetail> </Error>
Next is the
string_to_sign
that the script generates.GET\n\n\n\n\n\n\n\n\n\n\n\nx-ms-date:Thu, 21 Nov 2013 22:10:11 GMT\nx-ms-version:2011-08-18\n/storage_account_name/storage_container\ncomp:list\nrestype:container
-
yozhik over 10 yearsThe query parameters are being appended during the assignment of the
string_to_sign
variable. The authentication error returned from the storage service when I run the script includes the string that Azure used to create its Authorization signature. When I print thestring_to_sign
variable, it looks exactly like the string that Azure is returning in the error. -
Gaurav Mantri over 10 yearsSorry, my bad! Didn't see that code earlier. Can you share the output of
string_to_sign
created by you and the one returned by Windows Azure. I'm pretty sure there must be some minor issue there. -
Gaurav Mantri over 10 yearsAnother thing to look for is how you decode your account key. Coming from C# world, we do
Convert.FromBase64String()
to get the account key in bytes. That could be another reason for authentication failure. -
yozhik over 10 yearsI added the output of
string_to_sign
to the original question. I also included the error XML that the storage service generates in response. -
yozhik over 10 yearsI am most suspicious of any of the various parts of the process to decode the account key, create the signature, then re-encode. I think I might write a simple signature generator using another language, probably Java, and run the signature generation side-by-side to compare.
-
yozhik over 10 yearsTo more specifically answer your question about decoding the account key. I use
base64 -d -W0
to decode the key. This outputs the key bytes which are then passed through a pipe toxxd -p -c256
to directly hex encode the key bytes. This step is necessary because (AFAIK) I can't pass the bytes directly to openssl on the command line so I need to use thehexkey
format. -
yozhik over 10 yearsThanks for the excellent suggestion. Doing this is difficult due to the environment I'm running in. I'll hang onto this suggestion if my debugging continues to be fruitless.
-
KiteRunner over 10 yearsJust a note - I used wazproxy as my reference, you may want to check it out. Also Wireshark is your best friend when it comes to analyzing any traffic/protocols.
-
Munchkin about 7 yearsMaybe you could help me on this?
-
jrwren about 7 yearsI've modified this a bit and added support for downloads. I've pasted here: gist.github.com/jrwren/ff46f4ba177f042ccdc48c080c198f60
-
SureshCS over 5 yearsdecoded_hex_key="$(echo -n $access_key | base64 -d -w0 | xxd -p -c256)" This command gives me base64: invalid input. Is there a work around for this?Still getting the same error