Accessing Azure blob storage using bash, curl

I am attempting to use the Azure blob storage service from a bash script using the REST API. I know it is possible to accomplish this using various other tools or languages, however I'd like to do it as a bash script.

The script below is an attempt to list the blobs in an Azure storage container.

This script results in an authentication error. The signing string and headers look correct based on the REST API (reference) documentation. I suspect the problem may be in juggling the various parts of the signing process.

Has anyone successfully used bash and curl to access cloud storage resources like Azure or other providers?

#!/bin/bash

# List the blobs in an Azure storage container.

echo "usage: ${0##*/} <storage-account-name> <container-name> <access-key>"

storage_account="$1"
container_name="$2"
access_key="$3"

blob_store_url="blob.core.windows.net"
authorization="SharedKey"

request_method="GET"
request_date=$(TZ=GMT date "+%a, %d %h %Y %H:%M:%S %Z")
storage_service_version="2011-08-18"

# HTTP Request headers
x_ms_date_h="x-ms-date:$request_date"
x_ms_version_h="x-ms-version:$storage_service_version"

# Build the signature string
canonicalized_headers="${x_ms_date_h}\n${x_ms_version_h}"
canonicalized_resource="/${storage_account}/${container_name}"

string_to_sign="${request_method}\n\n\n\n\n\n\n\n\n\n\n\n${canonicalized_headers}\n${canonicalized_resource}\ncomp:list\nrestype:container"

# Decode the Base64 encoded access key, convert to Hex.
decoded_hex_key="$(echo -n $access_key | base64 -d -w0 | xxd -p -c256)"

# Create the HMAC signature for the Authorization header
signature=$(echo -n "$string_to_sign" | openssl dgst -sha256 -mac HMAC -macopt "hexkey:$decoded_hex_key" | sed 's/^.*= //' | base64 -w0)

authorization_header="Authorization: $authorization $storage_account:$signature"

curl \
  -H "$x_ms_date_h" \
  -H "$x_ms_version_h" \
  -H "$authorization_header" \
  "https://${storage_account}.${blob_store_url}/${container_name}?restype=container&comp=list"

Update - The storage service error and the corresponding signing string that the script generated.

Following is what the storage service returns for the AuthenticationFailed error.

<?xml version="1.0" encoding="utf-8"?>
<Error>
  <Code>AuthenticationFailed</Code>
  <Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
RequestId:27e6337e-52f3-4e85-98c7-2fabaacd9ebc
Time:2013-11-21T22:10:11.7029042Z</Message>
  <AuthenticationErrorDetail>The MAC signature found in the HTTP request
'OGYxYjk1MTFkYmNkMCgzN2YzODQwNzcyNiIyYTQxZDg0OWFjNGJiZDlmNWY5YzM1ZWQzMWViMGFjYTAyZDY4NAo='
is not the same as any computed signature. Server used following string to sign:
'GET

x-ms-date:Thu, 21 Nov 2013 22:10:11 GMT
x-ms-version:2011-08-18
/storage_account_name/storage_container
comp:list
restype:container'
  </AuthenticationErrorDetail>
</Error>

Next is the string_to_sign that the script generates.

GET\n\n\n\n\n\n\n\n\n\n\n\nx-ms-date:Thu, 21 Nov 2013 22:10:11 GMT\nx-ms-version:2011-08-18\n/storage_account_name/storage_container\ncomp:list\nrestype:container

The query parameters are being appended during the assignment of the string_to_sign variable. The authentication error returned from the storage service when I run the script includes the string that Azure used to create its Authorization signature. When I print the string_to_sign variable, it looks exactly like the string that Azure is returning in the error.

Sorry, my bad! Didn't see that code earlier. Can you share the output of string_to_sign created by you and the one returned by Windows Azure. I'm pretty sure there must be some minor issue there.

Another thing to look for is how you decode your account key. Coming from C# world, we do Convert.FromBase64String() to get the account key in bytes. That could be another reason for authentication failure.

I added the output of string_to_sign to the original question. I also included the error XML that the storage service generates in response.

I am most suspicious of any of the various parts of the process to decode the account key, create the signature, then re-encode. I think I might write a simple signature generator using another language, probably Java, and run the signature generation side-by-side to compare.

To more specifically answer your question about decoding the account key. I use base64 -d -W0 to decode the key. This outputs the key bytes which are then passed through a pipe to xxd -p -c256 to directly hex encode the key bytes. This step is necessary because (AFAIK) I can't pass the bytes directly to openssl on the command line so I need to use the hexkey format.

Thanks for the excellent suggestion. Doing this is difficult due to the environment I'm running in. I'll hang onto this suggestion if my debugging continues to be fruitless.

Just a note - I used wazproxy as my reference, you may want to check it out. Also Wireshark is your best friend when it comes to analyzing any traffic/protocols.

Maybe you could help me on this?

I've modified this a bit and added support for downloads. I've pasted here: gist.github.com/jrwren/ff46f4ba177f042ccdc48c080c198f60

decoded_hex_key="$(echo -n $access_key | base64 -d -w0 | xxd -p -c256)" This command gives me base64: invalid input. Is there a work around for this?Still getting the same error