
Forbidden Response using Table-Level SAS Token on Get-AzStorageTable #14394

Closed
gwalkey opened this issue Mar 2, 2021 · 12 comments
Labels: customer-reported, question, Service Attention, Storage

Comments

gwalkey commented Mar 2, 2021

Using AzTable 2.04

SAS Token was created 3 different ways:

Azure Portal - right click on Table, "Get SAS Token"
PowerShell New-AzStorageTableSASToken
Azure Storage Explorer
All three SAS Tokens created on the Table ALONE fail.
Using a SAS Token on the ENTIRE STORAGE ACCOUNT always works.

Code is:
Import-Module -Name Az.Storage
Import-Module -Name Az.Resources
Import-Module -Name AzTable

$AzStorageAccount = "storage_accountname"
$TableName = 'TableName'
# Table-level (service) SAS: the tn= field scopes it to this one table
$TableSasToken = "?st=2021-02-25T15%3A40%3A11Z&se=2022-01-01T04%3A59%3A00Z&sp=raud&sv=2018-03-28&tn=TableName&sig=mysig"
$StorageCtx = New-AzStorageContext -StorageAccountName $AzStorageAccount -SasToken $TableSasToken
$Table = Get-AzStorageTable -Name $TableName -Context $StorageCtx

throws
Forbidden

DEBUG: 1:04:10 PM - GetAzureStorageTableCommand end processing, Start 7 remote calls. Finish 7 remote calls. Elapsed time 1538702.92 ms. Client operation id: Azure-Storage-PowerShell-ee008953-9bf3-4536-9ad2-74a5b8742830.

DEBUG: AzureQoSEvent: CommandName - Get-AzStorageTable; IsSuccess - False; Duration - 00:00:01.8729751;; Exception - Microsoft.Azure.Cosmos.Table.StorageException: Forbidden
at Microsoft.WindowsAzure.Commands.Storage.Model.Contract.StorageTableManagement.DoesTableExist(CloudTable table, TableRequestOptions requestOptions, OperationContext operationContext)
at Microsoft.WindowsAzure.Commands.Storage.Table.Cmdlet.GetAzureStorageTableCommand.d__12.MoveNext()
at Microsoft.WindowsAzure.Commands.Storage.Table.Cmdlet.GetAzureStorageTableCommand.WriteTablesWithStorageContext(IEnumerable`1 tableList)
at Microsoft.WindowsAzure.Commands.Storage.Table.Cmdlet.GetAzureStorageTableCommand.ExecuteCmdlet()
at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Request Information

RequestID:7b83f525-9002-0011-80a0-0b6c7f000000
RequestDate:Thu, 25 Feb 2021 18:04:08 GMT
StatusMessage:Forbidden
ErrorCode:
ErrorMessage:This request is not authorized to perform this operation.
RequestId:7b83f525-9002-0011-80a0-0b6c7f000000
Time:2021-02-25T18:04:08.4574077Z;
DEBUG: Finish sending metric.
DEBUG: 1:04:10 PM - GetAzureStorageTableCommand end processing.

Hitting the URL in a browser works fine.
Using the same Table-level SAS Token against the REST API directly also works fine.

@gwalkey gwalkey added the needs-triage This is a new issue that needs to be triaged to the appropriate team. label Mar 2, 2021
@ghost ghost added the question The issue doesn't require a change to the product in order to be resolved. Most issues start as that label Mar 2, 2021
ghost commented Mar 2, 2021

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @wmengmsft, @MehaKaushik, @shurd, @anfeldma-ms

@ghost ghost added the customer-reported label Mar 2, 2021
@dingmeng-xue dingmeng-xue added Service Attention This issue is responsible by Azure service team. Storage labels Mar 4, 2021
@ghost ghost removed the needs-triage This is a new issue that needs to be triaged to the appropriate team. label Mar 4, 2021
ghost commented Mar 4, 2021

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @xgithubtriage.


@blueww blueww self-assigned this Mar 5, 2021
blueww (Member) commented Mar 5, 2021

@gwalkey
You are using a table Service SAS (with tn=), which applies only to entity operations in a single table. See details in the following doc; you can see that all table service SAS permissions apply only to entities.
https://docs.microsoft.com/en-us/rest/api/storageservices/create-service-sas#permissions-for-a-table

If you would like to use the Get-AzStorageTable cmdlet, then consider using an Account SAS instead. Per your comments above, you should already have the account SAS working.

gwalkey (Author) commented Mar 5, 2021 via email

gwalkey (Author) commented Mar 5, 2021

I'll make it clearer:

Get-AzStorageTable fails with a Table-Level SAS Token with ALL permissions:
$AzStorageAccount = "StorageAccountName"
$TableName = "TableName"
# Table-level SAS with raud permissions on this one table
$TableSasToken = "?sp=raud&st=2021-02-24T18:07:07Z&se=2022-02-24T18:22:00Z&sv=2020-02-10&sig=SomeSig&tn=TableName"
$StorageCtx = New-AzStorageContext -StorageAccountName $AzStorageAccount -SasToken $TableSasToken
$Table = Get-AzStorageTable -Name $TableName -Context $StorageCtx
Get-AzTableRow -Table $Table.CloudTable

Succeeds with the SAME TOKEN:
# Query the table's entities directly through the REST API with the same SAS
$URI = "https://" + $AzStorageAccount + ".table.core.windows.net/" + $TableName + $TableSasToken
$Now = (Get-Date).ToUniversalTime().ToString('R')
$Headers = @{
    'x-ms-date'    = "$Now"
    'Accept'       = 'application/json;odata=fullmetadata'
    'Content-Type' = 'application/json'
}
$TableRows = Invoke-RestMethod -Method Get -Uri $URI -ContentType 'application/json' -Headers $Headers
$TableRows.value | Select-Object -Property PartitionKey, RowKey, Timestamp | Out-GridView

blueww (Member) commented Mar 9, 2021

@gwalkey

  1. The cmdlet name should be "Get-AzStorageTable" ("Get-AzureStorageTable" is the old name; they actually do the same thing).
  2. Your REST API script succeeds since it only does an inside-table query, which the SAS has permission for. The PSH script does not work since "Get-AzStorageTable" gets table properties, which needs an account SAS.
  3. If you just need to create a table object with the SAS for a following inside-table query, you can build it from a table SAS URI like the following:
# Table SAS URI: account and table names plus the table-level SAS query string
$tableSASUri = "https://[accountName].table.core.windows.net/[tableName]?sv=2017-07-29&tn=[tableName]&sig=[hidden]&se=2021-03-15T07%3A00%3A09Z&sp=raud"

$uri = [System.Uri]$tableSASUri
# Build the CloudTable directly from the SAS URI; no Get-AzStorageTable call is needed
$CloudTable = New-Object -TypeName Microsoft.Azure.Cosmos.Table.CloudTable $uri

Get-AzTableRow -Table $CloudTable
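As an added example (not from this thread or from the Az.Storage or AzTable projects), a small PowerShell function that inspects a SAS token before it is handed to New-AzStorageContext and reports whether it is a table Service SAS (tn=, entity operations only) or an Account SAS (ss=/srt=), so a Forbidden from Get-AzStorageTable can be predicted from the token's scope rather than debugged afterwards. The sample tokens are constructed with placeholder signatures; the CanGetAzStorageTable field assumes, as stated in the comment above, that reading table properties needs an Account SAS.

```powershell
# Added example: classify a SAS token by scope before using it.
function Get-SasTokenScope {
    param([Parameter(Mandatory)][string]$SasToken)

    # Parse "?k=v&k=v" into a hashtable; values are URL-decoded (se= is often %3A-escaped).
    $q = @{}
    foreach ($pair in $SasToken.TrimStart('?').Split('&')) {
        $k, $v = $pair.Split('=', 2)
        $q[$k] = [System.Uri]::UnescapeDataString($v)
    }

    # Account SAS carries ss= (services) and srt= (resource types); a table Service SAS carries tn=.
    $isAccountSas = $q.ContainsKey('ss') -and $q.ContainsKey('srt')
    $isTableSas   = $q.ContainsKey('tn')
    $expiry = if ($q.ContainsKey('se')) { [datetime]::Parse($q['se']).ToUniversalTime() } else { $null }

    [pscustomobject]@{
        Kind        = if ($isAccountSas) { 'AccountSAS' } elseif ($isTableSas) { 'TableServiceSAS' } else { 'Unknown' }
        Table       = $q['tn']
        Permissions = $q['sp']
        ExpiresUtc  = $expiry
        Expired     = ($null -ne $expiry) -and ($expiry -lt (Get-Date).ToUniversalTime())
        # Assumption from the thread: Get-AzStorageTable reads table properties, which only
        # an Account SAS allows; entity reads via Get-AzTableRow work with either kind
        # as long as the token grants read (r).
        CanGetAzStorageTable = $isAccountSas
        CanQueryEntities     = ($isAccountSas -or $isTableSas) -and ($q['sp'] -match 'r')
    }
}

# Constructed sample tokens (placeholder signatures) mirroring the two shapes discussed above.
$tableSas   = '?sp=raud&st=2021-02-24T18:07:07Z&se=2022-02-24T18:22:00Z&sv=2020-02-10&sig=PLACEHOLDER&tn=TableName'
$accountSas = '?sv=2020-02-10&ss=t&srt=sco&sp=rl&se=2022-02-24T18:22:00Z&sig=PLACEHOLDER'

Get-SasTokenScope -SasToken $tableSas     # Kind: TableServiceSAS, CanGetAzStorageTable: False
Get-SasTokenScope -SasToken $accountSas   # Kind: AccountSAS,      CanGetAzStorageTable: True
```

When the result is TableServiceSAS, keep that token and query through a CloudTable built from the SAS URI as shown in the comment above rather than minting a broader Account SAS; the table-scoped token is the least-privilege choice and limits what a leaked token can reach.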

gwalkey (Author) commented Mar 9, 2021

Although you still misunderstand which cmdlet I am using (NOT USING Get-AzureStorageTable), please read my code again.
That worked!

Nowhere in MS documentation is there an example of NOT using the Az module and referencing the Cosmos assembly directly
(isn't that the whole idea of using PoSh modules?).

"3) If you just need to create a table object with the SAS for following inside table query, you can run it from a table SAS Uri like following:"

This doc needs your example showing how to do this using a Table-Level SAS Token ONLY:
https://docs.microsoft.com/en-us/azure/storage/tables/table-storage-how-to-use-powershell#retrieve-all-entities

thank you

blueww (Member) commented Mar 10, 2021

@gwalkey

Thanks for your reply!
Just to confirm, can the script in my previous comment make your scenario work?
If so, I will try to contact the doc writer to see if we can update the doc with the example.
(As you closed the issue, I think it's resolved. Just to confirm.)

Besides that, I am a little confused; I think you use "Get-AzStorageTable", is that correct? (I do see it in your script. I don't think you are using "Get-AzStorageTable"; I just want to clarify that the 2 names are actually the old and new cmdlet names pointing to the same function.)
As in your earlier comments, the failure happens in "Get-AzStorageTable". This is caused by the table SAS not having permission to run it.

gwalkey (Author) commented Mar 10, 2021

  1. "Just to confirm, can the script in my previous comment make your scenario work?"
    Yes, but nowhere in MS documentation is there an example of referencing the Cosmos assembly directly
    (isn't that the whole idea of using PoSh modules?).

  2. "Besides that, I am a little confused."
    Indeed.
    Sometimes it's easier to re-read the OP question and multiple code samples to be clear.

  3. "This is caused by the table SAS not having permission to run it."
    It does have enough permission.
    If you look at my code sample, my table-level SAS token has raud permissions.

  4. Why is Table Storage not documented?

  5. And why does the MS Docs for Table Storage take me to Paulo's site here?
    https://paulomarquesc.github.io/working-with-azure-storage-tables-from-powershell/

Is Table Storage not supported by MS Az Module?
https://docs.microsoft.com/en-us/azure/storage/tables/table-storage-how-to-use-powershell

gwalkey (Author) commented Mar 10, 2021

Also, according to these issues, AzTable seems unsupported by MS:
#12596
"AzTables is not included because it is not Azure PowerShell module. User needs to install it separately if required."
"Thanks for reporting. AzTable is not in Azure/azure-powershell repo and not developed by Azure PowerShell team."

#12597
"AzTable is not related to Azure PowerShell. It is a module for interacting with data-plane of both Cosmos DB Table API and Azure Storage Table service, developed entirely independently from Azure Powershell. There are no plans for integrating AzTable with Az.CosmosDB or offer its functionality in Az.CosmosDB."

blueww (Member) commented Mar 11, 2021

@gwalkey

Thanks for your reply and questions!
To answer your questions:

#3: Per the doc, even if the table SAS has permission raud, it only has permission to handle entities inside the table, but doesn't have permission to get table properties like Get-AzStorageTable does. This is server design; PowerShell has to follow it.

#4: For "not documented", which document do you mean? There's a document for AzTable like https://docs.microsoft.com/en-us/azure/storage/tables/table-storage-how-to-use-powershell#retrieve-all-entities

#5: I will inform the document team of your concern about the doc, and see if they can improve it.

The AzTable module is not inside the Azure PowerShell release. Anyway, we will work with that module owner to make sure it can work with the table cmdlets in the Az.Storage module.

gwalkey (Author) commented Mar 11, 2021

never mind

@gwalkey gwalkey closed this as completed Mar 11, 2021