authentication error from sharing SAS URL

[gladysmcgan]

Preflight Checklist

• [X] I have installed the latest version of Storage Explorer.
• [X] I have checked existing resources, including the troubleshooting guide and the release notes.
• [X] I have searched for similar issues.

Storage Explorer Version

1.33.1

Regression From

No response

Architecture

arm64

Storage Explorer Build Number

20240410.2

Platform

macOS

OS Version

Sonoma 14.1

Bug Description

I would like to share access to a storage account with collaborators outside my company. I tried to generate a SAS URL but I get the Authenticator Error when I try to open blob storage. I have a Storage Blob Data Contributor role in this storage account. I also checked my public network access setting, and it is enabled from all networks.

Steps to Reproduce

1. Connect to storage account
2. Use Shared Access signature
3. Paste SAS URL
4. Open blob containers node
5. Error window appears

Actual Experience

I used the below settings to generate the SAS URL:

But got this pop up window when I connected to the storage account and tried to open the blob containers in the explorer:

This request is not authorized to perform this operation.

This storage account's 'Firewalls & virtual networks' settings may be blocking access to storage services. Try adding your client IP address to the firewall exceptions, or by allowing access from 'all networks' instead of 'selected networks'. To learn more about Azure Storage firewalls and virtual networks, visit http://go.microsoft.com/fwlink/?LinkId=845443.

Error Details: { "name": "RestError", "code": "AuthorizationFailure", "statusCode": 403, "request": { "streamResponseStatusCodes": {}, "url": "https://aufgehdlstrcoreprodweu01.blob.core.windows.net/?sv=2022-11-02&ss=b&srt=sco&sp=rwdlacyx&se=2024-04-29T15:24:36Z&st=2024-04-29T07:24:36Z&sip=0.0.0.0&spr=https&sig=AzureSAS Token Redacted&comp=list&include=metadata", "method": "GET", "headers": { "_headersMap": { "x-ms-version": { "name": "x-ms-version", "value": "2023-01-03" }, "accept": { "name": "Accept", "value": "application/xml" }, "user-agent": { "name": "User-Agent", "value": "Microsoft Azure Storage Explorer/1.33.1 (darwin) azsdk-js-storageblob/12.15.0 (NODE-VERSION v18.18.2; Darwin 23.1.0)" }, "x-ms-client-request-id": { "name": "x-ms-client-request-id", "value": "039c4a2d-614a-48e2-ae83-9ab24b457ebc" } } }, "withCredentials": false, "timeout": 0, "keepAlive": true, "decompressResponse": false, "requestId": "039c4a2d-614a-48e2-ae83-9ab24b457ebc" }, "response": { "request": { "streamResponseStatusCodes": {}, "url": "https://aufgehdlstrcoreprodweu01.blob.core.windows.net/?sv=2022-11-02&ss=b&srt=sco&sp=rwdlacyx&se=2024-04-29T15:24:36Z&st=2024-04-29T07:24:36Z&sip=0.0.0.0&spr=https&sig=AzureSAS Token Redacted&comp=list&include=metadata", "method": "GET", "headers": { "_headersMap": { "x-ms-version": { "name": "x-ms-version", "value": "2023-01-03" }, "accept": { "name": "Accept", "value": "application/xml" }, "user-agent": { "name": "User-Agent", "value": "Microsoft Azure Storage Explorer/1.33.1 (darwin) azsdk-js-storageblob/12.15.0 (NODE-VERSION v18.18.2; Darwin 23.1.0)" }, "x-ms-client-request-id": { "name": "x-ms-client-request-id", "value": "039c4a2d-614a-48e2-ae83-9ab24b457ebc" } } }, "withCredentials": false, "timeout": 0, "keepAlive": true, "decompressResponse": false, "requestId": "039c4a2d-614a-48e2-ae83-9ab24b457ebc" }, "status": 403, "headers": { "_headersMap": { "content-length": { "name": "content-length", "value": "246" }, "content-type": { "name": "content-type", "value": "application/xml" }, "date": { "name": "date", "value": "Mon, 29 Apr 2024 07:25:30 GMT" }, "server": { "name": "server", "value": "Microsoft-HTTPAPI/2.0" }, "x-ms-client-request-id": { "name": "x-ms-client-request-id", "value": "039c4a2d-614a-48e2-ae83-9ab24b457ebc" }, "x-ms-error-code": { "name": "x-ms-error-code", "value": "AuthorizationFailure" }, "x-ms-request-id": { "name": "x-ms-request-id", "value": "6e4caa70-301e-0015-4106-9aed19000000" } } }, "bodyAsText": "<Error><Code>AuthorizationFailure</Code><Message>This request is not authorized to perform this operation.\nRequestId:6e4caa70-301e-0015-4106-9aed19000000\nTime:2024-04-29T07:25:30.4108810Z</Message></Error>", "parsedBody": { "message": "This request is not authorized to perform this operation.\nRequestId:6e4caa70-301e-0015-4106-9aed19000000\nTime:2024-04-29T07:25:30.4108810Z", "code": "AuthorizationFailure" }, "parsedHeaders": { "errorCode": "AuthorizationFailure", "content-length": "246", "content-type": "application/xml", "date": "Mon, 29 Apr 2024 07:25:30 GMT", "server": "Microsoft-HTTPAPI/2.0", "x-ms-client-request-id": "039c4a2d-614a-48e2-ae83-9ab24b457ebc", "x-ms-request-id": "6e4caa70-301e-0015-4106-9aed19000000" } }, "details": { "errorCode": "AuthorizationFailure", "content-length": "246", "content-type": "application/xml", "date": "Mon, 29 Apr 2024 07:25:30 GMT", "server": "Microsoft-HTTPAPI/2.0", "x-ms-client-request-id": "039c4a2d-614a-48e2-ae83-9ab24b457ebc", "x-ms-request-id": "6e4caa70-301e-0015-4106-9aed19000000", "message": "This request is not authorized to perform this operation.\nRequestId:6e4caa70-301e-0015-4106-9aed19000000\nTime:2024-04-29T07:25:30.4108810Z", "code": "AuthorizationFailure" } }

Expected Experience

No response

Additional Context

No response

[MRayermannMSFT]

@gladysmcgan are you able to access the storage account, using Storage Explorer, on the same machine, if you sign in (instead of SAS attach)?

[gladysmcgan]

@MRayermannMSFT Yes I'm able to

[MRayermannMSFT]

@MRayermannMSFT Yes I'm able to

Thanks. Can I ask why you have 0.0.0.0 for allowed IP addresses? I think that is likely the problem here. That is saying a client's IP address needs to be 0.0.0.0. If you are ok with any IP address, you can just leave that blank.

[MRayermannMSFT]

Closing due to lack of response. If you require further help we recommend opening an Azure support ticket via the portal. Alternatively you can open a new issue here. This one will no longer be monitored.