Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
3,381 questions
Entra ID OAuth2 Token signature failure when listing container
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 62%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECP%3C/text%3E%3C/svg%3E)
Chris Popescu
15
Reputation points
I am trying to use REST & Entra ID token for a user managed identity to list containers and read them for a blob. While I was able to get a token and list the storage account ok like this:
Invoke-WebRequest -Uri (-join ('https://management.azure.com/subscriptions/"subscription_id"/providers/Microsoft.Storage/storageAccounts?api-version=2019-06-01')) -Method GET -Headers @{ Authorization ="Bearer $Token"}
while using same method for container list and read will respond that the Bearer $Token is not supported and signature is incorrectly formed.
Invoke-WebRequest -Uri "https://"storage_account_name".blob.core.windows.net/"container_name"?restype=container&comp=list" -Headers @{ Authorization ="Bearer $Token"}
Invoke-WebRequest:
AuthenticationFailedServer failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
RequestId:1dafc7a3-301e-006f-6b25-82ece9000000
Time:2025-02-18T16:54:20.4625718ZAuthentication scheme Bearer is not supported in this version.
Can I use Entra ID Token to list the containers with REST API ? I did a lot of searching and can't find a functional example.
Azure CLI works for same user managed identity...
Thank you for your help.
C.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 6%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKD%3C/text%3E%3C/svg%3E)
Keshavulu Dasari 3,375 Reputation points Microsoft Vendor2025-02-18T18:23:43.5433333+00:00 Hi Chris Popescu ,
To use Entra ID for authenticating requests to Azure Storage, you need to ensure that the token is correctly formed and that the necessary permissions are granted. Here are some steps to help you troubleshoot and resolve the issue:
Make sure that the managed identity has the necessary permissions to access the storage account. You can assign the
Storage Blob Data Readerrole to the managed identity.Ensure that you are acquiring the token with the correct scope. For accessing Azure Storage, the scope should be
https://storage.azure.com/.default.When listing containers, use the correct REST API endpoint and ensure that the token is included in the Authorization header correctly.
If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.
-
Chris Popescu 15 Reputation points
2025-02-19T14:42:13.9166667+00:00 Thanks for your time Keshavulu.
I've got a Bearer $access_token on both powershell and bash/curl but can't seem to find the proper structure for the headers when issuing this request.
My bash/curl command:
curl https://"stg_account_name".blob.core.windows.net/"my_container"/file001.txt -H "x-ms-version:2018-02-01" -H "Authorization: Bearer $access_token" -H "x-ms-blob-type: BlockBlob" -H "x-ms-date: $(date -u)"
Response:
<?xml version="1.0" encoding="utf-8"?>
<Error><Code>InvalidHeaderValue</Code><Message>The value for one of the HTTP headers is not in the correct format.
Can you please provide some functional examples that show the full format of those bash/powershell requests that can list a container?
I am really struggling to find the docs with the storage blob REST API versions and their associated proper format requests for headers and supported commands.
-
Keshavulu Dasari 3,375 Reputation points Microsoft Vendor
2025-02-19T18:31:40.3333333+00:00 Hi Chris Popescu ,
Issue with the format of your headers. Go through a couple of examples for both PowerShell and bash/curl to help you list containers and read blobs using the Azure Storage Blob REST API.
Make sure to replace placeholders like
your_tenant_id,your_client_id,your_client_secret,your_storage_account_name,your_container_name, andfile001.txtwith your actual values.For more detailed information:
https://learn.microsoft.com/en-us/rest/api/storageservices/blob-service-rest-apiIf you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.
-
Chris Popescu 15 Reputation points
2025-02-20T17:29:59.35+00:00 Hi Keshavulu,
On both PowerShell and Curl , I am able to get the token.
But then on PowerShell seems like I pass the authentication but then I get an authorization error.. From what I in PowerShell script required the creation of a client_secret inside an app registration..? My understanding when running from a computer that has assigned a UM Identity this is not needed. I had to resister an app and create a secret for PowerShell to pass the authentication error but I hit the authorization. This may be normal as the Storage Blob Data Reader are assigned to the UMI and not to app clinetId...
result:
$response = Invoke-WebRequest -Uri $uri -Headers $headers
$response.Content
Invoke-WebRequest : AuthorizationPermissionMismatchThis request is not authorized to perform this operation using this permission.
RequestId:cfadfbaf-601e-0015-3db9-83aa9a000000 Time:2025-02-20T17:02:26.5733505Z
At line:6 char:13
- $response = Invoke-WebRequest -Uri $uri -Headers $headers
-
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~- CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
- FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
-
Chris Popescu 15 Reputation points
2025-02-20T17:46:15.2333333+00:00 Hi Keshavulu,
On PowerShell I get the token and then response show an authorization error. That script is asking for a ' client_secret="your_client_secret" ' ?? which normally is not available for UMI. I had to create and app registration and a secret to get that token. But then how I link the authorized token from registered app to the UMI that has the Storage Blob Data Reader and Storage Blob Data Contributor assigned roles ...???
$response = Invoke-WebRequest -Uri $uri -Headers $headers
$response.Content
Invoke-WebRequest : AuthorizationPermissionMismatchThis request is not authorized to perform this operation using this permission.
RequestId:cfadfbaf-601e-0015-3db9-83aa9a000000 Time:2025-02-20T17:02:26.5733505Z
At line:6 char:13
- $response = Invoke-WebRequest -Uri $uri -Headers $headers
-
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~- CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
- FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
-
Keshavulu Dasari 3,375 Reputation points Microsoft Vendor
2025-02-20T18:14:19.72+00:00 Hi Chris Popescu ,
I Understand the issue when trying to use a managed identity to access Azure Storage. I Suggest few more steps to ensure that your managed identity is correctly configured and has the necessary permissions:
Verify that the managed identity is enabled for your Azure resource (e.g., VM, Azure Function, etc.).
Ensure that the managed identity has the "Storage Blob Data Reader" or "Storage Blob Data Contributor" role assigned at the appropriate scope (subscription, resource group, or storage account).
When using a managed identity, ensure you are acquiring the token for the correct resource, which is
https://storage.azure.com/for Azure Storage. Ensure you are using the correct headers in your request.If you still encounter authorization issues, ensure that the managed identity has the necessary permissions and that there are no conflicting role assignments.
Additional information:
Verify Role Assignment: Double-check that the managed identity has the correct role assigned.
Check Token Scope: Ensure the token is acquired for the correct resource (
https://storage.azure.com/).Review API Version: Use a supported API version in your request headers
I hope this information helps! Let us know if you have any further questions. We will be glad to assist you further.
Sign in to comment
Sign in to answer