As noticed here, the shared access signature is not supported in the Azure SDK for PHP. So I developed my own function to generate the signed-url using the Miscrosoft Azure documentation (here) and the PHPAzure Codeplex project and source code (here)
I want to generate an signed-url that may be called directly in a web browser vithout using a developed software client.
My generated signed-url always returns an "AuthenticationFailed" with the detail "Signature did not match. Signature did not match. String to sign used was r 2013-11-03 2013-11-05 /ntgstblog/netgemvno netgemvno_default_policy"
Here my source code to generate a shared access signature and my signed url. Can you help me to debug it ?
$config = array(
'blob_account' => <mystroage_accountname>,
'blob_key' => <mystroage_accesskey>,
'blob_protocol' => 'http'
);
$_id = 'netgemvno_default_policy';
...
/* Define the policy of the container */
$_data = array(
'SignedIdentifier' => array (
'Id' => $_id,
'AccessPolicy' => array(
'Start' => date("Y-m-d", strtotime('-1 years')),
'Expiry' => date("Y-m-d", strtotime('+1 year')),
'Permission' => 'r'
)
)
);
$_containerAcl = ContainerAcl::create(PublicAccessType::NONE, $_data);
$rest->blob_service->setContainerAcl($oem, $_containerAcl);
...
/* get shared access url to my private blob */
$_start = date('Y-m-d', strtotime('-1 day'));
//$_start = '';
$_expiry = date('Y-m-d', strtotime('+1 day'));
//$_expiry = '';
$_permission = 'r';
$_container = 'netgemvno';
$_blob = strtolower(
"netgemvno/backup/2013/10/29/20131029_ack.log"
);
/* Create the signature */
$_arraysign = array();
$_arraysign[] = $_permission;
$_arraysign[] = $_start;
$_arraysign[] = $_expiry;
$_arraysign[] = '/' . $config['blob_account'] . '/' . $_container;
$_arraysign[] = $_id;
$_str2sign = implode("
", $_arraysign);
$_signature = base64_encode(
hash_hmac('sha256', $_str2sign, $config['blob_key'], true)
);
/* Create the signed query part */
$_parts = array();
$_parts[] = (!empty($_start))?'st=' . urlencode($_start):'';
$_parts[] = (!empty($_expiry))?'se=' . urlencode($_expiry):'';
$_parts[] = (!empty($_permission))?'sp=' . $_permission:'';
$_parts[] = 'sr=' . 'c';
$_parts[] = (!empty($_id))?'si=' . urlencode($_id):'';
$_parts[] = 'sig=' . urlencode($_signature);
/* Create the signed blob URL */
$_url = $config['blob_protocol'] . '://'
. $config['blob_account'] . '.blob.core.windows.net/'
. $_blob . '?'
. implode('&', $_parts);
return $_url;
Assuming you're storing your account key as base64 encoded (something like AmSacgtnBFBvyqPHTNfpThcBCFWqzE3PIl09Pr1IQBGNjln1a8fZeUTs0+fehSmGt6ujf/7DQ51ef+DEXEZziA==), try changing the following line of code:
$_signature = base64_encode(
hash_hmac('sha256', $_str2sign, $config['blob_key'], true)
);
To
$_signature = base64_encode(
hash_hmac('sha256', $_str2sign, base64_decode($config['blob_key']), true)
);
I wanted to provide some additional information to this post to reflect the changes made to the Azure REST API for accessing containers/blobs since this post was made. Pursuant to the docs I had to do a bit more work as of 9/2014.
Here is SAS generation code that worked for me for uploading a blob to a private container in PHP:
private function testSASGeneration($container, $blob, $resourceType, $permissions, $start, $expiry){
/* Create the signature */
$_arraysign = array();
$_arraysign[] = $permissions;
$_arraysign[] = $start;
$_arraysign[] = $expiry;
$_arraysign[] = '/' . $this->blobServiceAccountName . '/' . $container;
$_arraysign[] = '';
$_arraysign[] = "2013-08-15"; //the API version is now required
$_arraysign[] = '';
$_arraysign[] = "file; attachment";
$_arraysign[] = '';
$_arraysign[] = '';
$_arraysign[] = 'binary';
$_str2sign = implode("
", $_arraysign);
//signature requires url decode and utf-8 encode, as illustrated in docs linked in this post.
$_signature = base64_encode(
hash_hmac('sha256', urldecode(utf8_encode($_str2sign)), base64_decode($this->blobServicePrimaryKey), true)
);
/* Create the signed query part */
$_parts = array();
$_parts[] = (!empty($start))?'st=' . urlencode($start):'';
$_parts[] = (!empty($expiry))?'se=' . urlencode($expiry):'';
$_parts[] = 'sr=' . $resourceType;
$_parts[] = (!empty($permissions))?'sp=' . $permissions:'';
$_parts[] = (!empty($permissions))?'rscd=' . urlencode("file; attachment"):'';
$_parts[] = (!empty($permissions))?'rsct=' . urlencode("binary"):'';
//$_parts[] = (!empty($_id))?'si=' . urlencode($_id):'';
$_parts[] = 'sig=' . urlencode($_signature);
$_parts[] = 'sv=2013-08-15'; //addition of API version in query
/* Create the signed blob URL */
$_url = 'https://'
. $this->blobServiceAccountName . '.blob.core.windows.net/'
. $container . '/'
. $blob . '?'
. implode('&', $_parts);
return $_url;
}
Hope this helps anyone that is forced to use PHP to communicate with Azure, as the API is severely lacking compared to its C# counterpart.