Problems with xbcloud and AZURE returning : HTTP/1.1 403 Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature

Problems with xbcloud and AZURE returning HTTP 403 Authorization errors

( xbcloud ver 2.4.27 rev aae8e82 Linux x86_64 )

Hi, I am trying to use xbcloud to put / get a blob in an Azure Storage Container.

I have already succeeded in using the latest az client, which I installed into my Linux VM (in Azure), and creating a storage account and creating a container and a small blob, which I can also subsequently see using the az client.

When I try and use xbcloud (which I installed on the same Linux VM) I am having HTTP 403 errors (authorization failed responses) from Azure.

Can someone let me know if I missed something, or perhaps show a clear example of how this should / could work? (The documentation doesn't really show a clear working example with Azure.)

Thanks in advance.

Matt.


Here's what I tried:

[admin@m85zda42b matt]$ xbcloud put --storage=azure --verbose --azure-storage-account="maria1acab19201982975047" --azure-access-key='abcdefN8AHMKFseEZpp7vn3iCguBrJ6WvacrMSgFDMwqhnkrO+IhZ6HsV0edRTkGbLXk3k8quwiT+AStgF7uVxyz' --azure-container-name='mattsstoragecontainer' --azure-endpoint="https://maria1acab19201982975047.blob.core.windows_net/" --azure-tier-class="Cool" mattstestBlob1

  • Trying 10.56.185.6

  • TCP_NODELAY set
  • Connected to maria1acab19201982975047.blob.core.windows_net (10.56.185.6) port 443 (#0)
  • ALPN, offering http/1.1
  • successfully set certificate verify locations:
  • CAfile: /etc/pki/tls/certs/ca-bundle.crt
    CApath: none
  • SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
  • ALPN, server did not agree to a protocol
  • Server certificate:
  • subject: CN=*.blob.core.windows.net
  • start date: Sep 18 11:51:41 2022 GMT
  • expire date: Sep 18 11:51:41 2023 GMT
  • subjectAltName: host “maria1acab19201982975047.blob.core.windows_net” matched cert’s “*.blob.core.windows.net”
  • issuer: C=US; O=Microsoft Corporation; CN=Microsoft RSA TLS CA 02
  • SSL certificate verify ok.

HEAD /mattsstoragecontainer?comp=metadata&restype=container HTTP/1.1
Host: maria1acab19201982975047.blob.core.windows_net
Accept: */*
Accept-Encoding: gzip
Authorization: SharedKey maria1acab19201982975047:abcdefq3PoYCPNG2QaqUUonGa51sjxcWza+QCjbuVxyz
x-ms-access-tier: Cool
x-ms-date: Wed, 07 Dec 2022 17:32:33 GMT
x-ms-version: 2020-06-12

< HTTP/1.1 403 Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
< Transfer-Encoding: chunked
< Server: Microsoft-HTTPAPI/2.0
< x-ms-request-id: 5021a68c-301e-0091-2c61-0a3733000000
< x-ms-error-code: AuthenticationFailed
< Date: Wed, 07 Dec 2022 17:32:33 GMT
<

  • Connection #0 to host maria1acab19201982975047.blob.core.windows_net left intact
[admin@m85zda42b matt]$

[admin@m85zda42b matt]$ xbcloud --version
xbcloud Ver 2.4.27 for Linux (x86_64) (revision id: aae8e82)
[admin@m85zda42b matt]$

[admin@m85zda42b matt]$ az storage blob show --account-key 'abcdefN8AHMKFseEZpp7vn3iCguBrJ6WvacrMSgFDMwqhnkrO+IhZ6HsV0edRTkGbLXk3k8quwiT+AStgF7uVxyz' -c mattsstoragecontainer --name mattstestBlob1 --output table
Name            Blob Type    Blob Tier    Length    Content Type              Last Modified              Snapshot
--------------  -----------  -----------  --------  ------------------------  -------------------------  ----------
mattstestBlob1  BlockBlob    Cool         19        application/octet-stream  2022-12-05T17:21:46+00:00
[admin@m85zda42b matt]$


Hi @iL_Mattone

Try removing your endpoint. I just tested it and it works (with my credentials):

cat compressed.xbs | xbcloud put --storage=azure --azure-storage-account=pxbtesting --azure-container-name=backups --azure-access-key='REDACTED' marce
221207 16:27:30 xbcloud: successfully uploaded chunk: marce/ibdata1.qp.00000000000000000000, size: 167055
221207 16:27:30 xbcloud: successfully uploaded chunk: marce/ibdata1.qp.00000000000000000001, size: 24
221207 16:27:30 xbcloud: successfully uploaded chunk: marce/sys/sys_config.ibd.qp.00000000000000000000, size: 4021
221207 16:27:31 xbcloud: successfully uploaded chunk: marce/sys/sys_config.ibd.qp.00000000000000000001, size: 35
221207 16:27:33 xbcloud: successfully uploaded chunk: marce/mysql.ibd.qp.00000000000000000000, size: 2355036
221207 16:27:34 xbcloud: successfully uploaded chunk: marce/mysql.ibd.qp.00000000000000000001, size: 26
221207 16:27:34 xbcloud: successfully uploaded chunk: marce/undo_002.qp.00000000000000000000, size: 287261
221207 16:27:34 xbcloud: successfully uploaded chunk: marce/undo_002.qp.00000000000000000001, size: 25
221207 16:27:35 xbcloud: successfully uploaded chunk: marce/undo_001.qp.00000000000000000000, size: 296435
221207 16:27:35 xbcloud: successfully uploaded chunk: marce/undo_001.qp.00000000000000000001, size: 25
221207 16:27:35 xbcloud: successfully uploaded chunk: marce/mysql/general_log_224.sdi.qp.00000000000000000000, size: 1532
221207 16:27:36 xbcloud: successfully uploaded chunk: marce/mysql/general_log_224.sdi.qp.00000000000000000001, size: 42
221207 16:27:36 xbcloud: successfully uploaded chunk: marce/mysql/general_log.CSM.qp.00000000000000000000, size: 150
221207 16:27:36 xbcloud: successfully uploaded chunk: marce/mysql/general_log.CSM.qp.00000000000000000001, size: 38
221207 16:27:37 xbcloud: successfully uploaded chunk: marce/mysql/slow_log_225.sdi.qp.00000000000000000000, size: 1789
221207 16:27:37 xbcloud: successfully uploaded chunk: marce/mysql/slow_log_225.sdi.qp.00000000000000000001, size: 39
...
221207 16:27:40 xbcloud: Upload completed.

Btw, testing with the same credentials you shared in your post via the az client, I also receive a 403 error:

az storage blob show --verbose --account-key 'abcdefN8AHMKFseEZpp7vn3iCguBrJ6WvacrMSgFDMwqhnkrO+IhZ6HsV0edRTkGbLXk3k8quwiT+AStgF7uVxyz' -c mattsstoragecontainer --account-name maria1acab19201982975047 --name mattstestBlob1 --output table
Try to get storage auth_mode value from environment variables or config file.
Try to get storage sas_token value from environment variables or config file.
Request URL: 'https://maria1acab19201982975047.blob.core.windows.net/mattsstoragecontainer/mattstestBlob1'
Request method: 'HEAD'
Request headers:
    'x-ms-version': 'REDACTED'
    'Accept': 'application/xml'
    'User-Agent': 'AZURECLI/2.43.0 (DEB) azsdk-python-storage-blob/12.12.0 Python/3.10.8 (Linux-5.15.0-53-generic-x86_64-with-glibc2.31)'
    'x-ms-client-request-id': '5145597c-7667-11ed-af81-5938095187d8'
    'CommandName': 'REDACTED'
    'ParameterSetName': 'REDACTED'
    'x-ms-date': 'REDACTED'
    'Authorization': 'REDACTED'
No body was attached to the request
Response status: 403
Response headers:
    'Transfer-Encoding': 'chunked'
    'Server': 'Microsoft-HTTPAPI/2.0'
    'x-ms-request-id': '4f197c79-b01e-0044-7874-0ad8be000000'
    'x-ms-error-code': 'REDACTED'
    'Date': 'Wed, 07 Dec 2022 19:42:43 GMT'

Authentication failure. This may be caused by either invalid account key, connection string or sas token value provided for your storage account.
                    
Command ran in 1.312 seconds (init: 0.173, invoke: 1.140)

Hi,

Many thanks for your feedback.

Apologies - I had to obfuscate the keys I posted for security reasons (I should have made that clear in the original post).

I am still facing issues with the xbcloud command with Azure and authentication errors.

Can you please clarify the key that's expected when using the xbcloud command, from: Use the xbcloud binary with Microsoft Azure Cloud Storage - Percona XtraBackup:

--azure-access-key=name AZURE_ACCESS_KEY A generated key that can be used to authorize access to data in your account using the Shared Key authorization.

i.e. that this is one of:

  • the key (i.e. key1) from the Azure GUI / storage accounts / access keys / key1?

or

  • a generated token from the SAS section? (Azure GUI / storage accounts / shared access signature / generated SAS token)

or some other key perhaps ?

Thanks again for your help.

Matt.

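As background on the Shared Key authorization named in the documentation line quoted above, here is an added example (not part of the thread and not xbcloud's code). It builds the string-to-sign for the HEAD request shown in the first post and signs it with HMAC-SHA256, which needs the base64 storage account key as key material; a SAS token is a query string and fails that decode. The account name and key are constructed, and `credential_kind` is a hypothetical helper.

```python
import base64
import hashlib
import hmac

# Standard header slots that follow the verb, in the order the service signs them.
STD = ["content-encoding", "content-language", "content-length", "content-md5",
       "content-type", "date", "if-modified-since", "if-match",
       "if-none-match", "if-unmodified-since", "range"]

def string_to_sign(verb, account, path, query, headers):
    """Blob service Shared Key string-to-sign (service version 2015-02-21 or later)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if "x-ms-date" in h:
        h.pop("date", None)           # Date slot stays empty when x-ms-date is sent
    lines = [verb] + [h.get(name, "") for name in STD]
    # CanonicalizedHeaders: every x-ms-* header, lower-cased and sorted by name.
    canon_headers = "".join(f"{k}:{v}\n" for k, v in sorted(h.items())
                            if k.startswith("x-ms-"))
    # CanonicalizedResource: /account/path, then sorted query parameters.
    canon_resource = f"/{account}{path}" + "".join(
        f"\n{k.lower()}:{v}" for k, v in sorted(query.items()))
    return "\n".join(lines) + "\n" + canon_headers + canon_resource

def shared_key_header(account, key_b64, sts):
    """Authorization header value: HMAC-SHA256 keyed with the decoded account key."""
    key = base64.b64decode(key_b64, validate=True)  # raises on non-base64 input
    sig = hmac.new(key, sts.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {account}:{base64.b64encode(sig).decode()}"

def credential_kind(value):
    """Rough check of what was supplied as the access key (hypothetical helper)."""
    if "sig=" in value and "sv=" in value:
        return "sas-token"            # query-string token, not HMAC key material
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:
        return "unknown"
    return "account-key" if len(raw) == 64 else "unknown"

# Constructed sample values: account name and key are made up for this example.
ACCOUNT = "exampleaccount"
KEY = base64.b64encode(bytes(range(64))).decode()
STS = string_to_sign(
    "HEAD", ACCOUNT, "/mattsstoragecontainer",
    {"comp": "metadata", "restype": "container"},
    {"x-ms-access-tier": "Cool", "x-ms-date": "Wed, 07 Dec 2022 17:32:33 GMT",
     "x-ms-version": "2020-06-12"})
HEADER = shared_key_header(ACCOUNT, KEY, STS)
```

Any difference in the key bytes, the account name, or a signed header value yields a different signature, which the service reports as `AuthenticationFailed`.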