Forbidden Response using Table-Level SAS Token on Get-AzStorageTable

[gwalkey]

Using AzTable 2.04

Sas Token was created 3 different ways

Azure Portal - right Click on Table "Get SAS Token"
Powershell New-AzStorageTableSASToken
Azure Storage Explorer
All three SAS Tokens created on the Table ALONE fail
Using a SAS Token on the ENTIRE STORAGE ACCOUNT Always works

Code is:
Import-Module -Name Az.Storage
Import-Module -Name Az.Resources
Import-Module -Name AzTable

$AzStorageAccount = "storage_accountname"
$TableName = 'TableName'
$TableSasToken ="?st=2021-02-25T15%3A40%3A11Z&se=2022-01-01T04%3A59%3A00Z&sp=raud&sv=2018-03-28&tn=TableName&sig=mysig"
$StorageCtx = New-AzStorageContext -StorageAccountName $AzStorageAccount -SasToken $TableSasToken
$Table = Get-AzStorageTable -Name $tableName -Context $StorageCtx

throws
Forbidden

DEBUG: 1:04:10 PM - GetAzureStorageTableCommand end processing, Start 7 remote calls. Finish 7 remote calls. Elapsed time 1538702.92 ms. Client operation id: Azure-Storage-PowerShell-ee008953-9bf3-4536-9ad2-74a5b8742830.

DEBUG: AzureQoSEvent: CommandName - Get-AzStorageTable; IsSuccess - False; Duration - 00:00:01.8729751;; Exception - Microsoft.Azure.Cosmos.Table.StorageException: Forbidden
at Microsoft.WindowsAzure.Commands.Storage.Model.Contract.StorageTableManagement.DoesTableExist(CloudTable table, TableRequestOptions requestOptions, OperationContext operationContext)
at Microsoft.WindowsAzure.Commands.Storage.Table.Cmdlet.GetAzureStorageTableCommand.d__12.MoveNext()
at Microsoft.WindowsAzure.Commands.Storage.Table.Cmdlet.GetAzureStorageTableCommand.WriteTablesWithStorageContext(IEnumerable`1 tableList)
at Microsoft.WindowsAzure.Commands.Storage.Table.Cmdlet.GetAzureStorageTableCommand.ExecuteCmdlet()
at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Request Information

RequestID:7b83f525-9002-0011-80a0-0b6c7f000000
RequestDate:Thu, 25 Feb 2021 18:04:08 GMT
StatusMessage:Forbidden
ErrorCode:
ErrorMessage:This request is not authorized to perform this operation.
RequestId:7b83f525-9002-0011-80a0-0b6c7f000000
Time:2021-02-25T18:04:08.4574077Z;
DEBUG: Finish sending metric.
DEBUG: 1:04:10 PM - GetAzureStorageTableCommand end processing.

hitting the URL in a browser works fine
using the same Table-level SAS Token against the REST API directly also works fine

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @wmengmsft, @MehaKaushik, @shurd, @anfeldma-ms

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @xgithubtriage.

Issue Details

---

Using AzTable 2.04

Sas Token was created 3 different ways

Azure Portal - right Click on Table "Get SAS Token"
Powershell New-AzStorageTableSASToken
Azure Storage Explorer
All three SAS Tokens created on the Table ALONE fail
Using a SAS Token on the ENTIRE STORAGE ACCOUNT Always works

Code is:
Import-Module -Name Az.Storage
Import-Module -Name Az.Resources
Import-Module -Name AzTable

$AzStorageAccount = "storage_accountname"
$TableName = 'TableName'
$TableSasToken ="?st=2021-02-25T15%3A40%3A11Z&se=2022-01-01T04%3A59%3A00Z&sp=raud&sv=2018-03-28&tn=TableName&sig=mysig"
$StorageCtx = New-AzStorageContext -StorageAccountName $AzStorageAccount -SasToken $TableSasToken
$Table = Get-AzStorageTable -Name $tableName -Context $StorageCtx

throws
Forbidden

DEBUG: 1:04:10 PM - GetAzureStorageTableCommand end processing, Start 7 remote calls. Finish 7 remote calls. Elapsed time 1538702.92 ms. Client operation id: Azure-Storage-PowerShell-ee008953-9bf3-4536-9ad2-74a5b8742830.

DEBUG: AzureQoSEvent: CommandName - Get-AzStorageTable; IsSuccess - False; Duration - 00:00:01.8729751;; Exception - Microsoft.Azure.Cosmos.Table.StorageException: Forbidden
at Microsoft.WindowsAzure.Commands.Storage.Model.Contract.StorageTableManagement.DoesTableExist(CloudTable table, TableRequestOptions requestOptions, OperationContext operationContext)
at Microsoft.WindowsAzure.Commands.Storage.Table.Cmdlet.GetAzureStorageTableCommand.d__12.MoveNext()
at Microsoft.WindowsAzure.Commands.Storage.Table.Cmdlet.GetAzureStorageTableCommand.WriteTablesWithStorageContext(IEnumerable`1 tableList)
at Microsoft.WindowsAzure.Commands.Storage.Table.Cmdlet.GetAzureStorageTableCommand.ExecuteCmdlet()
at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Request Information

RequestID:7b83f525-9002-0011-80a0-0b6c7f000000
RequestDate:Thu, 25 Feb 2021 18:04:08 GMT
StatusMessage:Forbidden
ErrorCode:
ErrorMessage:This request is not authorized to perform this operation.
RequestId:7b83f525-9002-0011-80a0-0b6c7f000000
Time:2021-02-25T18:04:08.4574077Z;
DEBUG: Finish sending metric.
DEBUG: 1:04:10 PM - GetAzureStorageTableCommand end processing.

hitting the URL in a browser works fine
using the same Table-level SAS Token against the REST API directly also works fine

Author:	gwalkey
Assignees:	-
Labels:	Service Attention, Storage, customer-reported, needs-triage, question
Milestone:	-

[blueww]

@gwalkey
You are using a table Service SAS (with tn=), which applies only to entity operations in a single table. See detail in following doc, you can see all table service sas permissions on only on entities.
https://docs.microsoft.com/en-us/rest/api/storageservices/create-service-sas#permissions-for-a-table

If you would like to use the Get-AzStorageTable cmdlet then consider using an Account SAS instead. Per you above comments, you should already get account sas work.

[gwalkey]

Let me recap 1) Account Level Token works with a) REST API b) Get-AzStorageTable (NOT THE RM Module, the AZ Module) (for some reason you are changing my request to using the RM module. Im not using the RM Module, im using AZ Module. See my Code Below) 2) Table-Level Token works fine in REST API, throws FORBIDDEN error with raud using Get-AzStorageTable this is the bug im reporting, obviously the Token is not the issue as it works with the REST API (Code Below) It doesnt work with Get-AzStorageTable cmdlet 3) I will NEVER have access to an account-level token, the Boss gave me this token and said make it work with Powershell

[gwalkey]

Ill make it clearer:

Get-AzStorageTable Fails with Table-Level SAS Token with ALL Permissions
$AzStorageAccount = "StorageAccountName"
$TableName = "TableName"
$TableSasToken = "?sp=raud&st=2021-02-24T18:07:07Z&se=2022-02-24T18:22:00Z&sv=2020-02-10&sig=SomeSig&tn=TableName"
$StorageCtx = New-AzStorageContext -StorageAccountName $AzStorageAccount -SasToken $TableSasToken
$Table = Get-AzStorageTable -Name $tableName -Context $StorageCtx
Get-AzTableRow -Table $Table.CloudTable

Succeeds with SAME TOKEN
$URI = "https://"+$AzStorageAccount+".table.core.windows.net/"+$TableName+$TableSasToken
$Now = (Get-Date).ToUniversalTime().toString('R')
$Headers = @{
'x-ms-date' = "$now"
'Accept' = 'application/json;odata=fullmetadata'
'Content-Type'= 'application/json'
}
$TableRows = Invoke-RestMethod -Method Get -Uri $URI -ContentType 'application/json' -Headers $Headers
$TableRows.value | select-object -property PartitionKey, RowKey, Timestamp | Out-GridView

[blueww]

@gwalkey

1. The cmdlet name should be "Get-AzStorageTable" ("Get-AzureStorageTable" is the old name, they actually do same thing)
2. Your rest API script runs success, since it only do inside table query, which the SAS has permission. The PSH script not work since "Get-AzStorageTable" will get table properties, which need account sas.
3. If you just need to create a table object with the SAS for following inside table query, you can run it from a table SAS Uri like following:

$tableSASUri = "https://[accountName].table.core.windows.net/[tableName]?sv=2017-07-29&tn=[tableName]&sig=[hidden]&se=2021-03-15T07%3A00%3A09Z&sp=raud"

$uri = [System.Uri]$tableSASUri
$CloudTable= New-Object -TypeName Microsoft.Azure.Cosmos.Table.CloudTable $uri 

Get-AzTableRow -Table $CloudTable

[gwalkey]

although you still misunderstand which cmdlet I am using ( NOT USING Get-AzureStorageTable), please read my code again
that worked!

Nowhere in MS Documentation is there an example of NOT using the AzModule and referencing the Cosmos Assembly Directly
(Isnt that the whole Idea of using Posh Modules)?

"3) If you just need to create a table object with the SAS for following inside table query, you can run it from a table SAS Uri like following:"

This doc needs your example showing how to do this using a Table-Level SAS Token ONLY:
https://docs.microsoft.com/en-us/azure/storage/tables/table-storage-how-to-use-powershell#retrieve-all-entities

thank you