Uploading blob with container client fails with auth error but succeeds with blob client when using Azure CDN

[JeffreyCA]

• Package Name: azure-storage-blob
• Package Version: 12.9.0
• Operating System: Windows 10
• Python Version: 3.10.2

Describe the bug
I have an Azure Storage account that is configured with an Azure CDN. When using BlobServiceClient with the account URL set to an Azure CDN, uploading a file using the container client fails with an authentication error, while it succeeds when using a blob client.

Both succeed when the account URL is set to the actual Storage Account URL.

To Reproduce
Steps to reproduce the behavior:

from azure.storage.blob import BlobServiceClient

edge_url = 'https://edgeaccount.azureedge.net'
storage_url = 'https://account.blob.core.windows.net'
service = BlobServiceClient(account_url=edge_url, credential={'account_name': 'abc', 'account_key': 'xyz'})

blob_client = service.get_blob_client('container', 'blobname')
container_client = service.get_container_client('container')

with open("./testfile", "rb") as stream:
    # This succeeds
    blob_client.upload_blob(stream, overwrite=True)
    # This fails with authentication error
    container_client.upload_blob('blobname', stream, overwrite=True)

Authentication error

authenticationerrordetail:The MAC signature found in the HTTP request '5dC3N7RcRW9V...' is not the same as any computed signature. Server used following string to sign: 'PUT


1

application/octet-stream






x-ms-blob-type:BlockBlob
x-ms-client-request-id:xxxx
x-ms-date:Mon, 21 Feb 2022 07:34:35 GMT
x-ms-version:2020-10-02
Content: <?xml version="1.0" encoding="utf-8"?><Error><Code>AuthenticationFailed</Code><Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed 
correctly including the signature.
RequestId:xxx
Time:2022-02-21T07:34:35.1058206Z</Message><AuthenticationErrorDetail>The MAC signature found in the HTTP request '5dC3N7RcRW9V...' is not the same as any computed 
signature. Server used following string to sign: 'PUT

Expected behavior
The container client should upload the blob successfully.

[jalauzon-msft]

Hi @JeffreyCA, thanks for reporting this. We will look into it and get back to you.

[jalauzon-msft]

Hi again @JeffreyCA, I have tried out your sample with an Azure CDN configured on a Storage Account and was not able to reproduce the auth error. Both the BlobClient and ContainerClient method worked as expected with no errors. I tried a couple different combinations of how the container was initially created, etc.

Is this a consistent or intermittent? Is there anything special (outside of default) configured on your Storage Account or CDN? I was testing with a pretty much default Storage Account and CDN configuration.

Could you share a recent request id from a failed request? I can look at it on the service side to see if that reveals anything. (The more recent, the better, since the service logs roll over fairly quickly, ~2 days)

[JeffreyCA]

Strange I cannot reproduce it anymore now, the uploads are succeeding again. My storage account is a Blob storage not the V2 one.

I did manage to save one request: d81ed268-301e-0068-63f7-263995000000

Content: <?xml version="1.0" encoding="utf-8"?><Error><Code>AuthenticationFailed</Code><Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
api_1          | RequestId:d81ed268-301e-0068-63f7-263995000000
api_1          | Time:2022-02-21T07:46:18.3875170Z</Message><AuthenticationErrorDetail>The MAC signature found in the HTTP request 'Ge9LF9U/IxrXWwnRDkxLL5+JCv/Sz2kGIbEmVG9SWR0=' is not the same as any computed signature. Server used following string to sign: 'PUT
api_1          |
api_1          |
api_1          | 109264
api_1          |
api_1          | application/octet-stream
api_1          |
api_1          |
api_1          |
api_1          |
api_1          |
api_1          |
api_1          | x-ms-blob-content-disposition:attachment
api_1          | x-ms-blob-content-type:audio/mpeg
api_1          | x-ms-blob-type:BlockBlob
api_1          | x-ms-client-request-id:5ab7e560-92ea-11ec-9174-0242ac120006
api_1          | x-ms-date:Mon, 21 Feb 2022 07:46:18 GMT
api_1          | x-ms-version:2020-10-02
api_1          | /spleeterweb/gpu/uploads/dd50891f-cd77-48f6-aef1-76f5d928cb20/a.mp3
api_1          | timeout:20'.</AuthenticationErrorDetail></Error>

[jalauzon-msft]

Hi @JeffreyCA Jeffery, unfortunately the service logs for this request have rolled over (I did check soon after you provided it). Are you able to reproduce the issue again and provide another request id? Thanks

[JeffreyCA]

Hi @JeffreyCA Jeffery, unfortunately the service logs for this request have rolled over (I did check soon after you provided it). Are you able to reproduce the issue again and provide another request id? Thanks

No I'm not able to reproduce it anymore

[jalauzon-msft]

@JeffreyCA so the issue is no longer happening and requests to the CDN endpoint are working as expected now?

If that is the case, I would probably say this was an intermittent issue with the service. Perhaps it took longer than expected for your CDN settings to take affect or there was a problem on the backend that got resolved.

[jalauzon-msft]

Looks like this may have been a service issue that recovered. I'm going to close this but please feel free to re-open if this reoccurs. Thanks.