Problem using http connector in logic app to append to blob

Anonymous
2021-01-12T01:36:00.38+00:00

I have created a logic app with 3 actions: the first is the HTTP request trigger, the second is the Key Vault connector (to get the blob container access key stored there), and then this action below based on the Append Blob REST API (https://learn.microsoft.com/en-us/rest/api/storageservices/append-block)

[Image: 55544-logicapphttp-action.png]

Problem is I get the following 403 error and I'm not sure what to do about it:

```
<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthenticationFailed</Code><Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
RequestId:14e3f479-e01e-0038-5082-e84210000000
Time:2021-01-12T01:30:47.4593101Z</Message><AuthenticationErrorDetail>The MAC signature found in the HTTP request '54n9b2vXttNR7y7g4T0yz3UnWLRJHpQWentMpJt1eXrdLB9iU9T7CwUziLcQKGCedkpTh5uzDRZ19OdOG6zWbw==' is not the same as any computed signature. Server used following string to sign: 'PUT

292

application/json; charset=utf-8
Tue, 12 Jan 2021 01:30:47 GMT

x-ms-action-tracking-id:f582d583-5f32-41aa-8c43-fb8150148c2e
x-ms-activity-vector:IN.08
x-ms-client-request-id:f8b2560d-2e2a-4b98-8448-c2ac5a78e148
x-ms-client-tracking-id:08585911918384737868179566486CU00
x-ms-correlation-id:f8b2560d-2e2a-4b98-8448-c2ac5a78e148
x-ms-execution-location:westus2
x-ms-tracking-id:f8b2560d-2e2a-4b98-8448-c2ac5a78e148
x-ms-version:2020-04-08
x-ms-workflow-id:408a017c6fe6462faf346488b17e9436
x-ms-workflow-name:TLS_logging_endpoint
x-ms-workflow-operation-name:HTTP
x-ms-workflow-resourcegroup-name:TLS_violation_log
x-ms-workflow-run-id:
x-ms-workflow-run-tracking-id:
x-ms-workflow-subscription-id:
x-ms-workflow-system-id:/locations/westus2/scaleunits/prod-10/workflows/408a017c6fe6462faf346488b17e9436
x-ms-workflow-version:08585911921323974530
/cspreport2/cspreports/csp.report.json
comp:appendblock'.</AuthenticationErrorDetail></Error>
```

**Another question I have is: Does there exist a "dynamic value" for the content length from the trigger HTTP request?**


2 answers

  1. Pramod Valavala 20,516 Reputation points Microsoft Employee
    2021-01-12T10:01:57.767+00:00

    The access key isn't meant to be used directly. You must use it to encode the request signature string which is sent in the request.

    Since this wouldn't be ideal to construct in logic apps itself, you could switch to using Azure AD based Authentication instead. You could leverage the HTTP with Azure AD Connector to automatically fetch the tokens as required.

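The signature construction this answer refers to, as an added Python example (not part of the original thread and not Microsoft's code): it rebuilds the string-to-sign in the layout the error message above prints and signs it with HMAC-SHA256. The account, path and header values are taken from that error; the access key and the `demo` helper are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Standard-header slots of the Blob service Shared Key string-to-sign, in order.
STANDARD_HEADERS = [
    "content-encoding", "content-language", "content-length", "content-md5",
    "content-type", "date", "if-modified-since", "if-match", "if-none-match",
    "if-unmodified-since", "range",
]

def string_to_sign(method, account, path, query, headers):
    h = {k.lower(): v.strip() for k, v in headers.items()}
    lines = [method.upper()]
    for name in STANDARD_HEADERS:
        value = h.get(name, "")
        # A zero Content-Length is signed as an empty slot (service version 2015-02-21+).
        lines.append("" if (name == "content-length" and value == "0") else value)
    # Every x-ms-* header on the wire is signed, sorted by lowercase name.
    lines += [f"{k}:{h[k]}" for k in sorted(h) if k.startswith("x-ms-")]
    # Canonicalized resource: /account/path, then query parameters sorted by name.
    lines.append(f"/{account}{path}")
    lines += [f"{k.lower()}:{v}" for k, v in sorted(query.items())]
    return "\n".join(lines)

def shared_key_header(account, key_b64, sts):
    key = base64.b64decode(key_b64)  # the access key is Base64; HMAC uses the decoded bytes
    mac = hmac.new(key, sts.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {account}:{base64.b64encode(mac).decode()}"

def demo(extra_headers=None):
    # Header values copied from the error above; the key is constructed, not a real one.
    headers = {
        "Content-Length": "292",
        "Content-Type": "application/json; charset=utf-8",
        "Date": "Tue, 12 Jan 2021 01:30:47 GMT",
        "x-ms-version": "2020-04-08",
        "x-ms-workflow-name": "TLS_logging_endpoint",
    }
    headers.update(extra_headers or {})
    sts = string_to_sign("PUT", "cspreport2", "/cspreports/csp.report.json",
                         {"comp": "appendblock"}, headers)
    constructed_key = base64.b64encode(bytes(range(64))).decode()
    return sts, shared_key_header("cspreport2", constructed_key, sts)

if __name__ == "__main__":
    sts, auth = demo()
    print(sts)
    print("Authorization:", auth)
```

A valid signature is 32 bytes, which is 44 Base64 characters; the value rejected in the error above is 88 characters long. Because every `x-ms-workflow-*` header the runtime adds is part of the signed string, the signer has to know those values before the request is sent.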

  2. Alex B 1 Reputation point
    2021-03-27T09:52:53.273+00:00

    You may have already solved your issue, however I'll share how I managed to do this for the sake of others after having trawled articles for hours and eventually resorting to a support call, of which I was very grateful to the MS Engineer that helped me.

    I was using a managed identity associated with the logic app and given Blob Contributor role to read, write and delete within the required storage account.

    Where I went wrong:
    I had manually created an append blob and uploaded it to the container within the storage account and, like the original poster above, was specifying the Content-Length. I kept getting InvalidHeaderValue with the Content-Length being indicated within the error message.

    What I needed to do was to create the append blob using:
    - Method: PUT
    - "x-ms-blob-type": "AppendBlob"
    - Content-Length: 0
    - x-ms-date: format UTC date like this "Sat, 27 Mar 2021 09:39:44 GMT"
    - x-ms-version: 2019-07-07
    - Authentication type: Managed identity
    - Managed identity: System-assigned managed identity
    - Audience: https://storage.azure.com

    Then append to the newly created blob (same as appending to an existing append blob) using:
    - Method: PUT
    - at the end of the uri put ?comp=appendblock (NB. no need to specify the Content-Length)
    - "x-ms-blob-type": "AppendBlob"
    - x-ms-date: format UTC date like this "Sat, 27 Mar 2021 09:39:44 GMT"
    - x-ms-version: 2019-07-07
    - body: put content here
    - Authentication type: Managed identity
    - Managed identity: System-assigned managed identity
    - Audience: https://storage.azure.com

    Because I wanted to automate this, I needed to be able to determine if the append blob already existed and whether to create it or append to it. I put a scope action in the logic app and used a GET Http connector basing the Uri on the day's date.
    NB. I used x-ms-version: 2019-02-02 for the GET because this worked for using managed identity.

    The next action after the GET was an HTTP PUT action to append to the existing blob as mentioned above, because if the GET was successful then the blob already exists.

    Outside of the scope I used a condition which was configured to run if the scope failed.
    The condition tested the status of the GET and the error returned:
    outputs('name of HTTP Get action')['statusCode'] = 404
    outputs('name of HTTP Get action')['headers']['x-ms-error-code'] = BlobNotFound

    If True, then as mentioned above, create the append blob and then append to it.

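The create-or-append flow described in this answer, as an added Python example (not the poster's Logic App and not Microsoft's code). `send` is a hypothetical transport that would attach the managed-identity token for audience https://storage.azure.com, and `FakeStore` is a constructed in-memory stand-in so the logic runs offline; the blob URL in any call is likewise constructed.

```python
from email.utils import formatdate

def _hdrs(version, extra=None):
    # x-ms-date in the form the answer shows, e.g. "Sat, 27 Mar 2021 09:39:44 GMT"
    return {"x-ms-date": formatdate(usegmt=True), "x-ms-version": version, **(extra or {})}

def append_to_blob(send, blob_url, data):
    """Create the append blob if missing, then append `data`.
    send(method, url, headers, body) -> (status, response_headers)  [hypothetical]"""
    steps = []
    status, resp = send("GET", blob_url, _hdrs("2019-02-02"), None)
    steps.append(("get", status))
    if status == 404 and resp.get("x-ms-error-code") == "BlobNotFound":
        # Only this exact failure means "create it"; a 403 or 5xx must not.
        create = _hdrs("2019-07-07", {"x-ms-blob-type": "AppendBlob", "Content-Length": "0"})
        status, _ = send("PUT", blob_url, create, b"")
        steps.append(("create", status))
        if status != 201:
            raise RuntimeError(f"create failed with HTTP {status}")
    elif status != 200:
        raise RuntimeError(f"existence check failed with HTTP {status}")
    # No Content-Length here, as the answer notes; the HTTP client derives it from the body.
    append = _hdrs("2019-07-07", {"x-ms-blob-type": "AppendBlob"})
    status, _ = send("PUT", blob_url + "?comp=appendblock", append, data)
    steps.append(("append", status))
    if status != 201:
        raise RuntimeError(f"append failed with HTTP {status}")
    return steps

class FakeStore:
    """Constructed in-memory stand-in for the storage account."""
    def __init__(self, get_override=None):
        self.blobs = {}
        self.get_override = get_override  # force a GET status, e.g. 403

    def send(self, method, url, headers, body):
        name, _, query = url.partition("?")
        if method == "GET":
            if self.get_override:
                return self.get_override, {"x-ms-error-code": "AuthorizationPermissionMismatch"}
            if name in self.blobs:
                return 200, {}
            return 404, {"x-ms-error-code": "BlobNotFound"}
        if query == "comp=appendblock":
            self.blobs[name] += body
            return 201, {}
        self.blobs[name] = b""  # Put Blob with Content-Length 0 creates an empty append blob
        return 201, {}
```

Checking both the 404 status and the `BlobNotFound` code keeps an authorization failure on the GET from being treated as "blob missing" and triggering a create.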