LarryBilodeau-9315 asked AlexB-7702 edited

Problem using http connector in logic app to append to blob

I have created a logic app with 3 actions: the first is the HTTP request trigger, the second is the Key Vault connector (to get the blob container access key stored there), and then this action below based on the Append Blob REST API (https://docs.microsoft.com/en-us/rest/api/storageservices/append-block)

[Image: 55544-logicapphttp-action.png]

Problem is I get the following 403 error and I'm not sure what to do about it:

<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthenticationFailed</Code><Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
RequestId:14e3f479-e01e-0038-5082-e84210000000
Time:2021-01-12T01:30:47.4593101Z</Message><AuthenticationErrorDetail>The MAC signature found in the HTTP request '54n9b2vXttNR7y7g4T0yz3UnWLRJHpQWentMpJt1eXrdLB9iU9T7CwUziLcQKGCedkpTh5uzDRZ19OdOG6zWbw==' is not the same as any computed signature. Server used following string to sign: 'PUT


292

application/json; charset=utf-8
Tue, 12 Jan 2021 01:30:47 GMT





x-ms-action-tracking-id:f582d583-5f32-41aa-8c43-fb8150148c2e
x-ms-activity-vector:IN.08
x-ms-client-request-id:f8b2560d-2e2a-4b98-8448-c2ac5a78e148
x-ms-client-tracking-id:08585911918384737868179566486CU00
x-ms-correlation-id:f8b2560d-2e2a-4b98-8448-c2ac5a78e148
x-ms-execution-location:westus2
x-ms-tracking-id:f8b2560d-2e2a-4b98-8448-c2ac5a78e148
x-ms-version:2020-04-08
x-ms-workflow-id:408a017c6fe6462faf346488b17e9436
x-ms-workflow-name:TLS_logging_endpoint
x-ms-workflow-operation-name:HTTP
x-ms-workflow-resourcegroup-name:TLS_violation_log
x-ms-workflow-run-id:
x-ms-workflow-run-tracking-id:
x-ms-workflow-subscription-id:
x-ms-workflow-system-id:/locations/westus2/scaleunits/prod-10/workflows/408a017c6fe6462faf346488b17e9436
x-ms-workflow-version:08585911921323974530
/cspreport2/cspreports/csp.report.json
comp:appendblock'.</AuthenticationErrorDetail></Error>

Another question I have is: Does there exist a "dynamic value" for the content length from the trigger http request?





PramodValavala-MSFT answered

The access key isn't meant to be used directly. You must use it to encode the request signature string which is sent in the request.

Since this wouldn't be ideal to construct in logic apps itself, you could switch to using Azure AD based Authentication instead. You could leverage the HTTP with Azure AD Connector to automatically fetch the tokens as required.
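How the access key is turned into a request signature, as an added example that is not part of the original answer: it builds the string-to-sign in the layout shown in the error message above and signs it with HMAC-SHA256 under the base64-decoded key. The key is a constructed value, the request is the failing one reduced to four of its headers, and the `cspreport2` host name is an assumption inferred from the canonicalized resource in the error.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Standard headers, in the fixed order the Blob service places them in the string-to-sign.
SIGNED = ["Content-Encoding", "Content-Language", "Content-Length", "Content-MD5",
          "Content-Type", "Date", "If-Modified-Since", "If-Match",
          "If-None-Match", "If-Unmodified-Since", "Range"]


def string_to_sign(method, url, headers, account):
    h = {k.lower(): v.strip() for k, v in headers.items()}
    lines = [method.upper()]
    for name in SIGNED:
        value = h.get(name.lower(), "")
        # Since version 2015-02-21 a zero Content-Length is signed as an empty field.
        lines.append("" if (name == "Content-Length" and value == "0") else value)
    # CanonicalizedHeaders: every x-ms-* header, lower-cased and sorted, as name:value.
    lines += [f"{k}:{v}" for k, v in sorted(h.items()) if k.startswith("x-ms-")]
    # CanonicalizedResource: /account/path, then query parameters as name:value lines.
    parts = urlsplit(url)
    resource = f"/{account}{parts.path}"
    for k, vals in sorted(parse_qs(parts.query, keep_blank_values=True).items()):
        resource += f"\n{k.lower()}:{','.join(sorted(vals))}"
    return "\n".join(lines + [resource])


def shared_key_header(account, key_b64, method, url, headers):
    key = base64.b64decode(key_b64)  # the stored key is base64; HMAC uses the raw bytes
    mac = hmac.new(key, string_to_sign(method, url, headers, account).encode("utf-8"),
                   hashlib.sha256).digest()
    return f"SharedKey {account}:{base64.b64encode(mac).decode()}"


# Constructed inputs: a made-up key, and the request from the error above reduced to
# four of its headers (account name taken from its canonicalized resource).
DEMO_KEY = base64.b64encode(b"constructed-demo-key-not-a-secret").decode()
DEMO_URL = "https://cspreport2.blob.core.windows.net/cspreports/csp.report.json?comp=appendblock"
DEMO_HEADERS = {
    "Content-Length": "292",
    "Content-Type": "application/json; charset=utf-8",
    "Date": "Tue, 12 Jan 2021 01:30:47 GMT",
    "x-ms-version": "2020-04-08",
}

if __name__ == "__main__":
    print(string_to_sign("PUT", DEMO_URL, DEMO_HEADERS, "cspreport2"))
    print(shared_key_header("cspreport2", DEMO_KEY, "PUT", DEMO_URL, DEMO_HEADERS))
```

An HMAC-SHA256 signature is 32 bytes, so the value after the colon is always 44 base64 characters; the 88-character value quoted in the error above cannot be the output of this computation.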



AlexB-7702 answered AlexB-7702 edited

You may have already solved your issue; however, I'll share how I managed to do this for the sake of others, after having trawled articles for hours and eventually resorting to a support call, for which I was very grateful to the MS Engineer that helped me.

I was using a managed identity associated with the logic app and given Blob Contributor role to read, write and delete within the required storage account.

Where I went wrong:
I had manually created an append blob and uploaded it to the container within the storage account and, like the original poster above, was specifying the Content-Length. I kept getting InvalidHeaderValue with the Content-Length being indicated within the error message.

What I needed to do was to create the append blob using:
Method: PUT
x-ms-blob-type: AppendBlob
Content-Length: 0
x-ms-date: a UTC date formatted like this: "Sat, 27 Mar 2021 09:39:44 GMT"
x-ms-version: 2019-07-07
Authentication type: Managed identity
Managed identity: System-assigned managed identity
Audience: https://storage.azure.com

Then append to the newly created blob (same as appending to an existing append blob) using:
Method: PUT
URI: put ?comp=appendblock at the end of the URI (NB: no need to specify the Content-Length)
x-ms-blob-type: AppendBlob
x-ms-date: a UTC date formatted like this: "Sat, 27 Mar 2021 09:39:44 GMT"
x-ms-version: 2019-07-07
Body: put content here
Authentication type: Managed identity
Managed identity: System-assigned managed identity
Audience: https://storage.azure.com

Because I wanted to automate this, I needed to be able to determine if the append blob already existed and whether to create it or append to it. I put a scope action in the logic app and used a GET Http connector basing the Uri on the day's date.
NB. I used x-ms-version: 2019-02-02 for the GET because this worked for using managed identity.

The next action after the GET was an HTTP PUT action to append to the existing blob as mentioned above, because if the GET was successful then the blob already exists.

Outside of the scope I used a condition which was configured to run if the scope failed.
The condition tested the status of the GET and the error returned:
outputs('name of HTTP Get action')['statusCode'] = 404
outputs('name of HTTP Get action')['headers']['x-ms-error-code'] = BlobNotFound

If True, then as mentioned above, create the append blob and then append to it.
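The check, create and append sequence described in this answer, written out as an added Python example (not the poster's Logic App and not Microsoft code). The `send` transport, the `token` parameter (a bearer token issued for the https://storage.azure.com audience) and the `FakeStore` stand-in are hypothetical names introduced here so the flow runs offline.

```python
from email.utils import formatdate


def headers_for(token, version, **extra):
    # x-ms-date uses the RFC 1123 form quoted in the answer, e.g. "Sat, 27 Mar 2021 09:39:44 GMT".
    return {"Authorization": f"Bearer {token}", "x-ms-date": formatdate(usegmt=True),
            "x-ms-version": version, **extra}


def append_to_daily_blob(send, blob_url, token, body):
    """Run the check/create/append sequence; returns the (method, url) calls made.

    send(method, url, headers, body) -> (status, response_headers) is a hypothetical
    transport; token stands for a bearer token issued for https://storage.azure.com.
    """
    calls = []

    def call(method, url, headers, data=b""):
        calls.append((method, url))
        return send(method, url, headers, data)

    status, resp = call("GET", blob_url, headers_for(token, "2019-02-02"))
    if status == 404 and resp.get("x-ms-error-code") == "BlobNotFound":
        # Create an empty append blob: no body, Content-Length 0.
        created, _ = call("PUT", blob_url, headers_for(
            token, "2019-07-07", **{"x-ms-blob-type": "AppendBlob", "Content-Length": "0"}))
        if created != 201:
            raise RuntimeError(f"create failed: {created}")
    elif status != 200:
        # Any other failure (for example 403) is not "blob missing": do not create.
        raise RuntimeError(f"existence check failed: {status}")
    appended, _ = call("PUT", blob_url + "?comp=appendblock", headers_for(
        token, "2019-07-07", **{"x-ms-blob-type": "AppendBlob"}), body)
    if appended != 201:
        raise RuntimeError(f"append failed: {appended}")
    return calls


class FakeStore:
    """Constructed in-memory stand-in for the Blob service, for offline runs only."""
    def __init__(self):
        self.blobs = {}

    def __call__(self, method, url, headers, body):
        name, _, query = url.partition("?")
        if method == "GET" or query == "comp=appendblock":
            if name not in self.blobs:
                return 404, {"x-ms-error-code": "BlobNotFound"}
            self.blobs[name] += body
            return (200 if method == "GET" else 201), {}
        self.blobs[name] = b""  # Put Blob with x-ms-blob-type: AppendBlob
        return 201, {}
```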
