Azure Gallery Apps The SAS is not valid for source uri (Code: InvalidParameter)

Jody Whitlock 5 Reputation points
2024-08-31T03:20:34.7+00:00

I just can't seem to work this out. I have a Storage Account that has anonymous access disabled. I have MSIs and EXEs on there that I am wanting to use the Azure Compute Gallery to deploy to the Azure VMs. So, I'm using both the portal and the Azure Storage Explorer desktop app to get the SAS URI for a particular MSI. When I use this as the package source in my VM Application package, all I get is "The SAS is not valid for source uri (Code: InvalidParameter)".

Now remember, I'm using Microsoft's own tools to create the URI, I'm not hand managing it. I even used the browse function to locate the package source in the portal, and that even appended a SAS token string to the end of the URI, and it matches what I was given in both the portal and the Azure Storage Explorer for the SAS token, so I am really confused on what parameter is invalid since there's no additional error details to have.

One thing is that the message shows the URI but without the SAS token, so I'm not sure if it's being stripped or not, but I built a Bicep template and still get the exact same error, so there's something somewhere I'm missing in all of this.

The URI does match all the various documentation:

https://


1 answer

  1. amon 126 Reputation points Microsoft Employee
    2024-09-01T12:08:37.64+00:00

    Hey @Jody Whitlock

    Hopefully you already solved your issue, but I will add an answer here in case anybody else faces the same issue.

    For clarification, the target here is to create a VM Application.
    While creating an app, you need to specify the link to the application bundle which is stored in a storage account.
    To give access to your Compute Gallery to download the application bundle, you need to provide it access, and the recommended way of providing access to files stored in Azure Blob storage is with a User Delegated SAS token.

    There are two important things to note here:

    1. User Delegated SAS Tokens are exactly as they sound - "A user delegation SAS is secured with Microsoft Entra credentials and also by the permissions specified for the SAS". This means that the user creating the token must first have access to the blob the token is generated for.
    2. Even if you have permissions to see the Storage Account resource, you don't necessarily have permissions to read the data plane. Read more about the difference between control and data plane here.

    One interesting thing to note, even if the user does not have permissions to read the blob data, this won't prevent the user from creating the SAS token, because the user still has access to the control plane :O

    So, in summary:

    1. Based on the provided SAS token structure in the question, the token created was a user token
    2. Based on the error, the user did not have sufficient data plane permissions.

    To solve this issue, you have two options:

    1. Grant the user data plane permissions on the blob, such permissions could be: Storage Blob Data Reader
    2. Generate the token using the storage Account Key (not recommended)
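The following script is an added example; it is not code from the question or the answer above. It does two things the answer implies but does not show: it classifies a SAS URL offline (a user delegation SAS carries the signed-key `skoid`/`sktid`/`skt`/`ske` fields, an account SAS carries `ss`/`srt`, anything else with a `sig` is a service SAS signed with the account key) and checks that the token grants read and has not expired; then, as the online workflow, it grants the signing identity Storage Blob Data Reader, issues a user delegation SAS with the Azure CLI, probes the URL with a HEAD request before handing it to the gallery, and registers the VM Application version. The storage account, container, blob, gallery and application names are placeholders, the sample SAS URLs are constructed with `sig=REDACTED`, and the online part assumes a logged-in Azure CLI, curl and GNU date.

```shell
#!/usr/bin/env bash
# Added example (not from the post): offline SAS checks plus the az CLI
# workflow for a VM Application package. Names in the deploy section are
# placeholders; the sample URLs below are constructed, with sig=REDACTED.
set -eu

# Value of one query parameter of a SAS URL (empty if absent); decodes %3A so
# that portal-issued timestamps compare like the CLI-issued ones.
sas_param() {
  local query=${1#*\?}
  printf '%s\n' "$query" | tr '&' '\n' | sed -n "s/^$2=//p" | sed 's/%3[Aa]/:/g'
}

# Classify the SAS by its signature fields: user delegation (skoid/sktid/skt/
# ske/sks/skv), account SAS (ss/srt), or a service SAS signed with the key.
sas_kind() {
  local query=${1#*\?}
  case "&$query&" in
    *"&skoid="*) echo "user-delegation" ;;
    *"&srt="*)   echo "account" ;;
    *"&sig="*)   echo "service-key" ;;
    *)           echo "none" ;;
  esac
}

# ISO-8601 timestamps compare correctly as strings in the C locale.
later_than_now() {
  local now; now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  [ "$(printf '%s\n%s\n' "$now" "$1" | LC_ALL=C sort | tail -n 1)" = "$1" ] && [ "$1" != "$now" ]
}

# Offline sanity checks before the URL goes into --package-file-link.
# Prints the first problem found and returns 1; returns 0 if nothing is wrong.
sas_check() {
  local kind sp se
  kind=$(sas_kind "$1"); sp=$(sas_param "$1" sp); se=$(sas_param "$1" se)
  if [ "$kind" = "none" ]; then echo "no SAS token on URL"; return 1; fi
  case "$sp" in *r*) ;; *) echo "sp=$sp does not grant read (r)"; return 1 ;; esac
  if ! later_than_now "$se"; then echo "se=$se is missing or in the past"; return 1; fi
  return 0
}

# Constructed sample URLs (not real tokens).
BASE="https://contoso.blob.core.windows.net/packages/app.msi"
SKT="skoid=11111111-1111-1111-1111-111111111111&sktid=22222222-2222-2222-2222-222222222222&skt=2024-09-01T00:00:00Z&ske=2099-01-01T00:00:00Z&sks=b&skv=2022-11-02"
GOOD_SAS="$BASE?sp=r&st=2024-09-01T00:00:00Z&se=2099-01-01T00:00:00Z&$SKT&spr=https&sv=2022-11-02&sr=b&sig=REDACTED"
KEY_SAS="$BASE?sp=r&st=2024-09-01T00:00:00Z&se=2099-01-01T00:00:00Z&spr=https&sv=2022-11-02&sr=b&sig=REDACTED"
EXPIRED_SAS="$BASE?sp=r&se=2020-01-01T00:00:00Z&$SKT&sv=2022-11-02&sr=b&sig=REDACTED"
NOREAD_SAS="$BASE?sp=w&se=2099-01-01T00:00:00Z&$SKT&sv=2022-11-02&sr=b&sig=REDACTED"

for url in "$GOOD_SAS" "$KEY_SAS" "$EXPIRED_SAS" "$NOREAD_SAS"; do
  printf '%-16s ' "$(sas_kind "$url")"
  if sas_check "$url"; then echo "offline checks pass"; fi
done

# --- Online workflow (placeholders; run as: ./sas-check.sh deploy) ---
RG=${RG:-rg-apps} ACCOUNT=${ACCOUNT:-contosopkgs} CONTAINER=${CONTAINER:-packages} BLOB=${BLOB:-app.msi}
GALLERY=${GALLERY:-myGallery} APP=${APP:-myApp} LOCATION=${LOCATION:-westeurope}

grant_reader() {   # data-plane read for the signing identity, scoped to the container
  az role assignment create --role "Storage Blob Data Reader" \
    --assignee-object-id "$(az ad signed-in-user show --query id -o tsv)" --assignee-principal-type User \
    --scope "$(az storage account show -g "$RG" -n "$ACCOUNT" --query id -o tsv)/blobServices/default/containers/$CONTAINER"
}

issue_sas() {      # user delegation SAS: --auth-mode login plus --as-user (GNU date assumed)
  az storage blob generate-sas --account-name "$ACCOUNT" -c "$CONTAINER" -n "$BLOB" \
    --permissions r --https-only --as-user --auth-mode login --full-uri -o tsv \
    --expiry "$(date -u -d '+7 days' +%Y-%m-%dT%H:%MZ)"
}

probe_sas() {      # a delegation SAS issued by a user without data-plane rights fails here, not at creation
  local code; code=$(curl -sS -o /dev/null -w '%{http_code}' -I "$1")
  [ "$code" = "200" ] || { echo "HEAD returned $code:"; curl -sSI "$1" | grep -i '^x-ms-error-code' || true; return 1; }
}

create_version() { # register the package only after the SAS has been proven usable
  az sig gallery-application version create -g "$RG" --gallery-name "$GALLERY" --application-name "$APP" \
    --version-name 1.0.0 --location "$LOCATION" --package-file-link "$1" --package-file-name "$BLOB" \
    --install-command "msiexec /i $BLOB /qn" --remove-command "msiexec /x $BLOB /qn"
}

if [ "${1-}" = "deploy" ]; then
  grant_reader
  SAS_URL=$(issue_sas)
  sas_check "$SAS_URL"
  probe_sas "$SAS_URL"
  create_version "$SAS_URL"
fi
```

The probe is the step that catches the situation the answer describes: the SAS is created without complaint, but a HEAD request with it returns 403 with `x-ms-error-code: AuthorizationPermissionMismatch` when the user who signed it has no data-plane read on the blob, and the gallery then rejects the URL as an invalid parameter. The role assignment can take a minute or two to propagate, so re-run the probe before assuming the token itself is wrong.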
