
Unable to generate a valid Azure Storage SAS token in Cpp

I have tried several methods, but they all give the same error when creating a SAS token programatically.

version="1.0" encoding="utf-8"?><Error><Code>AuthenticationFailed</Code><Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. RequestId:32b24722-801e-0024-1e9c-3b3c1d000000 Time:2024-11-20T22:36:21.0299082Z</Message><AuthenticationErrorDetail>Signature fields not well formed.</AuthenticationErrorDetail></Error>

Of course, this all works when using a SAS token generated in the portal. I have a (working) storage account and container and the containers key (I assume this is base64 encoded and needs to be decoded prior to signing).

bool downloadFile(const std::string& blobName, const std::string& localFilePath) {
        if (!m_curl) {
            std::cerr << "Failed to initialize cURL" << std::endl;
            return false;

        // Generate SAS token just before the file download
        //IotHubHelpers iotHubHelper;
        std::string resourceUri = m_storage_account + "" + m_container_name + "/" + blobName;
        std::string account_key = "Only Half the eyJBuYU2S2G99MDFfb5K6aGRrZJRdAlonKchD+AStQfq0Ig==";  // Your container access key
        std::string start_time = "2024-11-19T19:21:22Z";
        std::string expiry_time = "2028-11-20T03:21:22Z";
        std::string permissions = "rwdlacupiyx";

         std::string sasToken = generate_blob_sas_token(
            account_key //,

        if (sasToken.empty()) {
            std::cerr << "Error: Failed to generate SAS token." << std::endl;
            return false;

        std::cout << "SAS Token: " << sasToken << std::endl;

        // Construct URL with SAS token
        std::string url = "https://" + resourceUri + "?" + sasToken;
        std::cout << "Downloading from URL: " << url << std::endl;

        // Open the file stream in binary mode
        std::ofstream outFile(localFilePath, std::ios::binary);
        if (!outFile) {
            std::cerr << "Failed to open file for writing: " << localFilePath << std::endl;
            return false;

        // Set cURL options
        curl_easy_setopt(m_curl, CURLOPT_URL, url.c_str());
        curl_easy_setopt(m_curl, CURLOPT_WRITEFUNCTION, writeData);
        curl_easy_setopt(m_curl, CURLOPT_WRITEDATA, &outFile);
        curl_easy_setopt(m_curl, CURLOPT_SSL_VERIFYPEER, 1L);
        curl_easy_setopt(m_curl, CURLOPT_SSL_VERIFYHOST, 2L);

        CURLcode res = curl_easy_perform(m_curl);
        if (res != CURLE_OK) {
            std::cerr << "cURL error: " << curl_easy_strerror(res) << std::endl;
            return false;

        return true;

This is the Token generator, where I cant replicate a token from Azure Portal.

std::string generate_blob_sas_token(const std::string& key) {
        const std::string canonicalizedResource = "/blob/fotacontainer/fota/testfile.txt";

        std::vector<std::pair<std::string, std::string>> sas_token_properties = {
            {"sp", "r"},
            {"st", "2024-11-19T19:21:22Z"}, //get_utc_time(-120)},
            {"se", "2025-11-19T19:21:22Z"}, //get_utc_time(1440)},
            {"canonicalizedResource", canonicalizedResource},
            {"si", ""},
            {"sip", ""},
            {"spr", "https"},
            {"sv", "2023-01-03"},
            {"sr", "b"},
            {"sst", ""},
            {"ses", ""},
            {"rscc", ""},
            {"rscd", ""},
            {"rsce", ""},
            {"rscl", ""},
            {"rsct", ""}

        std::vector<std::string> values;
        for (const auto& entry : sas_token_properties) {

        std::string string_to_sign = join_with_newline(values);
        std::cout << string_to_sign << std::endl;

        // The keys we get from the storage account are base64 encoded, so we need to decode them first
        std::string decoded_key = base64_decode(key);
        unsigned char* digest = HMAC(EVP_sha256(),, decoded_key.size(),
                                     reinterpret_cast<const unsigned char*>(, string_to_sign.size(), nullptr, nullptr);

        std::string signature = base64_encode(digest, SHA256_DIGEST_LENGTH);

        std::vector<std::string> parameters;
        for (const auto& entry : sas_token_properties) {
            if (!entry.second.empty() && entry.first != "canonicalizedResource") {
                parameters.push_back(entry.first + "=" + url_encode(entry.second));
        parameters.push_back("sig=" + url_encode(signature));

        return join(parameters, "&");

Using the code above (needs cleanup, yes), I get the error message

<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthenticationFailed</Code><Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. RequestId:32b24722-801e-0024-1e9c-3b3c1d000000 Time:2024-11-20T22:36:21.0299082Z</Message><AuthenticationErrorDetail>Signature fields not well formed.</AuthenticationErrorDetail></Error> I must be missing something basic in the algorithm to assemble and generate the SAS Token. I've read the docs, and looking online. still no solution I can find.


    You can use the below code to generate Azure blob sas token using cpp with crypto library.


    #include <iostream>
    #include <iomanip>
    #include <sstream>
    #include <ctime>
    #include <string>
    #include <cryptopp/cryptlib.h>
    #include <cryptopp/hex.h>
    #include <cryptopp/hmac.h>
    #include <cryptopp/sha.h>
    #include <cryptopp/base64.h>
    #include <cryptopp/filters.h>
    #include <cctype>
    #include <iomanip>
    using namespace CryptoPP;
    std::string GenerateSas(const std::string& storageAccountKey, const std::string& input) {
        std::string decodedKey;
        StringSource(storageAccountKey, true, new Base64Decoder(new StringSink(decodedKey)));
        // Create HMAC-SHA256 signature
        std::string digest;
        HMAC<SHA256> hmac((const byte*), decodedKey.size());
        StringSource(input, true,
            new HashFilter(hmac, new StringSink(digest))); // Compute HMAC digest
        // Encode the digest to Base64
        std::string encodedDigest;
        StringSource(digest, true, new Base64Encoder(new StringSink(encodedDigest), false));
        encodedDigest.erase(std::remove(encodedDigest.begin(), encodedDigest.end(), '\n'), encodedDigest.end());
        return encodedDigest; 
    std::string TimePointToString(const std::chrono::seconds& timePoint) {
        std::time_t t = timePoint.count();
        std::tm tm{};
        gmtime_s(&tm, &t);
        std::ostringstream oss;
        oss << std::put_time(&tm, "%Y-%m-%dT%H:%M:%SZ");
        return oss.str();
    // URL encode function
    std::string UrlEncode(const std::string& str) {
        std::ostringstream escaped;
        for (char c : str) {
            if (std::isalnum(c) || c == '-' || c == '_' || c == '.' || c == '~') {
                escaped << c;
            else {
                escaped << '%' << std::setw(2) << std::setfill('0') << std::hex << (int)(unsigned char)c;
        return escaped.str();
    // Function to generate SAS token
    void GenerateSasToken(const std::string& blobName, const std::string& accessKey, const std::string& containerName) {
        // Define SAS token parameters
        auto currentTime = std::chrono::system_clock::now();
        auto currentTimeSeconds = std::chrono::duration_cast<std::chrono::seconds>(currentTime.time_since_epoch());
        auto expirationTime = currentTimeSeconds + std::chrono::minutes(120);
        // Convert time to ISO 8601 format
        std::string signedStart = TimePointToString(currentTimeSeconds);
        std::string signedExpiry = TimePointToString(expirationTime);
        // Define other SAS parameters
        std::string signedPermissions = "rwl";
        std::string signedService = "b"; // 'b' for blob
        std::string signedProtocol = "https";
        std::string signedVersion = "2022-11-02";
        std::string accountName = "venkat326123";
        // Create canonicalized resource
        std::string canonicalizedResource = "/blob/" + accountName + "/" + containerName + "/" + blobName;
        // Construct the string to sign
        std::ostringstream stringToSign;
        stringToSign << signedPermissions << "\n"
            << signedStart << "\n"
            << signedExpiry << "\n"
            << canonicalizedResource << "\n"
            << "\n\n"
            << signedProtocol << "\n"
            << signedVersion << "\n"
            << signedService << "\n"
            << "\n\n\n\n\n\n";
        // Generate the signature
        std::string signature = GenerateSas(accessKey, stringToSign.str());
        // URL encode the signature
        std::string urlEncodedSignature = UrlEncode(signature);
        // Construct the SAS token
        std::ostringstream sasToken;
        sasToken << "sv=" << signedVersion
            << "&sr=" << signedService
            << "&sp=" << signedPermissions
            << "&st=" << signedStart
            << "&se=" << signedExpiry
            << "&spr=" << signedProtocol
            << "&sig=" << urlEncodedSignature;
        std::cout << "Blob URL: https://" << accountName << ""
            << containerName << "/" << blobName << "?" << sasToken.str() << std::endl;
    int main() {
        // Define blob details
        std::string blobName = "scenery.jpg";
        std::string containerName = "test";
        std::string accessKey = "<storage account key>";
        // Generate SAS token
        GenerateSasToken(blobName, accessKey, containerName);
        return 0;


    Blob URL:

    I verified the blob URL in the browser.

