Error message
VM: raise ApiException.from_response(
^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/venv/lib/python3.12/site-packages/EnclaveSDK/exceptions.py", line 144, in from_response
raise BadRequestException(http_resp=http_resp, body=body, data=data)
EnclaveSDK.exceptions.BadRequestException: (400) Reason: Bad Request
HTTP response headers: HTTPHeaderDict({'Content-Type': 'application/json; charset=utf-8', 'Date': 'Wed, 01 Apr 2026 17:32:46 GMT', 'Content-Length': '1041'})
HTTP response body: {"error":"failed to list blobs: GET https://aznsnshdadstg01d.blob.core.windows.net/beekeeper-validation
--------------------------------------------------------------------------------
RESPONSE 403: 403 Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
ERROR CODE: AuthenticationFailed
--------------------------------------------------------------------------------
<?xml version=\"1.0\" encoding=\"utf-8\"?>
<Error>
<Code>AuthenticationFailed</Code>
<Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
RequestId:a660a0b1-f01e-0014-1cfd-c1b08f000000
Time:2026-04-01T17:32:46.1128042Z
</Message>
<AuthenticationErrorDetail>Signed Directory Depth Invalid</AuthenticationErrorDetail>
</Error>
--------------------------------------------------------------------------------
"}
Cause
- The SAS was generated at the wrong scope (blob or directory) and/or without List permission. Because the workflow calls List at the container level, authentication fails with a 403 and Signed Directory Depth Invalid.
- This is an example of a SAS token generated at the folder level, if the azure storage account is created with Hierarchical Namespace enabled. It displays the folder name after the container name (testcontainer/covid), and at the end, you can see sdd=1. This format is not accepted.
- https://test255425.blob.core.windows.net/testcontainer/covid?sp=rl&st=2026-04-02T20:31:46Z&se=2026-04-05T04:46:46Z&spr=https&sv=2024-11-04&sr=d&sig=GEq3TT56oI6%2Fyx939iLeZ@3^8Brv7xlDYxo10HsBtc8#3D&sdd=1
Impact
- Validation runs fail and cannot complete end-to-end.
- Datasets may appear unavailable even though they exist in storage.
Resolution / Workaround
- Generate a SAS URL at container scope: create the SAS for the target container used by the workflow.
- Include required permissions: at minimum List (l) and Read (r); add additional permissions only if needed.
- Refer to 'Generate a Signed URL for the Dataset' in EscrowAI User Manual
- The following is the example of the valid SAS token generated at container level
- https://test255425.blob.core.windows.net/testcontainer?sp=rl&st=2026-04-02T20:50:01Z&se=2026-04-03T05:05:01Z&spr=https&sv=2024-11-04&sr=c&sig=cvVXwY5yvKmq0%2FYV3Gk1%2FfiRy%2BROA%2FBdtoc7ax4sW2k%3D
- https://test255425.blob.core.windows.net/testcontainer?sp=rl&st=2026-04-02T20:50:01Z&se=2026-04-03T05:05:01Z&spr=https&sv=2024-11-04&sr=c&sig=cvVXwY5yvKmq0%2FYV3Gk1%2FfiRy%2BROA%2FBdtoc7ax4sW2k%3D
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article