DEV/Test Subscriptions, Azure Blob Storage and You(r sanity)

Published: Feb 28, 2019 by Greg Woodbury

TL;DR: Azure DEV/Test subscriptions save you money, but aren't functionally the same as prod subscriptions

As we’ve built out increasingly complex cloud/hybrid environments, the need for a dedicated, functionally identical test environment has become even more crucial. When you have a team of people creating and maintaining several tiers of function apps, services, etc with an increasingly complex graph of interdependencies, a change to any of these components requires thorough testing (hopefully automated) of the entire system.

security metaphor

To facilitate building an extensive development / test environment, Microsoft Azure provides a dedicated subscription with special pricing. These subscriptions offer savings on windows-powered VMs and services, billing at the comparable linux machine rate. Maybe this means they’re actually linux services in some cases (maybe that’s our problem)? Not having to effectively pay twice your prod environment cost is a no-brainer.

What we found was that our function apps received the following error when attempting to connect to the storage account (blobstore):

Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.

Stack overflow pointed us in a few different directions, mainly with stuff related to renewing tokens, clock issues, and other actual security problems. What had us confused the whole time however, was that our environment was identical to our prod subscription (thanks to infrastructure as code), yet prod was fine. We figured it had to be something with the subscription. When a ticket with Microsoft reached no conclusion, we had them just convert our DEV/Test subscription to an Azure Enterprise subscription. The problem went away.

So unfortunately, a DEV/Test subscription cannot be used in our case, which we’d argue is a fairly common setup. Maybe this will save someone a headache.