答案很简单：

添加补偿=列表和放大器; restype =容器来的SAS网址，你不应该得到这个错误

龙答：

从本质上从SAS URL，Azure存储服务是不是能够确定，如果你要访问的资源是BLOB或容器中，假定它是一个blob。因为它假定资源类型为BLOB，它使用 $根为SAS计算的blob容器（你可以从你的错误信息见）。由于SAS是计算标记的blob容器，你得到这个签名不匹配错误。通过指定 restype =容器你告诉存储服务来对待资源作为容器。 补偿=列表需要按照REST API规范。

I'm getting this error:

<Error>
<Code>AuthenticationFailed</Code>
<Message>
Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. RequestId:6c3fc9a8-cdf6-4874-a141-10282b709022 Time:2014-07-30T10:48:43.8634735Z
</Message>
<AuthenticationErrorDetail>
Signature did not match. String to sign used was rwl 2014-07-31T04:48:20Z /acoustie/$root 2014-02-14
</AuthenticationErrorDetail>
</Error>

I get it when I generate a sas (Shared Access Signature) then paste that sas at the end of the container uri into a browser. This is the full address with the generated sas:

https://acoustie.blob.core.windows.net/mark?sv=2014-02-14&sr=c&sig=E6w%2B3B8bAXK8Lhvvr62exec5blSxsA62aSWAg7rmX4g%3D&se=2014-07-30T13%3A30%3A14Z&sp=rwl

I have scoured SO and Google and have tried lots of combinations, as far as I can tell I'm doing everything correctly, I know I'm not, I just can't see it...really hoping someone can help :-\

To be clear, I am generating a sas on a container, not a specific blob and not on the root container. Access on the blob is defined as Public Blob. My end goal is to simply allow writes to the container with the sas, while 'debugging' I have added most permissions to the SharedAccessBlobPolicy.

I have tried adding a \ at the beginning and ending of the container name. No change.

This is the code I use to generate the sas:

    var blobClient = storageAccount.CreateCloudBlobClient();
    //Get a reference to the blob container 
    var container = blobClient.GetContainerReference(containerName);

    // Do not set start time so the sas becomes valid immediately.
    var sasConstraints = new SharedAccessBlobPolicy 
    {
        SharedAccessExpiryTime = DateTime.UtcNow.AddMinutes(30), 
        Permissions = SharedAccessBlobPermissions.Write 
        | SharedAccessBlobPermissions.Read
        | SharedAccessBlobPermissions.List,
    };

    var sasContainerToken = container.GetSharedAccessSignature(sasConstraints);

    //Return the URI string for the container, including the SAS token.
        var sas = string.Format("{0}{1}", container.Uri.AbsoluteUri, sasContainerToken);
        Logger.Debug("SAS: {0}", sas);
        return sas;

It generates a signature, it just doesn't seem to be a valid signature.

I've tried different containers, changing the Access policy, with and without start times, extending the expiry to > 12 hours from now (I'm in a UTC+10 timezone), it doesn't seem to matter what I change it results in the same "signature did not match" error.

I have even tried using an older version of 'WindowsAzure.Storage', so I have now tried 4.2 and 4.1. Even tried the uri in a different browser, really shouldn't make a difference but hey...

Any suggestions are greatly appreciated :-)

Short Answer:

Add comp=list&restype=container to your SAS URL and you should not get this error.

Long Answer:

Essentially from your SAS URL, Azure Storage Service is not able to identify if the resource you're trying to access is a blob or a container and assumes it's a blob. Since it assumes the resource type is blob, it makes use of $root blob container for SAS calculation (which you can see from your error message). Since SAS was calculated for mark blob container, you get this Signature Does Not Match error. By specifying restype=container you're telling storage service to treat the resource as container. comp=list is required as per REST API specification.