As noticed here, the shared access signature is not supported in the Azure SDK for PHP. So I developed my own function to generate the signed-url using the Miscrosoft Azure documentation (here) and the PHPAzure Codeplex project and source code (here)

I want to generate an signed-url that may be called directly in a web browser vithout using a developed software client.

My generated signed-url always returns an "AuthenticationFailed" with the detail "Signature did not match. Signature did not match. String to sign used was r 2013-11-03 2013-11-05 /ntgstblog/netgemvno netgemvno_default_policy"

Here my source code to generate a shared access signature and my signed url. Can you help me to debug it ?

    $config = array(
         'blob_account'   => <mystroage_accountname>,
         'blob_key'       => <mystroage_accesskey>,
         'blob_protocol'  => 'http'
    );

    $_id = 'netgemvno_default_policy';

    ...

    /* Define the policy of the container */
    $_data = array(
        'SignedIdentifier' => array (
            'Id' => $_id,
            'AccessPolicy' => array(
                'Start' => date("Y-m-d", strtotime('-1 years')),
                'Expiry' => date("Y-m-d", strtotime('+1 year')),
                'Permission' => 'r'
            )
        )
    );
    $_containerAcl = ContainerAcl::create(PublicAccessType::NONE, $_data);
    $rest->blob_service->setContainerAcl($oem, $_containerAcl);

    ...

    /* get shared access url to my private blob */       
    $_start = date('Y-m-d', strtotime('-1 day'));
    //$_start = '';
    $_expiry = date('Y-m-d', strtotime('+1 day'));
    //$_expiry = '';
    $_permission = 'r';
    $_container = 'netgemvno';
    $_blob = strtolower(
        "netgemvno/backup/2013/10/29/20131029_ack.log"
    );

    /* Create the signature */
    $_arraysign = array();
    $_arraysign[] = $_permission;
    $_arraysign[] = $_start;
    $_arraysign[] = $_expiry;
    $_arraysign[] = '/' . $config['blob_account'] . '/' . $_container;
    $_arraysign[] = $_id;
    $_str2sign = implode("\n", $_arraysign);
    $_signature = base64_encode(
        hash_hmac('sha256', $_str2sign, $config['blob_key'], true)
    );

    /* Create the signed query part */
    $_parts = array();
    $_parts[] = (!empty($_start))?'st=' . urlencode($_start):'';
    $_parts[] = (!empty($_expiry))?'se=' . urlencode($_expiry):'';
    $_parts[] = (!empty($_permission))?'sp=' . $_permission:'';
    $_parts[] = 'sr=' . 'c';
    $_parts[] = (!empty($_id))?'si=' . urlencode($_id):'';
    $_parts[] = 'sig=' . urlencode($_signature);

    /* Create the signed blob URL */
    $_url = $config['blob_protocol'] . '://'
        . $config['blob_account'] . '.blob.core.windows.net/'
        . $_blob . '?'
        . implode('&', $_parts);

    return $_url;

• What is wrong when I generate the signature ?
• Is there any information missing or invalid ?
• Do I need to hash using the my storage key ?

Assuming you're storing your account key as base64 encoded (something like AmSacgtnBFBvyqPHTNfpThcBCFWqzE3PIl09Pr1IQBGNjln1a8fZeUTs0+fehSmGt6ujf/7DQ51ef+DEXEZziA==), try changing the following line of code:

$_signature = base64_encode(
        hash_hmac('sha256', $_str2sign, $config['blob_key'], true)
    );

To

$_signature = base64_encode(
        hash_hmac('sha256', $_str2sign, base64_decode($config['blob_key']), true)
    );

I wanted to provide some additional information to this post to reflect the changes made to the Azure REST API for accessing containers/blobs since this post was made. Pursuant to the docs I had to do a bit more work as of 9/2014.

Here is SAS generation code that worked for me for uploading a blob to a private container in PHP:

private function testSASGeneration($container, $blob, $resourceType, $permissions, $start, $expiry){

     /* Create the signature */
    $_arraysign = array();
    $_arraysign[] = $permissions;
    $_arraysign[] = $start;
    $_arraysign[] = $expiry;
    $_arraysign[] = '/' . $this->blobServiceAccountName . '/' . $container;
    $_arraysign[] = '';
    $_arraysign[] = "2013-08-15"; //the API version is now required
    $_arraysign[] = '';
    $_arraysign[] = "file; attachment";
    $_arraysign[] = '';
    $_arraysign[] = '';
    $_arraysign[] = 'binary';

    $_str2sign = implode("\n", $_arraysign);

    //signature requires url decode and utf-8 encode, as illustrated in docs linked in this post.
    $_signature = base64_encode(
        hash_hmac('sha256', urldecode(utf8_encode($_str2sign)), base64_decode($this->blobServicePrimaryKey), true)
    );

     /* Create the signed query part */
    $_parts = array();
    $_parts[] = (!empty($start))?'st=' . urlencode($start):'';
    $_parts[] = (!empty($expiry))?'se=' . urlencode($expiry):'';
    $_parts[] = 'sr=' . $resourceType;
    $_parts[] = (!empty($permissions))?'sp=' . $permissions:'';
    $_parts[] = (!empty($permissions))?'rscd=' . urlencode("file; attachment"):'';
    $_parts[] = (!empty($permissions))?'rsct=' . urlencode("binary"):'';


    //$_parts[] = (!empty($_id))?'si=' . urlencode($_id):'';
    $_parts[] = 'sig=' . urlencode($_signature);
    $_parts[] = 'sv=2013-08-15'; //addition of API version in query

    /* Create the signed blob URL */
    $_url = 'https://'
    . $this->blobServiceAccountName . '.blob.core.windows.net/'
    . $container . '/'
    . $blob . '?'
    . implode('&', $_parts);

    return $_url;

}

Hope this helps anyone that is forced to use PHP to communicate with Azure, as the API is severely lacking compared to its C# counterpart.