0
votes

I have a container in Azure blob storage with the Access Policy set to "Blob". The container has existing blobs that I would like to protect with a Shared Access Policy.

I noticed if I create a container shared access policy...

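// Load the container's current permissions (stored policies and public access level)
var permissions = _blobContainer.GetPermissions();

// Policy granting read and write for 120 minutes
var sharedPolicy = new SharedAccessBlobPolicy()
{
    SharedAccessExpiryTime = DateTime.UtcNow.AddMinutes(120),
    Permissions = SharedAccessBlobPermissions.Read | SharedAccessBlobPermissions.Write
};
// Store the policy on the container under a random identifier
permissions.SharedAccessPolicies.Add(Guid.NewGuid().ToString(), sharedPolicy);
_blobContainer.SetPermissions(permissions);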

I am still able to read the existing blobs. I expected the existing blobs to be "protected" by the newly created SAP.

  1. How can I apply a SAP to an existing blob?

  2. Can all SAPs be removed from a container to expose all the blobs publicly again (assuming you know the URL)? Or does removing the SAP make the blobs inaccessible somehow?

  3. If I am using SAPs to protect the blobs, can I set the container's Access Policy to "private" and have it still work?

Thanks!

1 Answer

0
votes

I tinkered with this for a while. Here is what I observed...

Access Policy = Blob

Anyone that knows the URI to the blob can read the blob (regardless of SAPs).

Access Policy = Private

To read you must...

  1. Connect with the storage access key
  2. OR have a valid Shared Access Signature
  3. OR have a valid Stored Access Policy (on the container)
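
A sketch of the locked-down setup for existing blobs, added here as an example and not code from either poster: it turns off anonymous access on the container, stores a read-only policy, and issues a Shared Access Signature tied to that policy. It uses the same legacy Microsoft.WindowsAzure.Storage client as the question; the environment variable, container, blob and policy names are hypothetical.

```csharp
using System;
using Microsoft.WindowsAzure.Storage;
using Microsoft.WindowsAzure.Storage.Blob;

class LockDownContainer
{
    static void Main()
    {
        // Assumption: the connection string is supplied via an environment
        // variable; the variable name is hypothetical.
        var account = CloudStorageAccount.Parse(
            Environment.GetEnvironmentVariable("STORAGE_CONNECTION_STRING"));
        CloudBlobContainer container = account.CreateCloudBlobClient()
            .GetContainerReference("existing-container"); // hypothetical name

        // Start from the current ACL so stored policies already on the
        // container are preserved.
        BlobContainerPermissions permissions = container.GetPermissions();

        // Turn off anonymous access. While this is Blob or Container, anyone
        // with the URI can read, whatever stored policies exist.
        permissions.PublicAccess = BlobContainerPublicAccessType.Off;

        // Stored access policy: read-only, valid for two hours.
        const string policyName = "read-2h"; // hypothetical policy identifier
        permissions.SharedAccessPolicies[policyName] = new SharedAccessBlobPolicy
        {
            SharedAccessExpiryTime = DateTimeOffset.UtcNow.AddMinutes(120),
            Permissions = SharedAccessBlobPermissions.Read
        };
        container.SetPermissions(permissions);

        // Issue a SAS for a blob that already exists. The token carries only
        // the policy identifier; expiry and permissions come from the policy.
        CloudBlockBlob blob =
            container.GetBlockBlobReference("existing-blob.txt"); // hypothetical
        string sasToken = blob.GetSharedAccessSignature(null, policyName);

        Console.WriteLine("Anonymous URI (now rejected): " + blob.Uri);
        Console.WriteLine("SAS URI (read allowed):       " + blob.Uri + sasToken);
    }
}
```

Deleting or changing the stored policy later invalidates every SAS token that references it, without rotating the storage account key.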