I'm using the following code to generate a SAS for a blob container using the Storage Client SDK version 8.0.0 to match what AzCopy is using.
CloudStorageAccount storageAccount = CloudStorageAccount.Parse("myconnectionstring");
CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient();
CloudBlobContainer container = blobClient.GetContainerReference("mycontainer");
SharedAccessBlobPolicy sasConstraints = new SharedAccessBlobPolicy();
sasConstraints.SharedAccessStartTime = DateTime.Now.AddHours(-24);
sasConstraints.SharedAccessExpiryTime = DateTime.Now.AddHours(24);
sasConstraints.Permissions = SharedAccessBlobPermissions.List | SharedAccessBlobPermissions.Read;
string sas = container.GetSharedAccessSignature(sasConstraints, null);
Console.WriteLine(sas);
Console.WriteLine(container.Uri);
StorageCredentials creds = new StorageCredentials(sas);
var sasContainer = new CloudBlobContainer(new Uri(container.Uri + sas));
var items = sasContainer.GetBlobReference("items.txt");
This all works fine in code, but when I copy the SAS token into AzCopy to download a blob as the "SourceSAS" parameter, I get a 403 saying the signature does not match (via Fiddler). The parameters used to create the signature look ok to me. I'm confused as to why this works in code but not via AzCopy.
If I create a SAS token using the Azure Storage Explorer tool, it works fine. This SAS token targets a different version of the service, but I can't force the SDK to change that parameter. Would anyone know why this is happening? I will post the Fiddler content in an update.