Azure SAS and Permission

1
votes

GetSaSForBlobContainer(container,SharedAccessBlobPermissions.List|SharedAccessBlobPermissions.Read);

public static string **GetSaSForBlobContainer**(CloudBlobContainer blobContainer, SharedAccessBlobPermissions permission)
    {
        var sas = blobContainer.GetSharedAccessSignature(new SharedAccessBlobPolicy()
        {
            Permissions = permission,
            SharedAccessStartTime = DateTime.UtcNow.AddMinutes(-5),//SAS Start time is back by 5 minutes to take clock skewness into consideration
            SharedAccessExpiryTime = DateTime.UtcNow.AddMinutes(15),
        });
        return string.Format(CultureInfo.InvariantCulture, "{0}{1}", blobContainer.Uri, sas);
    }

-- When I try this, my container access in my stroge account is private.Can I list blobs in the container with Internet Explorer ? I try with blob and container access types the fail is always :

AuthenticationFailed Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. RequestId:2c504f81-0001-00ea-3815-be7271000000 Time:2017-04-25T22:47:20.9382490Z Signature did not match. String to sign used was rl 2017-04-25T22:38:15Z 2017-04-25T22:58:15Z /blob/onlineeducation/$root 2015-12-11

But when I try this I can see the blobs ,

 foreach (IListBlobItem blob in blobs)
{
   CloudBlockBlob blob1 = new CloudBlockBlob(blob.Uri);
   string name = blob1.Name;

}

1-) I dont understand one thing when I create GetSaSForBlobContainer and my container access type is private what will happen (for Internet Explorer and code) ?.

2-) When I get reference without permission my private container, and then create blob uri + SAS.Example what will happen can I see my containers ? or can I only write referenced blob (my blob permission is only write)..

3-What will happen, Container uri + sas - Blob uri + sas (Permission is read) => Can I only upload the file or can I see the containers when try in Internet Explorer .

4-)What is the different here ,

  • My container access type is private in my storage I get the reference of continer without any permssion and SAS, and then create blob URI with read permssion and SAS .

  • Container acces type is private in my storage I get the reference of container with permssion and SAS, and then create blob URI with read permssion and SAS

1
azureazure-storage-blobs
Can you please elaborate what you mean by Explorer? Do you mean Microsoft's Azure Storage Explorer or Internet Explorer (browser)?Gaurav Mantri
yes sir ,Internet Explorer I edited now :)Alican Kablan

1 Answers

3
votes

When I try this, my container access in my stroge account is private.Can I list blobs in the container with Internet Explorer ? I try with blob and container access types the fail is always

To fix this issue, first please add List as the permission in your SAS and then add &restype=container&comp=list to your request URL. For more explanation on this issue, please see this thread: Azure Shared Access Signature - Signature did not match.

1-) I dont understand one thing when I create GetSaSForBlobContainer and my container access type is private what will happen (for Internet Explorer and code) ?

Nothing will happen unless you do something with it :). Depending on the permissions included in SAS, user who's in possession of this SAS URL will be able to perform certain operations. For example, if you create a SAS with List permission then the user will be able to only list the blobs in that container. They will not be able to even download the blobs (for that the SAS must include Read permission).

2-) When I get reference without permission my private container, and then create blob uri + SAS.Example what will happen can I see my containers ? or can I only write referenced blob (my blob permission is only write)..

No, you can't see your containers as the SAS is for a container only. Again because you're including Read permission, you will only be able to read blob contents. You will not be able to upload the blobs.

3-What will happen, Container uri + sas - Blob uri + sas (Permission is read) => Can I only upload the file or can I see the containers when try in Internet Explorer .

No, with Read permission you can't upload the file. You can't even view the blobs list with Read permission. For this you would need List permission.

Regarding #4, there's no difference till the time you actually use that SAS URL. In 1st case you will get an error and in the 2nd one you will be able to see the blob.