0 votes

I want to get a reference to the blob and generate a SAS URL for it.

How? Without exposing my storage account key?

What all have I tried? Getting the reference to blob by using SAS (of blob container or storage account). My references: https://docs.microsoft.com/en-us/azure/storage/common/storage-dotnet-shared-access-signature-part-1?toc=%2fazure%2fstorage%2fblobs%2ftoc.json

The exception that I see: "Can not create Shared Access Signature unless Account Key credentials are used"

But I do not (obviously) want to expose my account key! Is this even possible? If not, is there any other way of doing it?

rickvdbosch: You could implement an API that runs in Azure and has one of your two account keys to generate a SAS token. This way it will stay inside Azure. Or store the key in Key Vault and retrieve it from there as soon as you need to generate a token.

Sheena Agrawal: Are there any other ways of using SAS to generate blob SAS? @RickvandenBosch

David Makogon: A SAS doesn't expose your api key. You need your api key when creating a SAS. You'd never have to share your key publicly - you'd create a SAS within your app.

1 Answer

5 votes

In short: no, there's no other way to do that besides using one of the keys. You need one of the Access Keys to be able to create a SAS token. Here's why you cannot do that with an existing SAS token:

The signature is an HMAC computed over the string-to-sign and key using the SHA256 algorithm, and then encoded using Base64 encoding.

This means the signature that is part of your SAS token is a calculated value. Part of that calculation is based on (one of the) key(s), since that is used to calculate the non-reversible hash. The fact that this hash is non-reversible means you cannot retrieve the Access Key used to calculate the hash. And therefore, you cannot use a SAS token to create another SAS token: you don't have an Access Key available to calculate the signature.

When you create a storage account, you get two storage access keys, which provide full control over the storage account contents. These keys are admin credentials.

More information: Constructing a Service SAS
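The HMAC computation the answer quotes, as an added illustration (not code from the answer or from the Azure SDK): it mints a blob SAS from a constructed account key, verifies it the way the service would, and shows that someone holding only the SAS cannot change its permissions or derive a new one, because no key means no valid signature. The 15-field string-to-sign layout is assumed from the documented 2018-11-09 service SAS format; the account name, key and paths are constructed demo values.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed demo values: not a real storage account or account key.
ACCOUNT = "examplestorage"
ACCOUNT_KEY_B64 = base64.b64encode(b"constructed-demo-key-not-a-real-azure-key").decode()

def string_to_sign(p: dict, account: str, container: str, blob: str) -> str:
    """Assemble the service-SAS string-to-sign. Field order follows the
    documented 2018-11-09 service SAS layout (assumed here; check the linked doc)."""
    canonical = f"/blob/{account}/{container}/{blob}"
    fields = [p.get("sp", ""), p.get("st", ""), p.get("se", ""), canonical,
              p.get("si", ""), p.get("sip", ""), p.get("spr", ""), p.get("sv", ""),
              p.get("sr", ""), "",            # signedSnapshotTime (empty for a live blob)
              "", "", "", "", ""]             # rscc, rscd, rsce, rscl, rsct overrides
    return "\n".join(fields)

def sign(sts: str, account_key_b64: str) -> str:
    """sig = Base64(HMAC-SHA256(Base64Decode(account key), UTF-8(string-to-sign)))."""
    key = base64.b64decode(account_key_b64)
    mac = hmac.new(key, sts.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def make_blob_sas(container: str, blob: str, account_key_b64: str,
                  permissions: str = "r", expiry: str = "2030-01-01T00:00:00Z") -> str:
    """Mint a blob SAS query string. Only code holding the account key can do this."""
    p = {"sv": "2018-11-09", "sr": "b", "sp": permissions, "se": expiry, "spr": "https"}
    p["sig"] = sign(string_to_sign(p, ACCOUNT, container, blob), account_key_b64)
    return urlencode(p)

def verify_blob_sas(query: str, container: str, blob: str, account_key_b64: str) -> bool:
    """What the storage service does: recompute the signature with the key and compare."""
    p = dict(parse_qsl(query, keep_blank_values=True))
    expected = sign(string_to_sign(p, ACCOUNT, container, blob), account_key_b64)
    return hmac.compare_digest(expected, p.get("sig", ""))

def retarget_permissions(query: str, new_permissions: str) -> str:
    """A SAS holder editing 'sp' but reusing the old 'sig': without the key the
    signature cannot be recomputed, so the service rejects the result."""
    p = dict(parse_qsl(query, keep_blank_values=True))
    p["sp"] = new_permissions
    return urlencode(p)

if __name__ == "__main__":
    sas = make_blob_sas("docs", "report.pdf", ACCOUNT_KEY_B64)
    print("issued SAS verifies:", verify_blob_sas(sas, "docs", "report.pdf", ACCOUNT_KEY_B64))
    tampered = retarget_permissions(sas, "rw")
    print("tampered SAS verifies:", verify_blob_sas(tampered, "docs", "report.pdf", ACCOUNT_KEY_B64))
```

The same logic is why the key belongs only where the SAS is issued (an API inside Azure, or Key Vault, as the comments suggest), and why a client holding a SAS can never turn it into a broader one.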