0
votes

I tried creating SAS like this (ADDING "Read" permission changes nothing):

(screenshot of the portal SAS permission selection not preserved)

But it didn't work for me. I only want my script to get the blob list, read metadata and delete old blobs.

Get-AzureStorageContainer : The remote server returned an error: (403) Forbidden. HTTP Status Code: 403 - HTTP Error Message: This request is not authorized to perform this operation.

Also, I'd like to know what's the minimum possible set of permissions to achieve my goal.

$ctx = New-AzureStorageContext -StorageAccountName xxx -SasToken zzz
$Containers = Get-AzureStorageContainer -Context $ctx

sample sas token:

?sv=2017-07-29&ss=b&srt=co&sp=dl&se=2018-03-31T21:24:06Z&st=2018-03-31T09:24:06Z&spr=https&sig=bWsg5sSPZF%2FaBXxfW6RoCH%2BlcFKBT6MFyMKTRM3I2jI%3D
1
This Cmdlet lists the containers in an account. For listing blobs, the cmdlet is Get-AzureStorageBlob. But nonetheless you shouldn't get a 403 error. Can you edit your question and include how you are calling this Cmdlet and how you are creating the storage context? - Gaurav Mantri
Well, I'm not asking for that :) I'm asking: "how to create a proper SAS token" @GauravMantri - 4c74356b41
Based on the screenshot (partial though), I believe you've selected the right permissions so your SAS token should be right. Please share your SAS token so that it can be checked for correctness. - Gaurav Mantri
Is that documented anywhere? @GauravMantri - 4c74356b41
I'm actually looking for the value of the SAS token you are using to create the storage context. - Gaurav Mantri

1 Answer

1
votes

So there are two things here:

  1. You're getting 403 error: Assuming you're using the same SAS token as you have mentioned in the question along with Get-AzureStorageContainer Cmdlet, you will get this error. The reason for this is the purpose of this Cmdlet is to list blob containers in a storage account and for that you need to have Service permission in your SAS token (srt value in your SAS token should be sco instead of co). Because the required permission is not there in your SAS token, you are getting this 403 error. However if you use the same token along with Get-AzureStorageBlob, you should not get any error.

  2. Necessary permissions to get the blob list, read metadata and delete old blobs: For this, you would need the following permissions:

    • Allowed Services: Blobs (b)
    • Allowed resource types: Container (c) and Object (o)
    • Allowed permissions: List (l), Read (r) and Delete (d)

With this combination you should be able to list blobs from a blob container using Get-AzureStorageBlob, read their metadata and delete the blobs.

UPDATE

So what I did was I followed your steps and tried to list the blob containers using Get-AzureStorageContainer Cmdlet. I also got the same error :).

Then I ran the Cmdlet with Debug and Verbose switches and found that for each blob container, this Cmdlet tries to get the ACL.

https://account.blob.core.windows.net/my-container?sv=2017-07-29&ss=b&srt=sco&sp=dl&se=2018-03-31T23:28:27Z&st=2018-03-31T15:28:27Z&spr=https&sig=signature&api-version=2017-04-17&restype=container&comp=acl

Confirm
The remote server returned an error: (403) Forbidden. HTTP Status Code: 403 - HTTP Error Message: This request is not authorized to perform this operation.
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): y
Get-AzureStorageContainer : The remote server returned an error: (403) Forbidden. HTTP Status Code: 403 - HTTP Error Message: This request is not authorized to perform this operation.
At line:1 char:1
+ Get-AzureStorageContainer -Context $ctx -Debug -Verbose
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Get-AzureStorageContainer], StorageException
    + FullyQualifiedErrorId : StorageException,Microsoft.WindowsAzure.Commands.Storage.Blob.Cmdlet.GetAzureStorageContainerCommand

Now the problem is that you can't fetch the ACL for a container using a shared access signature; you would need to use the account key (the same thing goes for creating a shared access signature). This is the reason you're getting the 403 error back from the service.

Not sure whether you would classify this as a bug in Get-AzureStorageContainer or would want to put in a feature request allowing you to list blob containers without getting their ACL, but the way things are today, you can't list blob containers using this Cmdlet and a SAS token.
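The following is an added example written for this page, not code from the question or the answer above. It puts the answer's two points together in a runnable script: it mints an account SAS with exactly the permissions the answer lists (Blob service, Container + Object resource types, Read + List + Delete), then uses a SAS-only context to list a known container, read blob metadata and delete blobs older than a retention period. It deliberately never calls Get-AzureStorageContainer, because the answer shows that cmdlet needs srt=sco and also fetches each container's ACL, which fails with 403 under a SAS. The storage account name, account key, container name and retention period are placeholders, and the script assumes the legacy Azure.Storage (AzureRM-era) cmdlets used throughout the thread.

```powershell
# Added example (not from the original post). Placeholders: account name,
# account key, container name and retention period. Assumes the legacy
# Azure.Storage module (New-AzureStorageContext, Get-AzureStorageBlob, ...).

$accountName   = 'xxx'             # placeholder
$accountKey    = '<account key>'   # placeholder; used only to mint the SAS, never by the cleanup step
$containerName = 'my-container'    # placeholder; must be known up front (containers cannot be listed with a SAS)
$retentionDays = 30                # placeholder

# 1. Mint the account SAS with the minimum set named in the answer:
#    Service = Blob (ss=b), ResourceType = Container + Object (srt=co),
#    Permission = Read + List + Delete (sp=rld), HTTPS only, short lifetime.
#    The start time is backdated a few minutes to tolerate clock skew.
$keyCtx = New-AzureStorageContext -StorageAccountName $accountName -StorageAccountKey $accountKey
$sas = New-AzureStorageAccountSASToken -Service Blob `
        -ResourceType Container,Object `
        -Permission 'rld' `
        -Protocol HttpsOnly `
        -StartTime (Get-Date).AddMinutes(-5) `
        -ExpiryTime (Get-Date).AddHours(1) `
        -Context $keyCtx

# Sanity-check the token before handing it to the cleanup job:
# it should contain ss=b, srt=co and sp=rld (order of the sp letters may vary).
if ($sas -notmatch 'ss=b' -or $sas -notmatch 'srt=co' -or $sas -notmatch 'sp=[rld]{3}') {
    throw "Unexpected SAS scope: $sas"
}

# 2. Build a context that carries only the SAS (no account key).
$sasCtx = New-AzureStorageContext -StorageAccountName $accountName -SasToken $sas

# 3. List blobs in the known container (needs Container + List) and read
#    their properties (needs Object + Read). LastModified is a DateTimeOffset,
#    so compare on the UTC instant.
$cutoffUtc = (Get-Date).AddDays(-$retentionDays).ToUniversalTime()
$blobs     = Get-AzureStorageBlob -Container $containerName -Context $sasCtx

foreach ($blob in $blobs) {
    $lastModifiedUtc = $blob.LastModified.UtcDateTime
    if ($lastModifiedUtc -lt $cutoffUtc) {
        Write-Verbose ("Deleting {0} (last modified {1:u})" -f $blob.Name, $lastModifiedUtc)
        # 4. Delete old blobs (needs Object + Delete). -Force suppresses the confirmation prompt.
        Remove-AzureStorageBlob -Blob $blob.Name -Container $containerName -Context $sasCtx -Force
    }
}
```

Run the minting step (1) once on a machine that holds the account key and give the cleanup job only the resulting token and the container name; the job then runs with the Read/List/Delete scope the answer describes and nothing more. If the job only ever touches one container, the scope can be narrowed further by issuing a container-level SAS for that container with the same 'rld' permissions instead of an account SAS, which this thread does not cover but which the same cmdlets support via New-AzureStorageContainerSASToken.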