Azure Blob Storage authentication error creating SAS for blob in sub-folder

0
votes

I am using the following code to give users access to a single file in my blob storage via a Shared Access Signature (SAS):

            var container = _blobClient.GetContainerReference(containerPath[0]);
            var blob = container.GetBlockBlobReference(blobName);

            var policy = new SharedAccessBlobPolicy()
            {
                SharedAccessStartTime = DateTimeOffset.UtcNow,
                SharedAccessExpiryTime = DateTime.UtcNow.AddHours(24),
                Permissions = SharedAccessBlobPermissions.Read
            };

            var blobHeaders = new SharedAccessBlobHeaders();
            var sasToken = blob.GetSharedAccessSignature(policy, blobHeaders);

            return blob.Uri.AbsoluteUri + sasToken;

The token I am creating is created but it doesn't work, I get the following error:

Signature did not match. String to sign used was r 2019-06-07T09:19:05Z 2019-06-08T09:19:05Z /blob/X/filestore/images/company/X.jpeg 2018-11-09 b

Where filestore/images/company/ is the directory and X.jpeg is my file name. My blob container is private.

I've tried most of the options that have been provided to questions on a similar theme but not sure where I am going wrong. I created a Shared Access Signature via the Azure portal for this blob and it worked just fine. Any ideas?

1
c#azureazure-storageazure-storage-blobs

1 Answers

0
votes

I've since discovered, by trying to get the container object above's properties, that my container and file were not found in Azure Storage. This was strange as the file path was correct. Whilst browsing I found this answer:

There is actually only a single layer of containers. You can virtually create a "file-system" like layered storage, but in reality everything will be in 1 layer, the container in which it is.

For creating a virtual "file-system" like storage, you can have blob names that contain a '/' so that you can do whatever you like with the way you store. Also, the great thing is that you can search for a blob at a virtual level, by giving a partial string, up to a '/'.

This means in the case of my blob (filestore/images/company/x.jpg) the container is just filestore and the blob name is images/company/x.jpg even though the Azure Portal shows subfolders, the actual structure is flat.

Once I'd learnt this I was able to create my Shared Access Signature in the exact same way but this time it worked.