Why can't my app access by blob storage using this SAS token?

Question

I am attempting to access a blob storage account and simply list the contents of a container using a SAS token. I am generating an access policy (according to this doc) and referencing that access policy within my access token as well.

Unfortunately, when my code attempts to run the ListBlobsSegmented function, I receive a 403 (Forbidden) error.

This is the code that attempts to get the listing of blobs:

string storageAccountName = "ringclone";
string containerName = "ringcentral-archives";
string authenticationKey = "?sv=2018-03-28&si=ringclone-access-policy&sr=c&sig=************************";
StorageCredentials creds;
CloudStorageAccount account;
CloudBlobClient blobClient;
CloudBlobContainer cloudBlobContainer;
creds = new StorageCredentials(authenticationKey);
account = new CloudStorageAccount(creds, storageAccountName, endpointSuffix: null, useHttps: true);
blobClient = account.CreateCloudBlobClient();
cloudBlobContainer = blobClient.GetContainerReference(containerName);
BlobContinuationToken blobContinuationToken = null;
var containerSegment = blobClient.ListBlobsSegmented("", blobContinuationToken); // 403 error;

And these are the steps I am using to generate an access policy and generate a SAS token that references that access policy:

In the Azure Storage Explorer, I browse to blob storage and find the specific container I want to grant access to. I right-click and select "Manage Access Policies".

I then provide all permissions to this policy, and provide an end date that is 20 years from now.

After clicking "Save", I go back to my container list and right-click on that container once more and select "Get Shared Access Signature".

Within the Shared Access Signature Dialog, I reference my access policy.

Upon clicking "Create", I have my Shared Access Signature with an attached policy.

I then simply copy/paste my storage account name, container name, and auth key into the code shown above. For the auth key, I use the "Query String" field shown in my SAS Signature dialog. For example:

Query String field is used as auth key, according to the docs

string storageAccountName = "ringclone";
string containerName = "ringcentral-archives";
string authenticationKey = "?sv=2018-03-28&si=ringclone-access-policy&sr=c&sig=************************"; // retrieved from the "Query String" field in storage explorer.

However, I am getting a 403 error when trying to list the blobs in my container. What am I doing wrong?

Stanley Gong Stanley Gong · Accepted Answer · 2020-01-27T02:19:59

Try this code below in a console app:

using Microsoft.Azure.Storage.Auth;
using Microsoft.Azure.Storage.Blob;
using System;

namespace AzureStorageTest
{
    class Program
    {
        static void Main(string[] args)
        {

            string storageAccountName = "<storage account name>";
            string containerName = "<container name>";
            string sasToken = "<sas token>";
            StorageCredentials creds;
            CloudBlobContainer cloudBlobContainer;
            creds = new StorageCredentials(sasToken);

            cloudBlobContainer = new CloudBlobContainer(new Uri("https://"+ storageAccountName + ".blob.core.windows.net/"+ containerName), creds);
            BlobContinuationToken blobContinuationToken = null;
            var blobs = cloudBlobContainer.ListBlobsSegmented("", blobContinuationToken);
            foreach (var blob in blobs.Results) {
                Console.WriteLine(blob.Uri);
            }

            Console.ReadKey();
        }
    }
}

Result :

Hope it helps

Why can't my app access by blob storage using this SAS token?

1 Answers