Pre-signed url with expiry for Azure blob

0
votes

We are using Azure blob storage for storing unstructured content.

Our setup is as follows

Our Browser client(accessing files) -> Our Backend (our cloud platform) -> Proxy managing Azure account (our cloud platform)-> Azure blob storage.

The proxy managing the Azure account has the account credentials. It generates a SAS token and gives to the consumers like our backend. This SAS token has infinite expiry time.

Now we from our backend want to generate a pre-signed url (similar concept of S3) with an expiration time and give to the browser client. This is required since we want to download the content directly from the browser bypassing our backend for large files.

It seems the generated signed url will always have unlimited expiry time as our SAS token. Please note we (our backend ) does not have access to the Azure storage so we cannot generate an access token.

Is there any way our problem could be solved ?

Best Regards,

Saurav

1
azureazure-blob-storage
It seems the generated signed url will always have unlimited expiry time as our SAS token. - Can you elaborate what you mean by this?Gaurav Mantri
@GauravMantri thanks for the reply...as i mentioned we only have the SAS token with us not the actual Azure account credentials which is owned by Proxy Service. Proxy Service generates the SAS token with unlimited expiry and gives to us.saurav
Thanks for explaining. I have provided an answer.Gaurav Mantri

1 Answers

0
votes

If I understand correctly, you get a SAS Token that never expires. However you would want to specify an expiry date when you use this token in your SAS URL. This is not possible.

Essentially a SAS URL for a blob is base blob URL (https://account.blob.core.windows.net/container/blob) + SAS Token.

You cannot change any of the parameters of the SAS Token when using it in SAS URL because the sig portion of SAS URL is computed based on the other parameters in your SAS Token like se, st etc. Doing so will invalidate the SAS Token.

Furthermore, you can't create a new SAS Token using another SAS Token.

Only solution to your problem is to have your proxy service create a SAS Token with predefined expiry time.