shared access policy for Blob RRS feed

  • Question

  • Hi,

    In the development environment, I have a private container with one blob that has some text in it. I applied a shared access policy for the read operation with a time span, using the following code:

        // Get a reference to the container for which shared access signature will be created.
        CloudBlobContainer container = blobClient.GetContainerReference("mycontainer");

        // Create a permission policy, consisting of a shared access policy
        // and a public access setting, and store it on the container.
        BlobContainerPermissions blobPermissions = new BlobContainerPermissions();

        blobPermissions.SharedAccessPolicies.Add("mypolicy", new SharedAccessPolicy()
        {
            SharedAccessStartTime = DateTime.UtcNow.AddMinutes(1),
            SharedAccessExpiryTime = DateTime.UtcNow.AddMinutes(5),
            Permissions = SharedAccessPermissions.Read
        });

        // The public access setting off explicitly specifies that the container is private,
        // so that it can't be accessed anonymously.
        blobPermissions.PublicAccess = BlobContainerPublicAccessType.Off;

        // Set the permission policy on the container.
        container.SetPermissions(blobPermissions);

    However, when I try to access it with the URL http://127.0.0.1:10000/devstoreaccount1/mycontainer/myblob I get a Resource not found exception. What am I doing wrong here? Also, even though I specify Datetime.Now for setting the start and expiry time, the time set is very different from my computer's time. For example, if I run at 9.05AM with expiry at 9.10AM, the time is something like 4.05AM to 4.10AM.

    Any input?

    Thanks in advance!!


    Friday, May 18, 2012 4:43 AM

Answers

  • I think you're misunderstanding shared access signatures. You've created a container-level access policy (good!), but now you need to use it to generate a signature, which will go at the end of the blob URL.

    See the second example from my blog post: http://blog.smarx.com/posts/shared-access-signatures-are-easy-these-days. I believe that does almost exactly what you're trying to do. Specifically, you're missing the part that calls GetSharedAccessSignature using the policy you've created.

    Friday, May 18, 2012 5:18 AM
  • The trick about access policies is that they come into action when you generate signed URLs using them. Just creating the access policy will not do anything. So you would need to create a signed URL for the blob and use that URL to access the blob.

    Your URL would be something like: http://127.0.0.1:10000/devstoreaccount1/mycontainer/myblob?sr=b&si=<your policy identifier>&sig=<base 64 encoded signature>

    To learn more about how to generate a signed URL for your blob, you may find this link useful: http://msdn.microsoft.com/en-us/library/windowsazure/ee395415.aspx

    Hope this helps. 

    Thanks

    Gaurav

    Friday, May 18, 2012 5:18 AM
  • Looks like an issue with setting the access policy's start and expiry time. Can you share the code for that?

    Please remember that these values must be in UTC and not in local.

    Friday, May 18, 2012 5:26 AM

All replies

  • Steve/ Gaurav

    Thanks for your quick reply.

    I retrieved the shared signature and used it to access the blob in the following way:

    http://127.0.0.1:10000/devstoreaccount1/mycontainer?sr=c&si=mypolicy&sig=8S0lkDMOwpoE84c%2B0To8WkoAWVhF%2FRl8oikE84LU5Do%3D

    I still received the error: Signature not valid in the specified time frame.



    Friday, May 18, 2012 5:21 AM
  • Gaurav,

    I used UtcNow only... here is the complete code:

        // Retrieve storage account information from cloud configuration.
        CloudStorageAccount storageAccount = CloudStorageAccount.Parse(RoleEnvironment.GetConfigurationSettingValue("Microsoft.WindowsAzure.Plugins.Diagnostics.ConnectionString"));

        // Create the blob client object.
        CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient();

        // Get a reference to the container for which shared access signature will be created.
        CloudBlobContainer container = blobClient.GetContainerReference("mycontainer");

        // Create a permission policy, consisting of a shared access policy
        // and a public access setting, and store it on the container.
        BlobContainerPermissions blobPermissions = new BlobContainerPermissions();

        // The shared access policy provides read access to the container,
        // starting one minute from now and expiring five minutes from now.
        blobPermissions.SharedAccessPolicies.Add("mypolicy", new SharedAccessPolicy()
        {
            SharedAccessStartTime = DateTime.UtcNow.AddMinutes(1),
            SharedAccessExpiryTime = DateTime.UtcNow.AddMinutes(5),
            Permissions = SharedAccessPermissions.Read
        });

        // The public access setting off explicitly specifies that the container is private,
        // so that it can't be accessed anonymously.
        blobPermissions.PublicAccess = BlobContainerPublicAccessType.Off;

        // Set the permission policy on the container.
        container.SetPermissions(blobPermissions);

        // Generate a container-level signature that refers to the stored policy by name.
        lblAccessPolicyString.Text = container.GetSharedAccessSignature(new SharedAccessPolicy(), "mypolicy");



    Friday, May 18, 2012 5:28 AM
  • Hi Gaurav and Steve,

    It worked fine. I just created a new shared access policy and ran the blob URL in the browser again with the SAS signature, and it worked fine.

    Thank you!!!



    Friday, May 18, 2012 5:38 AM
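
An added example, not code from any post in this thread: the complete flow the answers describe, using the same StorageClient calls that appear in the posted code. It assumes the storage emulator and an existing blob named myblob in mycontainer; the class name and the choice to omit the start time are this example's own.

```csharp
using System;
using Microsoft.WindowsAzure;
using Microsoft.WindowsAzure.StorageClient;

class SasWithStoredPolicy
{
    static void Main()
    {
        // Assumption: the local storage emulator, matching the
        // 127.0.0.1:10000 URLs quoted in the thread.
        CloudStorageAccount account = CloudStorageAccount.DevelopmentStorageAccount;
        CloudBlobClient blobClient = account.CreateCloudBlobClient();
        CloudBlobContainer container = blobClient.GetContainerReference("mycontainer");

        // Keep the container private; access is granted only through signed URLs.
        var permissions = new BlobContainerPermissions
        {
            PublicAccess = BlobContainerPublicAccessType.Off
        };

        // Stored access policy: read-only and short-lived. No start time is
        // set, so the policy is valid as soon as it is stored. A start time
        // of UtcNow + 1 minute would cause every request made during that
        // first minute to be rejected as outside the valid time frame.
        permissions.SharedAccessPolicies.Add("mypolicy", new SharedAccessPolicy
        {
            SharedAccessExpiryTime = DateTime.UtcNow.AddMinutes(5),
            Permissions = SharedAccessPermissions.Read
        });
        container.SetPermissions(permissions);

        // Sign the blob itself (sr=b) and refer to the stored policy by name.
        // The empty SharedAccessPolicy means start, expiry and permissions
        // all come from "mypolicy" on the container.
        CloudBlob blob = container.GetBlobReference("myblob");
        string sasToken = blob.GetSharedAccessSignature(new SharedAccessPolicy(), "mypolicy");

        // The signature is a query string; append it to the blob URL.
        // Requesting the bare blob URL of a private container fails.
        Console.WriteLine(blob.Uri.AbsoluteUri + sasToken);
    }
}
```

Because the signed URL only names the policy, changing or removing "mypolicy" on the container invalidates URLs already handed out.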