Is there a delay between Shared Access Signature (SAS) generation time and when the generated uri actually works?

    Question

  • Following scenario:

    I have a storage blob container with private access policy containing files. I generate SAS keys for single blob entries with read permission to access the files with a webservice running on azure. Another local application then uses the generated uri to download the files.

    Most of the time, this works fine, however in sporadic cases I get a 403 (forbidden) error. It happens on roughly 5% of the number of blob downloads.

     

    The SAS is valid for an hour, if I try to access the blob directly via browser after an error, the uri works fine.

    The question is:

    Is there a delay between the time when a SAS key is generated for a blob and when it actually works?

    I have experimented with different wait times in a few seconds time range, but as the error occurs sporadically, it is difficult to tell if that would help at all and the approach with a set wait time also does not sound reliable to me.

    Any help is welcome, thanks ahead.

    Thursday, November 17, 2011 9:34 AM

Answers

  • Shared access signatures are valid for the times specified when created. I wonder if you are not hitting slight discrepancies in the time on various machines. Have you tried making the SAS signature valid from a minute before the current time? You might want to look at container-level access policies which give you greater control over the creation of shared access signatures. I did a post going into this in greater detail.
    Thursday, November 17, 2011 4:30 PM
    Answerer

All replies

  • Nothing actually happens when you create a SAS. It's just cryptographic stuff done locally. There's no interaction with the server until you actually use the SAS to pull down the blob. So no, there's no delay there. As Neil said, you might be experiencing clock drift, but I have a second guess, which is that the sporadic failures are when there's a plus sign (+) in the URL. Is there any chance of that? (Have you noticed any pattern in the URLs themselves?) I ask because I always run into encoding issues when I do this, and I wonder if pasting into the browser is working differently than calling from code and if there's a potential encoding issue for you. (Just a random guess, but something to look for.)

    Thursday, November 17, 2011 9:22 PM
  • Thank you both for the replies, I will look into the time drift issue and make SAS valid from a few minutes earlier before the current time.

    The URL encoding should be fine, I couldn't spot any patterns with the failed URLs and they don't contain any (+) signs.


    Friday, November 18, 2011 8:53 AM
  • Hi,

    Sometimes I also encounter this issue. But usually it works fine if I, as Neil pointed out, configure the SAS's start time to a minute earlier than the current time. So you can also give it a try.

     

    Best Regards,

    Ming Xu.


    Wednesday, November 23, 2011 2:53 PM
    Moderator
  • Hello again,

    just wanted to tell that it was probably the time discrepancy. I set the SAS generation from -5 to +55 minutes, from then on it worked 100% of the time.

    Thanks again for the help.

    Monday, November 28, 2011 2:41 PM
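
The clock-skew explanation from this thread, as an added example that is not part of any post: a SAS-like token is computed locally, and the service rejects it with 403 when its own clock is still behind the token's start time. This is a simplified model, not Azure's real string-to-sign; the key, path, query layout and clock offsets are constructed for illustration.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

KEY = b"constructed-demo-key"   # constructed value, not a real account key
FMT = "%Y-%m-%dT%H:%M:%SZ"

def _sign(path, st, se):
    # Simplified string-to-sign for illustration; Azure's real one has more fields.
    msg = "\n".join(["r", st, se, path]).encode()
    return base64.b64encode(hmac.new(KEY, msg, hashlib.sha256).digest()).decode()

def make_sas(path, issuer_now, backdate=timedelta(0), lifetime=timedelta(hours=1)):
    """Computed locally from the key and the issuer's clock; no server call."""
    start = issuer_now - backdate
    st, se = start.strftime(FMT), (start + lifetime).strftime(FMT)
    # urlencode escapes '+', '/' and '=' in the base64 signature (%2B, %2F, %3D).
    return urlencode({"sp": "r", "st": st, "se": se, "sig": _sign(path, st, se)})

def check_sas(path, query, server_now):
    """What the service does on use: verify the HMAC, then compare st/se
    with the server's own clock. Returns an HTTP status code."""
    q = {k: v[0] for k, v in parse_qs(query).items()}
    expected = _sign(path, q.get("st", ""), q.get("se", ""))
    if not hmac.compare_digest(q.get("sig", ""), expected):
        return 403
    st = datetime.strptime(q["st"], FMT).replace(tzinfo=timezone.utc)
    se = datetime.strptime(q["se"], FMT).replace(tzinfo=timezone.utc)
    return 200 if st <= server_now <= se else 403

def count_403(skews_s, backdate):
    """Issue and immediately use one SAS per issuer; skew > 0 means the
    issuing machine's clock runs ahead of the storage server's."""
    server_now = datetime(2011, 11, 17, 9, 0, 0, tzinfo=timezone.utc)
    fails = 0
    for skew in skews_s:
        q = make_sas("/files/report.pdf", server_now + timedelta(seconds=skew), backdate)
        fails += check_sas("/files/report.pdf", q, server_now) == 403
    return fails

# Constructed clock offsets in seconds for 20 issuing instances.
SKEWS = [-4, -2, -1, 0, -3, -1, -5, -2, 0, -1, -2, -3, 3, -1, -4, 0, -2, -1, -3, -2]

if __name__ == "__main__":
    print("403s, start = now:       ", count_403(SKEWS, timedelta(0)))
    print("403s, start = now - 5min:", count_403(SKEWS, timedelta(minutes=5)))
```

Only the one issuer whose clock runs ahead produces a 403, which is why the failures look sporadic; backdating the start time removes them at the cost of a correspondingly shorter usable window before expiry.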