$logs Container - Creating a SAS with Policy fails with (403) Forbidden

    Question

  • I just wanted to know if it is by design not possible to create a SAS with a policy on the $logs container?

    I tried that yesterday and can successfully do this on my containers, but get a "The remote server returned an error: (403) Forbidden." error if I try the same action on the $logs container.

    Is this by design, or am I doing something wrong?

    I want to grant read access to the logs to some clients, but do not want to expose the keys. I did work through a couple of examples which actually work, but not for the $logs container.

    http://stackoverflow.com/questions/14152087/copying-one-azure-blob-to-another-blob-in-azure-storage-client-2-0
    https://azure.microsoft.com/en-us/documentation/articles/storage-dotnet-shared-access-signature-part-1/
    https://azure.microsoft.com/en-gb/documentation/articles/storage-dotnet-shared-access-signature-part-2/

    In the end I just want to collect all the logs in one place for later analysis through Azure Batch (Job Schedule) and not put the storage keys there (might be OK, but I thought I'd try it with SAS).

    The code I use is:

            static string CreateSharedAccessPolicy(CloudBlobContainer container, string policyName)
            {
                //Create a new shared access policy and define its constraints.
                SharedAccessBlobPolicy sharedPolicy = new SharedAccessBlobPolicy();
                sharedPolicy.SharedAccessStartTime = new DateTime(DateTime.UtcNow.Year, 1, 1);
                sharedPolicy.SharedAccessExpiryTime = new DateTime(DateTime.UtcNow.Year + 1, 12, 31);
                sharedPolicy.Permissions = SharedAccessBlobPermissions.List | SharedAccessBlobPermissions.Read;
    
                //Get the container's existing permissions.
                BlobContainerPermissions permissions = container.GetPermissions();
    
                //Remove Policy
                permissions.SharedAccessPolicies.Remove(policyName);
                container.SetPermissions(permissions);
    
                //Add the new policy to the container's permissions, and set the container's permissions.
                permissions.SharedAccessPolicies.Add(policyName, sharedPolicy);
                container.SetPermissions(permissions);
    
                return container.Uri + container.GetSharedAccessSignature(null, policyName);
            }

    which works on a regular container, but not on the $logs container.

    Any advice?


    http://www.hmayer.net/

    Sunday, November 22, 2015 1:05 PM

Answers

  • I believe the reason your code is failing is because you're trying to update a system defined blob container (by setting the access policies on that container) which is not allowed.

    What you could do is create a SAS without an access policy and distribute that SAS token to your clients. However please keep in mind that a SAS without an access policy can't be revoked. Thus it may be best for you to issue shorter duration SAS tokens on demand i.e. create SAS tokens for your clients when they need them.


    Hope this helps.
    • Edited by Gaurav Mantri Sunday, November 22, 2015 5:24 PM
    • Marked as answer by hmayer1980 Friday, November 27, 2015 3:07 PM
    Sunday, November 22, 2015 5:23 PM
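
Added example, not part of the original answer: a sketch of the ad hoc (policy-less) SAS approach the answer describes, written against the same storage client library as the question's code. The class name, method names and the one-hour cap are hypothetical; the sketch assumes the issuing side holds the account key and hands clients only the token.

```csharp
using System;
using Microsoft.WindowsAzure.Storage;
using Microsoft.WindowsAzure.Storage.Auth;
using Microsoft.WindowsAzure.Storage.Blob;

static class LogsSasIssuer
{
    // Hypothetical cap; pick the shortest lifetime a client job can work with.
    static readonly TimeSpan MaxLifetime = TimeSpan.FromHours(1);

    // Runs on the trusted side that holds the account key. Returns only the
    // SAS query string, so the key itself is never handed to a client.
    public static string IssueReadOnlyLogsSas(CloudStorageAccount account, TimeSpan lifetime)
    {
        if (lifetime <= TimeSpan.Zero || lifetime > MaxLifetime)
            throw new ArgumentOutOfRangeException("lifetime");

        CloudBlobContainer logs =
            account.CreateCloudBlobClient().GetContainerReference("$logs");

        // Ad hoc policy: the constraints are embedded in the token itself.
        // There is no SetPermissions call, so the system container's stored
        // access policies are never modified.
        var adHoc = new SharedAccessBlobPolicy
        {
            // Backdate the start a few minutes to tolerate clock skew.
            SharedAccessStartTime = DateTimeOffset.UtcNow.AddMinutes(-5),
            SharedAccessExpiryTime = DateTimeOffset.UtcNow.Add(lifetime),
            Permissions = SharedAccessBlobPermissions.Read
                        | SharedAccessBlobPermissions.List
        };
        return logs.GetSharedAccessSignature(adHoc);
    }

    // Client side: builds a container reference from the container URI and
    // the token only; no account key is involved.
    public static CloudBlobContainer OpenWithSas(Uri containerUri, string sasToken)
    {
        return new CloudBlobContainer(containerUri, new StorageCredentials(sasToken));
    }
}
```

Since a token issued this way cannot be revoked individually, the expiry time is the control that limits exposure, which is why the sketch rejects any lifetime above the cap.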

All replies

  • Must be the reason...

    Is there a way with the use of a policy at all?

    Account Level Policy and SAS?


    http://www.hmayer.net/

    Wednesday, November 25, 2015 5:45 PM