none
Shared Access Signature for Azure Storage Tables service version expiration?

    Question

  • Several weeks back I created shared access policies for an Azure Storage Table on three different Storage Accounts. I set the policies with Permissions = SharedAccessTablePermissons.Query only and set no start or expiration dates. I then tested access on all three accounts successfully and moved on. This week I went to utilize these policies in a production app and found to my great surprise that two of the three had stopped working. All attempts to access the tables with the SAS token returned 403 on two of the three tables. I then attempted to re-generate keys by clearing the current and creating new but all attempts continued to fail with 403.

    As a last ditch effort to get the SAS working again I updated my WindowsAzure.Storage NuGet package to the latest version, 7.2.0 (I'm not 100% sure what version it was at but I think it may have been 7.0.0). I then cleared the SAS policies and regenerated new tokens. Suddenly access started working again for new tokens.

    I noticed that the service version piece of the tokens changed once I updated the NuGet package from "sv=2015-07-08" (I think) to "sv=2015-12-11" and this has made me start to wonder if SAS is somehow expiring tokens on older versions. If so this is tremendously troublesome.

    Here is a sample solution with the code used. It's all fairly typical of the code you'll find in documentation and examples for Azure Storage Tables.

    https://1drv.ms/u/s!AL0CqfehX7A6hd12

    Sunday, September 4, 2016 6:55 PM

Answers

  • The existing policies and tokens will continue to work as long as the policy still exists, the time specified as the expiry time has not elapsed, and the storage account key used to create the SAS is still valid. When you get a 403 response, please print out the storage exception (using ToString) to get more detailed information on what the failure was. This will help track down the source of the problem.

    Thanks,
    Michael

    Tuesday, September 6, 2016 4:35 AM

All replies

  • Hello,

    We are checking on the query and would get back to you soon on this.
    I apologize for the inconvenience and appreciate your time and patience in this matter.

    Regards,
    Sumanth BM

    Monday, September 5, 2016 10:07 AM
    Moderator
  • The existing policies and tokens will continue to work as long as the policy still exists, the time specified as the expiry time has not elapsed, and the storage account key used to create the SAS is still valid. When you get a 403 response, please print out the storage exception (using ToString) to get more detailed information on what the failure was. This will help track down the source of the problem.

    Thanks,
    Michael

    Tuesday, September 6, 2016 4:35 AM
  • Well it's good to know that policies are not supposed to expire based on service version but I can tell you that appears to be exactly what happened. SAS tokens that had no expiration suddenly quit working and the code that generated them would not generate working tokens again until i upgraded the NuGet package at which point the exact same code started generating working tokens again. It is more than a little disconcerting considering we were about to go live with a system that makes use of said SAS tokens to provide read-only access to table data. I wish I could go back and recreate the issue but since updating the package I have been unable to reproduce it.
    Tuesday, September 6, 2016 3:28 PM