If you want a blob to be available to individual users for more than an hour, you must use a SAS policy attached to the container. However, since you can have a maximum of 5 of these on a container, it will not scale well for many users. A SAS policy can have an expiration that is years away.
A more typical solution is for the user to hit your site or service, where you authenticate them in whatever way you like. When they actually want to download the file, you must create a one-time, short-lived SAS signature (not a policy). This scales well and prevents later reuse by unauthorized users. You also get the benefit of the file being served from storage rather than from your web role.
Things get more complicated when you use a CDN. Although you can use a SAS signature on a CDN resource, doing so is not advisable. That is, the unique URL is the key to the underlying resource. So when you request a SAS-protected blob, it is simply pulled into the CDN and served using this URI as the key. The CDN will then use its own caching policy (rather than the SAS expiration) from then on. This can lead to a scenario where the blob URI expires after 10 minutes, but the CDN keeps serving the cached blob under the same SAS signature for several days, depending on the expiration policy. The CDN will never contact storage for verification. Therefore, this is probably not a good idea. In addition, since each CDN resource is keyed by its URI, each time the SAS signature changes you will cache another copy of the same file (incurring transaction and bandwidth fees). In short, CDN and SAS do not mix well.
dunnry
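The caching behaviour described in the answer, modelled as an added example that is not part of the original post. The signing scheme is a simplified stand-in for a SAS signature (not Azure's actual string-to-sign), and `origin.example`, the key, the blob path and the `Cdn` class are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

ACCOUNT_KEY = b"constructed-demo-key"          # constructed value, not a real key
BLOBS = {"/files/report.pdf": b"%PDF-demo"}    # constructed origin content


def make_sas_url(path, expiry):
    """Simplified SAS-like URL: HMAC over path and expiry (assumed format)."""
    sig = hmac.new(ACCOUNT_KEY, f"{path}\n{expiry}".encode(), hashlib.sha256).hexdigest()
    return f"https://origin.example{path}?se={expiry}&sig={sig}"


def origin_get(url, now):
    """Origin storage: validates signature and expiry on every request."""
    parts = urlsplit(url)
    expiry = int(parse_qs(parts.query)["se"][0])
    expected = urlsplit(make_sas_url(parts.path, expiry)).query
    if not hmac.compare_digest(parts.query, expected) or now > expiry:
        return 403, b""
    return 200, BLOBS[parts.path]


class Cdn:
    """CDN edge: cache key is the full URI; freshness follows its own TTL only."""

    def __init__(self, ttl):
        self.ttl = ttl
        self.cache = {}  # full URL (including SAS query) -> (cached_at, body)

    def get(self, url, now):
        hit = self.cache.get(url)
        if hit and now - hit[0] <= self.ttl:
            return 200, hit[1]  # served from cache, origin is never consulted
        status, body = origin_get(url, now)
        if status == 200:
            self.cache[url] = (now, body)
        return status, body


if __name__ == "__main__":
    cdn = Cdn(ttl=3 * 24 * 3600)                            # CDN keeps objects for days
    url = make_sas_url("/files/report.pdf", expiry=600)     # SAS valid for 10 minutes
    print("first fetch via CDN:", cdn.get(url, now=0)[0])
    print("origin after expiry:", origin_get(url, now=3600)[0])
    print("CDN after expiry:", cdn.get(url, now=3600)[0])
    cdn.get(make_sas_url("/files/report.pdf", expiry=1200), now=10)
    print("cached copies of one blob:", len(cdn.cache))
```

Times are seconds from the start of the scenario; the second SAS URL for the same blob shows how each new signature creates another cache entry.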