Azure blob container shared access signature expires

I am having problems with Azure blobs and shared access signatures when they expire. I need to provide access to the blob for more than 1 hour (7 days), so I use a named container policy, but unfortunately I cannot generate new URLs once these 7 days have passed.

I have the following code to create a default policy. Note that in this code I set the expiration time to 1 minute to make it easier to test:

    CloudStorageAccount account = new CloudStorageAccount(credentials, true);
    CloudBlobClient client = new CloudBlobClient(account.BlobEndpoint, credentials);
    CloudBlobContainer container = client.GetContainerReference("files");

    SharedAccessPolicy sharedAccessPolicy = new SharedAccessPolicy();
    sharedAccessPolicy.Permissions = SharedAccessPermissions.Read;
    sharedAccessPolicy.SharedAccessStartTime = DateTime.UtcNow;
    sharedAccessPolicy.SharedAccessExpiryTime = DateTime.UtcNow.AddMinutes(1);

    BlobContainerPermissions blobContainerPermissions = new BlobContainerPermissions();
    blobContainerPermissions.SharedAccessPolicies.Add("default", sharedAccessPolicy);
    container.SetPermissions(blobContainerPermissions);

Then I create a SharedAccessSignature URL with the following:

    CloudStorageAccount account = new CloudStorageAccount(credentials, true);
    CloudBlobClient client = new CloudBlobClient(account.BlobEndpoint, credentials);
    CloudBlobContainer container = client.GetContainerReference("files");

    CloudBlob blob = container.GetBlobReference(path);
    string sas = blob.GetSharedAccessSignature(new SharedAccessPolicy(), "default");
    Console.WriteLine(blob.Uri.AbsoluteUri + sas);

This creates the URL and the URL works correctly for the next minute (or 7 days in real code). After one minute, the URL is invalid and no longer works as expected.

But as soon as this expiration passed, I ran the code again to create a new URL. Unfortunately, it generates the same URL, which is still invalid.

Are the start and end times for container policies absolute, that is, when I set this policy right now:

    sharedAccessPolicy.SharedAccessStartTime = DateTime.UtcNow;
    sharedAccessPolicy.SharedAccessExpiryTime = DateTime.UtcNow.AddMinutes(1);

Is anything using this policy valid only from 10:10 AM (EDT) to 10:11 AM (EDT) today?

+7
3 answers

One thing you can do is create an access policy without an expiration date. You specify the expiration date when creating the signed URL.

So your code will look something like this:

    SharedAccessPolicy sharedAccessPolicy = new SharedAccessPolicy();
    sharedAccessPolicy.Permissions = SharedAccessPermissions.Read;
    sharedAccessPolicy.SharedAccessStartTime = DateTime.UtcNow;
    //sharedAccessPolicy.SharedAccessExpiryTime = DateTime.UtcNow.AddMinutes(1); No need to define expiry time here.

    BlobContainerPermissions blobContainerPermissions = new BlobContainerPermissions();
    blobContainerPermissions.SharedAccessPolicies.Add("default", sharedAccessPolicy);
    container.SetPermissions(blobContainerPermissions);

    Console.WriteLine("Press any key to continue....");
    Console.ReadLine();

    CloudBlob blob = container.GetBlobReference(path);
    string sas = blob.GetSharedAccessSignature(new SharedAccessPolicy()
    {
        SharedAccessExpiryTime = DateTime.UtcNow.AddDays(7), // add expiry date only when you're creating the signed URL
    }, "default");
    Console.WriteLine(blob.Uri.AbsoluteUri + sas);

    Process.Start(new ProcessStartInfo(blob.Uri.AbsoluteUri + sas));
    Console.WriteLine("Press any key to continue....");
    Console.ReadLine();

Will this work for you? Obviously, you will need to regenerate the URL after 7 days, but you do not need to make any changes to your access policy.

Hope this helps.

+9
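Why re-running the generation code produced the same URL, and what changes when the expiry moves from the stored policy to the SAS, shown as an added example that is not from the thread or the Azure SDK. It is a simplified Python model: the key, resource path, times, the field layout of the signed string and the `service_accepts` check are assumptions made for illustration.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone

KEY = b"constructed-demo-account-key"        # constructed, not a real account key
RESOURCE = "/demoaccount/files/report.pdf"   # constructed canonicalized resource

def iso(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ") if t else ""

def sign(perms, start, expiry, identifier):
    # Assumed layout: permissions, start, expiry, resource, identifier.
    # Fields left empty on the SAS contribute only an empty line.
    string_to_sign = "\n".join([perms, iso(start), iso(expiry), RESOURCE, identifier])
    mac = hmac.new(KEY, string_to_sign.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def make_sas(identifier, expiry=None):
    """Token as the client builds it: only fields set on the SAS itself are signed."""
    return {"si": identifier, "se": expiry, "sig": sign("", None, expiry, identifier)}

def service_accepts(sas, policies, now):
    """Model of the service check: verify the signature, then apply the stored policy."""
    if not hmac.compare_digest(sas["sig"], sign("", None, sas["se"], sas["si"])):
        return False
    policy = policies.get(sas["si"])
    if policy is None or (policy["expiry"] and sas["se"]):
        return False   # unknown identifier, or expiry given in both places
    expiry = policy["expiry"] or sas["se"]
    return expiry is not None and policy["start"] <= now < expiry

T0 = datetime(2024, 1, 1, 10, 10, tzinfo=timezone.utc)   # constructed policy start

def demo():
    fixed = {"default": {"start": T0, "expiry": T0 + timedelta(minutes=1)}}
    first = make_sas("default")    # issued inside the policy window
    later = make_sas("default")    # issued again after the window closed
    open_ended = {"default": {"start": T0, "expiry": None}}
    week = make_sas("default", expiry=T0 + timedelta(days=7, minutes=5))
    return {
        "regenerated_is_identical": first == later,
        "valid_in_window": service_accepts(first, fixed, T0 + timedelta(seconds=30)),
        "valid_after_window": service_accepts(later, fixed, T0 + timedelta(minutes=5)),
        "valid_with_sas_expiry": service_accepts(week, open_ended, T0 + timedelta(days=3)),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In this model a token that carries only the policy identifier has nothing time-dependent in its signature, so the stored policy's absolute window alone decides validity; revoking access still works in both variants by changing or removing the stored policy.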

With 1 minute, you may be running into clock skew between the machine generating the SAS and Windows Azure storage. You must use a longer interval. I wrote a post that goes into the depths of shared access signatures that may be useful.

0

You can use the maximum values for access policies at the container level.

A stored access policy includes a name up to 64 characters long, unique in the container. This name appears in the signedidentifier field of shared access signatures that reference the stored access policy. A container can include up to 5 stored access policies. Each policy can be used by any number of shared access signatures.

Using a stored access policy

0