I am trying to generate a blob version SAS to allow read access to one specific version of a blob. I had the SAS generation working for the root blob and tried to modify it for the blob versioning feature by adding the BlobVersionId, however the server returns 403.
Modified SAS Builder for a specific blob version: (not working)
public string GetBlobSasTokenAsync(string containerName, string blobName, string blobVersionId, string fileName)
{
var sasBuilder = new BlobSasBuilder()
{
BlobContainerName = containerName,
BlobName = blobName,
BlobVersionId = blobVersionId,
StartsOn = DateTime.UtcNow.Subtract(_clockSlew),
ExpiresOn = DateTime.UtcNow.AddMinutes(AccessDuration) + _clockSlew,
ContentDisposition = "inline; filename=" + fileName,
ContentType = GetContentType(fileName)
};
sasBuilder.SetPermissions("r");
var storageSharedKeyCredential = new StorageSharedKeyCredential(_accountName, _accountKey);
var sasQueryParameters = sasBuilder.ToSasQueryParameters(storageSharedKeyCredential);
return sasQueryParameters.ToString();
}
Error:
<?xml version="1.0" encoding="utf-8"?>
<Error>
<Code>AuthenticationFailed</Code>
<Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
RequestId:63b83bb8-201e-00a8-55a1-544fe3000000
Time:2020-07-07T21:01:08.2149986Z</Message>
<AuthenticationErrorDetail>The specified signed resource is not allowed for the this resource level</AuthenticationErrorDetail>
</Error>
Using: Azure.Storage.Blobs 12.5.0-preview.5
I tried to generate SAS and access blobs in your way, but I found that it didn't work, you can use the officially recommended way: https://myaccount.blob.core.windows.net/mycontainer/myblob?versionid=<DateTime>, and concatenate the SAS at the back.
It should be noted that in this way you do not need to add the BlobVersionId attribute when generating SAS.
Finally, your URL must be like this:https://myaccount.blob.core.windows.net/mycontainer/myblob?versionid=<DateTime>&<SAS>.