Examine Azure's Shared Access Signature validity/expiration

Question

Having a Shared Access Signature for Azure storage account, is it possible to examine it's validity period?

Can I go from ?sv=2018-03-28&si=mypolicy&tn=mytable&sig=ABC... to its Expiry Time?

Answer 1

If you have specified the SAS expiry value in the SAS token, then you can find out by parsing the token and looking at value of se parameter. This will give a date/time value in UTC when your SAS token will expire.

However if you don't have the SAS expiry value in the SAS token (you're using an access policy and the expiration is defined in the access policy itself), then the things would be tricky.

There are two things you could possibly do:

1. If you have access to account name and key, you can fetch the access policies for the blob container and look at the specific access policy and find the expiry date.
2. Kind of an anti-pattern, but you could perform the operation and catch the exception if any. If your SAS token has expired, you will get an AuthenticationFailed exception. You can check the AuthenticationErrorDetails to find out if the authentication failed because of expired token.

For example, I tried to list the blobs in a blob container using an expired SAS token and I got the following response back:

<Error>
<Code>AuthenticationFailed</Code>
<Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. RequestId:11111111-1111-1111-1111-111111111111 Time:2021-03-08T04:53:44.1329974Z</Message>
<AuthenticationErrorDetail>Signed expiry time [Sun, 28 Feb 2021 18:30:00 GMT] must be after signed start time [Mon, 08 Mar 2021 04:53:44 GMT]</AuthenticationErrorDetail>
</Error>