azureasp.net-web-apiazure-blob-storageazure-managed-identitysas-token
Generate Sas token for storage account with managed identity
I use the following to get a sas token, it works perfectly targeting the specific container and blob:
[HttpGet]
public IActionResult GetBlobSasToken()
{
var storageAccountName = "storage-Name";
var saUri = $"https://{storageAccountName}.blob.core.windows.net";
// Create a new Blob service client with Azure AD credentials.
var blobServiceClient = new BlobServiceClient(new Uri(saUri), new DefaultAzureCredential());
var blobContainerClient = blobServiceClient.GetBlobContainerClient("container-Name");
var blobClient = blobContainerClient.GetBlobClient("Blob-Name"); // Blob name
// Get a user delegation key for the Blob service that's valid for 2 hours.
var userDelegationKey = blobServiceClient.GetUserDelegationKey(DateTimeOffset.UtcNow,
DateTimeOffset.UtcNow.AddHours(2));
var sasBuilder = new BlobSasBuilder()
{
BlobContainerName = blobContainerClient.Name,
BlobName = blobClient.Name,
Resource = "b",
StartsOn = DateTimeOffset.UtcNow,
ExpiresOn = DateTimeOffset.UtcNow.AddHours(2),
};
sasBuilder.SetPermissions(BlobSasPermissions.Read); // Read permissions
// Build the blob URL with the SAS token
var blobUriBuilder = new BlobUriBuilder(blobClient.Uri)
{
Sas = sasBuilder.ToSasQueryParameters(userDelegationKey, blobServiceClient.AccountName)
};
var blobUrlWithSas = blobUriBuilder.ToUri().ToString();
return Ok(new { BlobUrlWithSas = blobUrlWithSas });
}
and verify the sas token by adding the path https://{StorageAccountName}.blob.core.windows.net/{containerName}/{BlobName}?{SasToken}
and verify the sas token by adding the path https://{StorageAccountName}.blob.core.windows.net/{containerName}/{BlobName}?{SasToken}. It runs smoothly.
What I want to figure out is to generate the sas token but at the storage account level.
I tried to modify:
// Create the blob URL with the SAS token
var blobUriBuilder = new BlobUriBuilder(blobServiceClient.Uri)
And while generating the sas token I get the 403 error:
<?xmlversion="1.0" encoding="utf-8"?>
<Error>
<Code>Authentication failed</Code>
<Message> The server could not authenticate the request. Make sure the authorization header value is correctly formed, including the signature.
Request ID: f100b2a0-501e-0038-06dd-cb612f000000
Time:2023-08-10T22:53:59.3204012Z</Message>
Solution
Generate Sas token for storage account with managed identity
You cannot create an account-level SAS with a user delegation key.
A user delegation SAS only applies to Blob storage and is secured with Azure AD credentials, while an account-level SAS is connected with the storage account key and may assign access to resources in multiple storage services.
For account-level SAS creation, you need to use your storage account key.
Code:
var storageAccountName = "venkat123";
var storageaccountKey = "xx";
var storageAccountUri = $"https://{storageAccountName}.blob.core.windows.net";
var blobServiceClient = new BlobServiceClient(new Uri(storageAccountUri), new StorageSharedKeyCredential(storageAccountName, storageaccountKey));
var sasBuilder = new AccountSasBuilder()
{
Services = AccountSasServices.Blobs,
ResourceTypes = AccountSasResourceTypes.Container | AccountSasResourceTypes.Object,
StartsOn = DateTimeOffset.UtcNow,
ExpiresOn = DateTimeOffset.UtcNow.AddHours(2),
};
sasBuilder.SetPermissions(AccountSasPermissions.Read | AccountSasPermissions.Write); // read write permissions
string sasToken = sasBuilder.ToSasQueryParameters(new StorageSharedKeyCredential(storageAccountName, storageaccountKey)).ToString();
// Append the SAS token to the URL
string accountlevelurl = $"{storageAccountUri}?{sasToken}";
Console.WriteLine(accountlevelurl);
Output:
https://xxxxx.blob.core.windows.net?sv=2023-08-03&ss=b&srt=co&st=2023-08-11T06%3A26%3A16Z&se=2023-08-11T08%3A26%3A16Z&sp=rw&sig=xxxxxxx
Now, you can use the above URL with your container and blob to fetch the files from the blob service.
Portal:
Reference:
Grant limited access to data with shared access signatures (SAS) - Azure Storage | Microsoft Learn
- Azure Service Plan - Convert Consumption App to Premium App
- No PK or FK when exporting SQL Server database
- Assigning a Token Lifetime Policy to an application in Microsoft EntraID seems to have no effect
- How to create a dataset for Azure custom speech using spx (speechCLI)
- Azure App Service Autoscale Fails to Scale In
- Azure Scale Out on Memory keeps flapping (not scaling in)
- Setting a server minimum for Azure Web App when using automatic scaling, from Bicep
- A keyvault created with access policy using BICEP creates compound identity
- Azure Loadbalancer with public IP forward traffic to Container Apps
- How to grant a Managed Identity permissions to an Azure SQL Database using IaC?
- What means skipNegotiation in SignalR HubConnection?
- Azure ClientCertificateCredential - Using SNI
- Azure AI Search MultiIndex / Conditional Semantic search
- MSAL Node service & The Partner Center API
- Load Registered Component in Azure ML for Pipeline using Python sdk v2
- Azure Blob:- How to automate Azure Archive Storage to Cool/Hot tier conversion, send download link once it's avaible , and re-archive after 72 hours?
- Azure App Service Custom Backup to Firewall Enabled Storage Account not working as expected
- How to take max value and replace it in drived column in data factory
- Synapse/ ADF - How to Truncate table if dynamic config column is True in pre-copy script
- Azure Cost Management - track costs associated with Databricks job
- Error: "OrganizationFromTenantGuidNotFound" (even with Microsoft 365 subscription)
- How to check Debug.Writeline() output in VS code?
- C# API - Provide download of files from Azure Blobstorage
- localhost:300/api is not working : "This page isn’t working"
- Creating an Azure Linux VM with Ubuntu 20.04 with Terraform
- Failed to deploy path that does not exist
- Using Azure WAF for my server(not in Azure)
- How and where to define an environment variable on Azure
- Azure Data Factory - Unable to preview data
- Azure yaml trigger pipeline every 14 days on a Saturday