Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Azure blob container shared access signature expiring

I'm having trouble with Azure Blobs and Shared Access Signatures when they expire. I need to grant access to a blob for longer than 1 hour (7 days), so I'm using a named container policy, but unfortunately I can't seem to generate new urls once those 7 days are up.

I have the following code to create the "default" policy. Note in this code, I'm setting the expiration to be 1 minute from now, to make it easier to test:

CloudStorageAccount account = new CloudStorageAccount(credentials, true);

CloudBlobClient client = new CloudBlobClient(account.BlobEndpoint, credentials);

CloudBlobContainer container = client.GetContainerReference("files");

SharedAccessPolicy sharedAccessPolicy = new SharedAccessPolicy();
sharedAccessPolicy.Permissions = SharedAccessPermissions.Read;
sharedAccessPolicy.SharedAccessStartTime = DateTime.UtcNow;
sharedAccessPolicy.SharedAccessExpiryTime = DateTime.UtcNow.AddMinutes(1);

BlobContainerPermissions blobContainerPermissions = new BlobContainerPermissions();
blobContainerPermissions.SharedAccessPolicies.Add("default", sharedAccessPolicy);

container.SetPermissions(blobContainerPermissions);

I then create a SharedAccessSignature url with the following:

CloudStorageAccount account = new CloudStorageAccount(credentials, true);

CloudBlobClient client = new CloudBlobClient(account.BlobEndpoint, credentials);

CloudBlobContainer container = client.GetContainerReference("files");

CloudBlob blob = container.GetBlobReference(path);

string sas = blob.GetSharedAccessSignature(new SharedAccessPolicy(), "default");

Console.WriteLine(blob.Uri.AbsoluteUri + sas);

This generates a url, and the url works properly for the next minute (or 7 days in the real code). Once the one minute is over, the url is invalid and no longer works, as expected.

But once that expiration is past, I run the code again to generate a new url. Unfortunately, it generates the same url, which is still invalid.

Are the start/end times for container policies absolute, meaning when I set that policy right now:

sharedAccessPolicy.SharedAccessStartTime = DateTime.UtcNow;
sharedAccessPolicy.SharedAccessExpiryTime = DateTime.UtcNow.AddMinutes(1);

anything using that policy is only valid from 10:10am (EDT) to 10:11am (EDT) today?

like image 224
mfanto Avatar asked Jul 18 '12 14:07

mfanto


1 Answers

One thing you could do is create your access policy without expiry date. You specify the expiry date when you're creating the signed URL.

So your code would look something like:

        SharedAccessPolicy sharedAccessPolicy = new SharedAccessPolicy();
        sharedAccessPolicy.Permissions = SharedAccessPermissions.Read;
        sharedAccessPolicy.SharedAccessStartTime = DateTime.UtcNow;
        //sharedAccessPolicy.SharedAccessExpiryTime = DateTime.UtcNow.AddMinutes(1); No need to define expiry time here.

        BlobContainerPermissions blobContainerPermissions = new BlobContainerPermissions();
        blobContainerPermissions.SharedAccessPolicies.Add("default", sharedAccessPolicy);

        container.SetPermissions(blobContainerPermissions);

        Console.WriteLine("Press any key to continue....");
        Console.ReadLine();
        CloudBlob blob = container.GetBlobReference(path);

        string sas = blob.GetSharedAccessSignature(new SharedAccessPolicy()
        {
            SharedAccessExpiryTime = DateTime.UtcNow.AddDays(7),//add expiry date only when you're creating the signed URL
        }
            , "default");

        Console.WriteLine(blob.Uri.AbsoluteUri + sas);

        Process.Start(new ProcessStartInfo(blob.Uri.AbsoluteUri + sas));

        Console.WriteLine("Press any key to continue....");
        Console.ReadLine();

Will this work for you? Obviously you would need to regenerate the URL after 7 days but you don't have to make any changes to your access policy.

Hope this helps.

like image 137
Gaurav Mantri Avatar answered Nov 20 '22 05:11

Gaurav Mantri