I'm not sure I understand the purpose of Access Policies at the moment, or at least how you can use them programmatically. If I create a Storage Access policy with certain permissions, how can I then programmatically use that access policy? I can create it like this (taken from here):
var signedIdentifiers = new List<BlobSignedIdentifier>
{
new BlobSignedIdentifier
{
Id = "SomeIdentifier",
AccessPolicy = new BlobAccessPolicy
{
StartsOn = DateTime.UtcNow,
ExpiresOn = DateTime.UtcNow.AddMinutes(30),
Permissions = "w"
}
}
};
await containerClient.SetAccessPolicyAsync(permissions: signedIdentifiers);
So I've create the access policy, so how can I now create access to that container using that access policy? Do I need to generate a SAS somehow? If so, how will that SAS make sure it uses the permissions from that access policy? The fact it's a list suggests that more than one policy can be created.
CodePudding user response:
So I've create the access policy, so how can I now create access to that container using that access policy? Do I need to generate a SAS somehow?
That is correct. You will need to generate a SAS Token using this access policy. If you are generating a SAS Token on the blob container, you will use GenerateSasUri method and specify the access policy id (signed identifier) as BlobSasBuilder.Identifier.
If so, how will that SAS make sure it uses the permissions from that access policy?
When you create a SAS URL that makes use of an access policy, you will notice that access policy id in your SAS URL in si query parameter (https://docs.microsoft.com/en-us/rest/api/storageservices/create-service-sas#specifying-the-signed-identifier). That would tell Azure Storage to make use of the signed access policy for SAS Token verification.
The fact it's a list suggests that more than one policy can be created.
That is correct. A blob container can have a maximum of 5 access policies. You can read more about it here: https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy.