I'm not sure I understand the purpose of Access Policies at the moment, or at least how you can use them programmatically. If I create a Storage Access policy with certain permissions, how can I then programmatically use that access policy? I can create it like this (taken from here):
var signedIdentifiers = new List<BlobSignedIdentifier>
{
new BlobSignedIdentifier
{
Id = "SomeIdentifier",
AccessPolicy = new BlobAccessPolicy
{
StartsOn = DateTime.UtcNow,
ExpiresOn = DateTime.UtcNow.AddMinutes(30),
Permissions = "w"
}
}
};
await containerClient.SetAccessPolicyAsync(permissions: signedIdentifiers);
So I've create the access policy, so how can I now create access to that container using that access policy? Do I need to generate a SAS somehow? If so, how will that SAS make sure it uses the permissions from that access policy? The fact it's a list suggests that more than one policy can be created.
CodePudding user response:
So I've create the access policy, so how can I now create access to that container using that access policy? Do I need to generate a SAS somehow?
That is correct. You will need to generate a SAS Token using this access policy. If you are generating a SAS Token on the blob container, you will use GenerateSasUri
method and specify the access policy id (signed identifier) as BlobSasBuilder.Identifier
.
If so, how will that SAS make sure it uses the permissions from that access policy?
When you create a SAS URL that makes use of an access policy, you will notice that access policy id in your SAS URL in si
query parameter (https://docs.microsoft.com/en-us/rest/api/storageservices/create-service-sas#specifying-the-signed-identifier). That would tell Azure Storage to make use of the signed access policy for SAS Token verification.
The fact it's a list suggests that more than one policy can be created.
That is correct. A blob container can have a maximum of 5 access policies. You can read more about it here: https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy.