Skip to content
This repository has been archived by the owner on May 8, 2024. It is now read-only.

How to create a SAS using a Stored Access Policy #324

Open
georgeboot opened this issue Feb 24, 2022 · 1 comment
Open

How to create a SAS using a Stored Access Policy #324

georgeboot opened this issue Feb 24, 2022 · 1 comment

Comments

@georgeboot
Copy link

georgeboot commented Feb 24, 2022
edited
Loading

Which service(blob, file, queue, table) does this issue concern?

blob

Which version of the SDK was used?

1.5.3

What's the PHP/OS version?

8.1.0

What problem was encountered?

I can't create a SAS using just a Stored Access Policy. The helpers always want a list of permissions and the expiry date.

However, when using Microsoft Azure Storage Explorer, I can generate a SAS that has only the sv, si, sr and sig.

When trying to create a SAS using BlobSharedAccessSignatureHelper::generateBlobServiceSharedAccessSignatureToken and by supplying the permissions and dates from the SAP, I do get a SAS url but it doesn't work.

Steps to reproduce the issue?

$accountName = 'testaccount';
$accountKey = 'blaaa';
$container = 'my-test-container';
$storedAccessPolicy = 'randomname';
// policy is set up to have `rawdl` permissions, and is valid between 2022-02-24T09:29Z and 2022-05-29T08:29Z

$helper = new BlobSharedAccessSignatureHelper($accountName, $accountKey);

$sas = $helper->generateBlobServiceSharedAccessSignatureToken(
	BlobResources::RESOURCE_TYPE_CONTAINER,
  	$container,
  	'rawdl',
  	'2022-05-29T08:29Z',
  	'2022-02-24T09:29Z',
  	'',
  	'',
  	$storedAccessPolicy,
);

The helper outputs (SAS doesn't work):

sv=2017-11-09&sr=c&st=2022-02-24T09:29Z&se=2022-05-29T08:29Z&sp=rawdl&si=randomname&sig=hORQL7MeB0vDoqWQyS0CaNtH8bGELwo8iaX8i54WJPQ%3D

However, the Microsoft Azure Storage Explorer, generates the following through the UI (working SAS):

sv=2020-10-02&si=randomname&sr=c&sig=oI1XBqZHeGjRqEluyeMlb1tV%2Fy%2B0Vdm7wiJ0H43C5Lg%3D

I tried generating the SAS myself, but I can't figure out what to sign. The documentation is very vague about it.

I tried the following:

$stringToSign = implode("\n", [
    'rawdl',
    '2022-02-24T09:29Z',
    '2022-05-29T08:29Z',
    '/testaccount/my-test-container',
    'randomname',
    '2020-10-02',
]);

$stringToSign = implode("\n", [
    '/testaccount/my-test-container',
    'randomname',
    '2020-10-02',
]);

$stringToSign = implode("\n", [
    'rawdl',
    '2022-02-24T09:29Z',
    '2022-05-29T08:29Z',
    '/blob/testaccount/my-test-container',
    'randomname',
    '2020-10-02',
]);

$stringToSign = implode("\n", [
    '/blob/testaccount/my-test-container',
    'randomname',
    '2020-10-02',
]);

None of these work. They all produce incorrect signatures.
@georgeboot
Copy link
Author

georgeboot commented Feb 24, 2022
edited
Loading

Turns out, the correct string to sign should be like this (reverse enigineered from Python SDK for Azure Blob):

$stringToSign = implode("\n", [
    '',
    '',
    '',
    "/blob/{$accountName}/{$container}",
    $storedAccessPolicy,
    '',
    '',
    '2020-10-02',
    'c',
    '',
    '',
    '',
    '',
    '',
    '',
]);

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@georgeboot