Windows Azure Stored Access Policy Delete
I want to download blobs using shared signatures, SAS.
I also want to be able to remove the active SAS URI and if I understand it correctly, I have to use a stored access policy to do this.
What confuses me is how I can remove the policy. I also read that you can only have 5 saved access policies?
My goal here is to strip the active SAS URI. The only way I can think of this is to delete the policy that the SAS URI is associated with, right? If I have hundreds of files in my blob storage, how in the world can I make this work? Can't I have one policy for each blob? 5 - maximum policy?
This code demonstrates how I add a policy and how I create a SAS URI that uses this policy from which users can boot.
static void CreateSharedAccessPolicy(CloudBlobContainer container)
{
//Create a new stored access policy and define its constraints.
SharedAccessBlobPolicy sharedPolicy = new SharedAccessBlobPolicy()
{
SharedAccessExpiryTime = DateTime.UtcNow.AddHours(10),
Permissions = SharedAccessBlobPermissions.Read | SharedAccessBlobPermissions.Write | SharedAccessBlobPermissions.List
};
//Get the container existing permissions.
BlobContainerPermissions permissions = new BlobContainerPermissions();
//Add the new policy to the container permissions.
permissions.SharedAccessPolicies.Clear();
permissions.SharedAccessPolicies.Add("PolicyName", sharedPolicy);
container.SetPermissions(permissions);
}
static string GetBlobSasUriWithPolicy(CloudBlobContainer container, string policyName)
{
//Get a reference to a blob within the container.
CloudBlockBlob blob = container.GetBlockBlobReference("file_name");
//Generate the shared access signature on the blob.
string sasBlobToken = blob.GetSharedAccessSignature(null, "PolicyName");
//Return the URI string for the container, including the SAS token.
return blob.Uri + sasBlobToken;
}
The final question is how to delete a policy? It's simple:
permissions.SharedAccessPolicies.Remove("PolicyName");
source to share
My goal here is to strip the active SAS URI. The only way I can think of this is to remove the policy that the SAS URI is associated with, right?
Partly correct. Removing an access policy is one way to do this. Another would be to change the name of the policy (policy ID). For example, if the identifier is a policy mypolicy
, then changing it to mypolicy1
will have the same effect as deleting the policy.
If I have hundreds of files in my blob storage, how in the world can I make this work?
As you already know, access policy is defined at the blob container level, not at the blob level. Removing / invalidating the access policy will invalidate the SAS URL for all blocks in that container.
Can't I have one policy for each blob? 5 is the maximum policy?
It is right.
The final question is how to delete a policy? It's that simple: permissions.SharedAccessPolicies.Remove ("PolicyName");
It is right. However, keep this in mind. You can use something like:
var cloudStorageAccount = CloudStorageAccount.DevelopmentStorageAccount;
var blobClient = cloudStorageAccount.CreateCloudBlobClient();
var container = blobClient.GetContainerReference("container-name");
var containerPermissions = container.GetPermissions();
containerPermissions.SharedAccessPolicies.Remove("access-policy-id");
container.SetPermissions(containerPermissions);
source to share