...

where SharedKey is the authorization scheme, Account name is the name of the account by which the request is generated, and Signature is the encoded StringToSign.

Signature String

The StringToSign parameters differ according to the operations:

  1. LIST BLOB:

    The LIST BLOB operation lists the blobs in the container. The StringToSign for LIST BLOB will be:

    StringToSign for LIST BLOB operation:
    $stringToSign  =     "GET" `
                         + "`n" `
                         + "`n" `
                         + "`n" `
                         + (($ContentLength -gt -1) ? $ContentLength : '') + "`n" `
                         + "`n" `
                         + "`n" `
                         + "`n" `
                         + "`n" `
                         + "`n" `
                         + "`n" `
                         + "`n" `
                         + "`n" `
                         + "x-ms-blob-type:BlockBlob" + "`n" `
                         + "x-ms-date:$(Get-Date (Get-Date $Now).ToUniversalTime() -Format 'R')" + "`n" `
                         + "x-ms-version:$Version" + "`n" `
                         + "/$Account/$Container" + "`n" `
                         + "comp:list" + "`n" `
                         + "restype:container"

    where $Account is the account by which the request is generated and $Container is the name of the container.

  2. GET BLOB:

    The GET BLOB operation returns the content of the blob, so the request must pass the name of the blob whose content is to be read. The StringToSign for GET BLOB will be:

    StringToSign for GET BLOB operation:
    $stringToSign  =     'GET' `
                         + "`n" `
                         + "`n" `
                         + "`n" `
                         + (($ContentLength -gt -1) ? $ContentLength : '') + "`n" `
                         + "`n" `
                         + "`n" `
                         + "`n" `
                         + "`n" `
                         + "`n" `
                         + "`n" `
                         + "`n" `
                         + "`n" `
                         + "x-ms-blob-type:BlockBlob" + "`n" `
                         + "x-ms-date:$(Get-Date (Get-Date $Now).ToUniversalTime() -Format 'R')" + "`n" `
                         + "x-ms-version:$Version" + "`n" `
                         + "/$Account/$Container/$Blob"

    where $Account is the account by which the request is generated, $Container is the name of the container, and $Blob is the name of the blob whose content is to be read.

  3. PUT BLOB:

    The PUT BLOB operation creates a new block blob or updates an existing block blob. PUT BLOB creates a blob with the length of the content in a file, so it is required to pass the length of the blob so that it can allocate that much memory in the container and write the file content to the blob. The StringToSign for PUT BLOB will be:

    StringToSign for PUT BLOB operation:
    $stringToSign  =     'PUT' `
                         + "`n" `
                         + "`n" `
                         + "`n" `
                         + (($ContentLength -gt -1) ? $ContentLength : '') + "`n" `
                         + "`n" `
                         + "`n" `
                         + "`n" `
                         + "`n" `
                         + "`n" `
                         + "`n" `
                         + "`n" `
                         + "`n" `
                         + "x-ms-blob-type:BlockBlob" + "`n" `
                         + "x-ms-date:$(Get-Date (Get-Date $Now).ToUniversalTime() -Format 'R')" + "`n" `
                         + "x-ms-version:$Version" + "`n" `
                         + "/$Account/$Container/$Blob"

    where $Account is the account by which the request is generated, $Container is the name of the container, and $Blob is the name of the blob which is to be created. The $ContentLength for the LIST BLOB and GET BLOB operations will be empty, but for PUT BLOB it is required to pass the content length of the file to be created.

Encoding Signature String

After creating the signature string, it must be encoded to create the Shared Key signature, which can then be passed in the Authorization header. The algorithm used for encoding is HMAC-SHA256 over the UTF-8-encoded signature string, keyed with the Base64-decoded access key; the resulting hash is then Base64-encoded. The PowerShell script used to encode the StringToSign is:

Encoded StringToSign:
$hmac = New-Object System.Security.Cryptography.HMACSHA256
$hmac.key = [Convert]::FromBase64String( $AccessKey )
 
$signature = $hmac.ComputeHash( [Text.Encoding]::UTF8.GetBytes( $stringToSign ) )
$signature = [Convert]::ToBase64String( $signature )

where $AccessKey is the access key for the Azure blob container and $stringToSign is the signature string, which depends on the type of operation.
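
The three signature strings and the encoding step above, combined into one function as an added example (not code from the original page). It goes beyond the hard-coded strings by sorting header and query names itself, so the signed string does not depend on the order the caller supplies them. The function name, its parameters, and the account, key, date and version values are assumptions constructed for illustration; pass in $MsHeaders exactly the x-ms-* headers the request will carry.

```powershell
# Added example; function and parameter names are hypothetical, not from the page.
function New-SharedKeyAuthorization {
    param(
        [Parameter(Mandatory)][ValidateSet('GET', 'PUT')][string]$Verb,
        [Parameter(Mandatory)][string]$Account,
        [Parameter(Mandatory)][string]$AccessKey,  # Base64 text of the access key
        [Parameter(Mandatory)][string]$Container,
        [string]$Blob = '',                        # empty for LIST BLOB
        [long]$ContentLength = -1,                 # -1 leaves the field empty
        [hashtable]$MsHeaders = @{},               # x-ms-* headers the request carries
        [hashtable]$Query = @{}                    # e.g. comp=list, restype=container
    )
    # Eleven header fields follow the verb; only Content-Length (the third) is set here.
    $fields = @('') * 11
    if ($ContentLength -gt -1) { $fields[2] = "$ContentLength" }

    # Lower-case names and sort ordinally so caller ordering cannot change the signature.
    $h = [System.Collections.Generic.SortedDictionary[string,string]]::new([StringComparer]::Ordinal)
    foreach ($e in $MsHeaders.GetEnumerator()) { $h["$($e.Key)".ToLowerInvariant()] = "$($e.Value)".Trim() }
    $q = [System.Collections.Generic.SortedDictionary[string,string]]::new([StringComparer]::Ordinal)
    foreach ($e in $Query.GetEnumerator()) { $q["$($e.Key)".ToLowerInvariant()] = "$($e.Value)" }

    $resource = "/$Account/$Container"
    if ($Blob) { $resource += "/$Blob" }

    # Verb, the eleven fields, sorted x-ms-* headers, resource path, sorted query pairs.
    $lines = @($Verb) + $fields
    foreach ($kv in $h.GetEnumerator()) { $lines += "$($kv.Key):$($kv.Value)" }
    $lines += $resource
    foreach ($kv in $q.GetEnumerator()) { $lines += "$($kv.Key):$($kv.Value)" }
    $stringToSign = $lines -join "`n"

    $hmac = New-Object System.Security.Cryptography.HMACSHA256
    try {
        $hmac.Key = [Convert]::FromBase64String($AccessKey)
        $sig = [Convert]::ToBase64String($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($stringToSign)))
    } finally { $hmac.Dispose() }   # release the key material held by the HMAC object
    [pscustomobject]@{ StringToSign = $stringToSign; Authorization = "SharedKey ${Account}:$sig" }
}

# Constructed sample values: not a real account, key or request.
$key    = [Convert]::ToBase64String([byte[]](1..32))
$common = @{ 'x-ms-version' = '2019-12-12'; 'x-ms-date' = 'Mon, 01 Jan 2024 00:00:00 GMT' }
$list = New-SharedKeyAuthorization -Verb GET -Account 'exampleacct' -AccessKey $key `
    -Container 'docs' -MsHeaders $common -Query @{ restype = 'container'; comp = 'list' }
$put = New-SharedKeyAuthorization -Verb PUT -Account 'exampleacct' -AccessKey $key -Container 'docs' `
    -Blob 'a.txt' -ContentLength 11 -MsHeaders ($common + @{ 'x-ms-blob-type' = 'BlockBlob' })
$list.Authorization
$put.StringToSign
```

When a request is rejected, compare the returned StringToSign byte for byte with what the request actually sent, and keep the access key and the computed signature out of logs.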