...
The Signature in the SAS token uses different parameters for different operation. The SAS token requires a signature string that has to be encoded and that is passed as a signature parameter to the to the toentoken.
The format of the signature string is:
...
The StringToSIgn is then encoded using the HMAC-SHA256 algorithm for the UTF-8-encoded signature string which is then passed to the request URI as a sig parameter to SAS Token:
Code Block | ||||
---|---|---|---|---|
| ||||
sig=$signature |
where $signature encoded StringToSign.
Encoding Signature String
After creating the Signature String it is required to encode the string to create a Shared Key which can then be passed to the Authorization headerSAS Token. The algorithm used for encoding is HMAC-SHA256 over the UTF-8-encoded signature string. The PowerShell instructions to encode the StringToSign are:
...
The SAS token is a query string that includes all of the required information about authorization, resources, permissions and time intervals. The SAS token has the following syntax:
Code Block | ||||
---|---|---|---|---|
| ||||
$sasToken = "sv=$Version" ` + "&ss=$Services" ` + "&srt=$ResourceTypes" ` + "&sp=$Permissions" ` + "&se=" + [System.Web.HttpUtility]::UrlEncode( $expiresIso ) ` + "&st=" + [System.Web.HttpUtility]::UrlEncode( $nowIso ) ` + "&spr=https" ` + "&sig=" + [System.Web.HttpUtility]::UrlEncode( $signature ) |
where $expiresIso and $nowIso is the are parameter with expiry date and the current date respectively. And $signature is the encoded signature. The parameter description are as follows:
...
LIST BLOB:
The LIST BLOB operation lists the blobs from the container. The signature and SAS token for LIST BLOB should have permission to access the list of the resource on services.Code Block title StringToSign for LIST BLOB operation collapse true $stringToSign = $Account + "`n" ` + $Permissions + "`n" ` + $Services + "`n" ` + $ResourceTypes + "`n" ` + $nowIso + "`n" ` + $expiresIso + "`n" ` + "`n" ` + "https" + "`n" ` + $Version + "`n"
Code Block title SAS Token for LIST BLOB collapse true $sasToken = "sv=$Version" ` + "&ss=$Services" ` + "&srt=$ResourceTypes" ` + "&sp=$Permissions" ` + "&se=" + [System.Web.HttpUtility]::UrlEncode( $expiresIso ) ` + "&st=" + [System.Web.HttpUtility]::UrlEncode( $nowIso ) ` + "&spr=https" ` + "&sig=" + [System.Web.HttpUtility]::UrlEncode( $signature )
where$Account is the storage account for which the HTTPS request is generated.
$Permission will be 'l' to grant permission for listing
$Services will be 'b' to provide the blob service
$ResourceType will be 'c' to use resource type as container
$nowIso is the URL-Decoded current time in UTC
- $expires is the URL_Decoded expiry time in UTC
GET BLOB:
The GTE BLOB operation retrieves the content of the blob. So, for the get operation it is required to have a read permission on the object to the blob serviceCode Block title StringToSign for GET BLOB operation collapse true $stringToSign = $Account + "`n" ` + $Permissions + "`n" ` + $Services + "`n" ` + $ResourceTypes + "`n" ` + $nowIso + "`n" ` + $expiresIso + "`n" ` + "`n" ` + "https" + "`n" ` + $Version + "`n"
Code Block title SAS Token for GET BLOB collapse true $sasToken = "sv=$Version" ` + "&ss=$Services" ` + "&srt=$ResourceTypes" ` + "&sp=$Permissions" ` + "&se=" + [System.Web.HttpUtility]::UrlEncode( $expiresIso ) ` + "&st=" + [System.Web.HttpUtility]::UrlEncode( $nowIso ) ` + "&spr=https" ` + "&sig=" + [System.Web.HttpUtility]::UrlEncode( $signature )
where$Account is the storage account for which the HTTPS request is generated.
$Permission will be 'r' to grant permission for listing
$Services will be 'b' to provide the blob service
$ResourceType will be 'o' to use resource type as container
$nowIso is the URL-Decoded current time in UTC
- $expires is the URL_Decoded expiry time in UTC
PUT BLOB
The PUT BLOB operation creates a new block blob or updates an existing block blob. The PUT BLOB operation creates a BLOB from the content of a file, therefore it is required to have requires write permission to the resource object in the blob seviceservice.Code Block title StringToSign for PUT BLOB operation collapse true $stringToSign = $Account + "`n" ` + $Permissions + "`n" ` + $Services + "`n" ` + $ResourceTypes + "`n" ` + $nowIso + "`n" ` + $expiresIso + "`n" ` + "`n" ` + "https" + "`n" ` + $Version + "`n"
Code Block where
title SAS Token for PUT BLOB collapse true $sasToken = "sv=$Version" ` + "&ss=$Services" ` + "&srt=$ResourceTypes" ` + "&sp=$Permissions" ` + "&se=" + [System.Web.HttpUtility]::UrlEncode( $expiresIso ) ` + "&st=" + [System.Web.HttpUtility]::UrlEncode( $nowIso ) ` + "&spr=https" ` + "&sig=" + [System.Web.HttpUtility]::UrlEncode( $signature )
where$Account is the storage account for which the HTTPS request is generated.
$Account is the storage account for which the HTTPS request is generated.
$Permission will be 'w' to grant permission for listing
$Services will be 'b' to provide the blob service
$ResourceType will be 'o' to use resource type as container
$nowIso is the URL-Decoded current time in UTC
- $expires is the URL_Decoded expiry time in UTC
...
LIST BLOB
The HTTPS request URI for the LIST BLOB operation just includes the container name. As the LIST operations lists all the blobs in the container. So the HTTPS request URI will be https://$($ownerAccount).blob.core.windows.net/$($container)?restype=container&comp=list&$($sasToekn) where $ownerAccount is the name of the storage account, $container is the name of the container and $sasToken is the the above generated Shared Access Signature Token.The HTTPS request and header syntax for LIST BLOB will be:
Code Block title Syntax for LIST BLOB collapse true Request Syntax GET https://$($ownerAccount).blob.core.windows.net/$($container)?restype=container&comp=list&$($sasToken) Request Headers x-ms-blob-type: BlockBlob x-ms-date: <date> x-ms-version: $Version
GET BLOB
The GET BLOB operation is used to read the blob content so it is required to pass the blob name with the URI. So the request URI for the GET BLOB will be https://$($ownerAccount).blob.core.windows.net/$($container)/$($blob)?$($sasToken) where $ownerAccount is the name of the storage account, $container is the name of the container, $blob is the name of the blob which is to be read and $sasToken is the the above generated Shared Access Signature Token. The HTTPS request and Header syntax for GET BLOB will be:Code Block title Syntax for GET BLOB collapse true Request Syntax GET https://$($ownerAccount).blob.core.windows.net/$($container)/$($blob)?$($sasToken) Request Headers x-ms-blob-type: BlockBlob x-ms-date: <date> x-ms-version: $Version
- PUT BLOB
The PUT BLOB operation is used to create a blob. So the URI for the PUT BLOB operation includes the name of the blob to be created and the content of the blob is to be passed with the HTTPS request body. The URI will be https://$($ownerAccount).blob.core.windows.net/$($container)/$($blob)?$($sasToken) where $ownerAccount is the name of the storage account, $container is the name of the container, $blob is the name of the blob which is to be created in the container and $sasToken is the the above generated Shared Access Signature Token.
Code Block title Syntax for PUT BLOB collapse true Request Syntax PUT https://$($ownerAccount).blob.core.windows.net/$($container)/$($blob)?$($sasToken) Request Headers x-ms-blob-type: BlockBlob x-ms-date: <date> x-ms-version: $Version Request Body: <Content of the File>
...