
I'm having difficulty using a Blob SAS token to write a file to a Blob in Azure via PowerShell.

The code I'm using to generate the SAS token is:

```powershell
$storageContext = Get-AzureRmStorageAccount -ResourceGroupName $resourceGroup -Name $storageName

$token = New-AzureStorageBlobSASToken -Container $conName -Context $storageContext.Context -Blob $blobName -ExpiryTime $expiry -Permission rw -FullUri
```

This generates a token as expected: `https://name.blob.core.windows.net/container/test.json?sv=2015-04-05&sr=b&sig=abc123&se=2017-03-07T12%3A58%3A52Z&sp=rw`

If I use this in the browser it's working fine and downloading the file as expected. However, I can't use this to upload a file. Whenever I try I'm receiving a (403) Forbidden. The code I'm using to upload is:

```powershell
$accountContext = New-AzureStorageContext -SasToken $sasToken

Get-AzureStorageContainer -Context $accountContext.Context | Set-AzureStorageBlobContent -File $blobFile
```

I've successfully been using a method similar to this to set Blob content after making a call to Add-AzureRmAccount to authenticate.

I've also tried to use a Container SAS token but I keep getting a 403 error with that.

The fact that the token works for a read leads me to believe that I'm missing something in my PowerShell script - can anyone shed any light on what that is?

Fermin

1 Answer

> The fact that the token works for a read leads me to believe that I'm missing something in my PowerShell script - can anyone shed any light on what that is?

I believe the problem is with the following line of code:

```powershell
Get-AzureStorageContainer -Context $accountContext.Context
```

Two things here:

  1. This cmdlet tries to list the blob containers in your storage account. In order to list blob containers using SAS, you would need an Account SAS, whereas the SAS you're using is a Container SAS.
  2. Your SAS only has Read and Write permission. For listing containers, you would need List permission as well.

I would recommend simply using the `Set-AzureStorageBlobContent` cmdlet and providing the necessary information to it instead of getting the container name through the pipeline.

```powershell
Set-AzureStorageBlobContent -File $blobFile -Container $conName -Context $accountContext.Context -Blob $blobName
```

Gaurav Mantri
  • I've confirmed that the call to `Get-AzureStorageContainer` is throwing a 403 when creating a `Blob SAS`. I changed my code to create a `Container SAS` with rwl and call `Set-AzureStorageBlobContent` directly but still getting a 403. – Fermin Mar 07 '17 at 11:46
  • Can you update your question with the latest code you're using? Thanks. – Gaurav Mantri Mar 07 '17 at 11:59
  • I've resolved the issue. What you have said is working, I was using the `-FullUri` flag when creating a SAS token. Removing this flag gave me the query string part of the token only which is now allowing me to upload the blob. Thanks. – Fermin Mar 07 '17 at 12:02
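
The resolved flow from this thread end to end, as an added example that is not code from the question or the answer: the Blob SAS is issued without `-FullUri`, and the upload names the container and blob directly instead of listing containers. The placeholder values, the 15-minute expiry, `-Protocol HttpsOnly` and the helper `Get-SasQueryString` are assumptions of this example.

```powershell
# Added example; every value below is a placeholder, not taken from the thread.
$resourceGroup = '<resource-group>'
$storageName   = '<storage-account>'
$conName       = '<container>'
$blobName      = 'test.json'
$blobFile      = 'C:\temp\test.json'   # hypothetical local file

# --- Issuer side: needs an authenticated session (e.g. after Add-AzureRmAccount) ---
$storageAccount = Get-AzureRmStorageAccount -ResourceGroupName $resourceGroup -Name $storageName

# Without -FullUri the cmdlet returns only the query string ("?sv=...&sig=..."),
# which is the form New-AzureStorageContext -SasToken expects.
# Scope stays at one blob (sr=b) with rw, short-lived and HTTPS-only.
$sasToken = New-AzureStorageBlobSASToken `
    -Container $conName -Blob $blobName `
    -Context $storageAccount.Context `
    -Permission rw `
    -Protocol HttpsOnly `
    -ExpiryTime (Get-Date).ToUniversalTime().AddMinutes(15)

# Hypothetical helper: if only a full SAS URI was handed over, keep just its
# query string before building a storage context from it.
function Get-SasQueryString {
    param([Parameter(Mandatory)][string]$SasUri)
    return ([System.Uri]$SasUri).Query   # includes the leading '?'
}

# --- Uploader side: holds nothing but the account name and the SAS token ---
$sasContext = New-AzureStorageContext -StorageAccountName $storageName -SasToken $sasToken

# Address the container and blob explicitly. Piping from Get-AzureStorageContainer
# would require listing containers, which a Blob SAS does not permit (403).
Set-AzureStorageBlobContent -File $blobFile `
    -Container $conName -Blob $blobName `
    -Context $sasContext
```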