Azure SAS Token not working with Azure.Storage.Blobs BlobServiceClient

Question

I am using Azure.Storage.Blobs v12.1.0 library. I am generating a Blob Level SAS token using user delegation with Azure Service Principal Credentials, and trying to upload a blob using SAS Token generated. I have followed exactly this code sample from Azure to generate the SAS Token.

Here is the code I am using to create SAS Token :

string blobEndpoint = string.Format("https://{0}.blob.core.windows.net", storageProviderSettings.AccountName);

        TokenCredential credential =
            new ClientSecretCredential(
                storageProviderSettings.TenantId,
                storageProviderSettings.ClientId,
                storageProviderSettings.ClientSecret,
                new TokenCredentialOptions());

        BlobServiceClient blobServiceClient = new BlobServiceClient(new Uri(blobEndpoint),
                                                            credential);

        BlobContainerClient containerClient = blobServiceClient.GetBlobContainerClient(containerName);
        BlobClient blobClient = containerClient.GetBlobClient(blobName);

        var delegationKey = await blobServiceClient.GetUserDelegationKeyAsync(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(7));
        BlobSasBuilder sasBuilder = new BlobSasBuilder()
        {
            BlobContainerName = containerName,
            BlobName = blobName,
            Resource = "b",
            StartsOn = DateTimeOffset.UtcNow,
            ExpiresOn = DateTimeOffset.UtcNow.AddSeconds(expirySeconds)
        };
        sasBuilder.SetPermissions(BlobSasPermissions.All);
        // if (withDownloadAccess) {
        //     sasBuilder.SetPermissions(BlobSasPermissions.Read);
        // }
        // if (withDeleteAccess) {
        //     sasBuilder.SetPermissions(BlobSasPermissions.Delete);
        // }
        Console.WriteLine(sasBuilder.Permissions);
        var sasQueryParams = sasBuilder.ToSasQueryParameters(delegationKey, storageProviderSettings.AccountName).ToString();
        UriBuilder sasUri = new UriBuilder()
        {
            Scheme = "https",
            Host = string.Format("{0}.blob.core.windows.net", storageProviderSettings.AccountName),
            Path = string.Format("{0}/{1}", containerName, blobName),
            Query = sasQueryParams
        };

        BlobServiceClient service = new BlobServiceClient(sasUri.Uri);

        await service.GetPropertiesAsync();

        Settings tmpUploadCredentials = CreateTemporaryAzureStorageProviderSettings(sasUri, storageProviderSettings);

        Console.WriteLine(tmpUploadCredentials.ConnectionString);
        return tmpUploadCredentials;

The SAS Token is created and the Get Blob is working perfectly fine if i keep it in browser but using the BlobServiceClient if i am trying to upload the file or perform any action it is now working. To check if it is authenticated or not i have written this line await service.GetPropertiesAsync(); which is throwing the following error:

Any Help would be greatly appreciated.

Answer 1

According to my test, service.GetPropertiesAsync(); is an action on account. It means that it will call the Get Blob Service Properties rest api to get the properties of the account's blob service. However, when you create BlobServiceClient, you provide the blob url. The blob do not support the action. So you will get the error. It will want to to get the properties of a blob, please call the api. So, please update your code as following code

 BlobClient blobClient = new BlobClient(sasUri, null);
blobClient.GetPropertiesAsync();

For more details, please refer to https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blob-user-delegation-sas-create-dotnet#get-the-user-delegation-key