0

How to create SAS url for azure blob storage using java How to generate azure blob storage SAS url using java?

do we have any api where i can expire any existing sas url?

Requirement: Generate any sas url with expiry time as 7 days and i want some api where i can reset this sas url at any point of time within expiry time limit.

but looks like we don't have this i guess and every time it will create new sas url but we can expire any existing sas url at any point of time.

Mohit Singh
  • 401
  • 1
  • 10
  • 30
  • `BlobServiceSasSignatureValues.setExpiryTime(OffsetDateTime expiryTime)` Method is used to set the time after which the SAS will no longer work. It may help. – unknown Nov 12 '20 at 08:38
  • @Pamela Peng my question is if i already has a sas url with expiry day as 7 days. and i want to expire it before 7 days can it be possbile? – Mohit Singh Nov 12 '20 at 08:45
  • If I don't misunderstand, you would like to expire the SAS token much earlier than expected. It seems impossible. Because you can not edit an existing SAS token once generated, and the SAS token will not change even though you generate a new one. – unknown Nov 12 '20 at 09:55

1 Answers1

0

You can create an access policy on the container with set start and end date. Then create a SAS token on the container or an individual blob using that policy. Once the policy is deleted it will also invalidate all SAS tokens that were generated with it.

public BlobServiceSasSignatureValues(String identifier)
//Where identifier is the name of the access policy

It's limited to 5 access policies on a table, but if you are a bit flexible on the expiration date you could make one each week, so every blob would be available for at least a week and up to two at most. It also implies that once you remove the policy all url's for that week no longer work.

I don't think there's any other way you are able to invalidate the generated url's apart from generating new accesss keys.

NotFound
  • 5,005
  • 2
  • 13
  • 33
  • looks like once sas url is generated we can't expire it before it expire itself when expiry time reach.. so there is no way we can achieve this right? and how azure is handling all this sas url is there any internal database they are using? or there is any other way where i can restrict the sas url so that it won't work? – Mohit Singh Nov 12 '20 at 08:35
  • @MohitSingh how it works internally is that they take it takes the querystring and uses a hashing algorithm (I think SHA-256) to create the signature, where your access key is used as hashing key. So there's no database that keeps track of SAS tokens. All it does is do a check whether the signature matches the hashed querystring. Therefore you also can't expire them unless you regenerate your access keys. – NotFound Nov 12 '20 at 09:00
  • what do you mean by regenerate your access keys? is that mean creating sas url again? creating new sas url won't expire the existing created sas url. if there is a way where i can create a new sas url that expire the old will also work for me – Mohit Singh Nov 12 '20 at 09:11
  • No. Your Azure Storage has two keys used for authentication. There are under the blade called 'Access Keys'. It's also part of the connectionstring. They are used as the key for hashing the querystring and that hash is placed as signature in the querystring to generate the full SAS token. – NotFound Nov 12 '20 at 10:40
  • got it .. as far i get to know is there is no way we can reset sas url – Mohit Singh Nov 12 '20 at 11:01
  • Yes you can't. You can only reset the access key it's based on or the access policy if you use one. – NotFound Nov 12 '20 at 11:04
  • is there any api for creating or deleting access policy using java – Mohit Singh Nov 12 '20 at 17:04