0

I am trying to create a temporary URL for an Azure Storage blob. I created the URL with the help of the commands below.

    const sasToken = generateBlobSASQueryParameters(sasOptions, sharedKeyCredential).toString();

    sasUrls[serialNo] = `${containerClient.getBlockBlobClient(blobName).url}?${sasToken}`;

From the 2nd line of code, the SAS URL is formed with the permanent URI. So even if I share the temporary URL, which has some expiry time, with someone, they can see/take the blob's permanent URI and use it after the expiry time as well. So what is the use of a temporary link? Is there any way or method to hide my permanent URI in the temporary link?

Please guide me if I am wrong.

FYI: I am using TypeScript.

kira
  • They can see the URL but they shouldn't be able to use it unless you allow public access to the container/blob. You could have a custom domain for your blob storage endpoint, but I am not sure whether that's the right solution for your problem. https://learn.microsoft.com/en-us/azure/storage/blobs/storage-custom-domain-name?tabs=azure-portal – Jeremy Meng Sep 27 '21 at 18:34
  • Jeremy's comment is spot-on: SAS is specific to helping make a private URL public for a short period of time. Past that time, the SAS is invalid. Having the raw link doesn't help anyone at that point. You effectively don't have an issue here - all good. – David Makogon Sep 29 '21 at 12:05
  • Thank you Jeremy! By setting the container as private, no one will be able to access the original URI. So to get the blob, we can use either the temporary link (for a third party) or the local download option or any other (for the owner or the one who uploaded the data). – kira Oct 18 '21 at 06:24
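
The point made in the comments above, as an added example (not code from the original posts and not the Azure SDK): the bare blob URI carries no authorization, and the expiry cannot be edited because it is covered by the signature. The string-to-sign is a simplified assumption, and `makeSasUrl`, `authorize`, the account name and the key are hypothetical, constructed values.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

type Decision = "allowed:public" | "allowed:sas" | "denied:anonymous"
  | "denied:expired" | "denied:bad-signature";

// ASSUMPTION: simplified string-to-sign (path, sp, se). The real service signs
// more fields, but the principle is the same: expiry is covered by the HMAC.
const sign = (key: string, path: string, sp: string, se: string): string =>
  createHmac("sha256", key).update([path, sp, se].join("\n")).digest("base64");

// Hypothetical helper: issue a read-only SAS URL in this model.
function makeSasUrl(blobUrl: string, key: string, expiresOn: Date): string {
  const u = new URL(blobUrl);
  const se = expiresOn.toISOString();
  const sig = sign(key, u.pathname, "r", se);
  u.search = new URLSearchParams({ sp: "r", se, sig }).toString();
  return u.toString();
}

// Hypothetical model of the decision made for a GET on `url` at time `now`.
function authorize(url: string, key: string, containerIsPublic: boolean, now: Date): Decision {
  const u = new URL(url);
  const sp = u.searchParams.get("sp");
  const se = u.searchParams.get("se");
  const sig = u.searchParams.get("sig");
  if (!sp || !se || !sig) {
    // Bare "permanent" URI: served only when anonymous access is enabled.
    return containerIsPublic ? "allowed:public" : "denied:anonymous";
  }
  const expected = Buffer.from(sign(key, u.pathname, sp, se));
  const given = Buffer.from(sig);
  // Verify the signature first, so an edited `se` is rejected, not trusted.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return "denied:bad-signature";
  }
  const expiry = Date.parse(se);
  if (Number.isNaN(expiry) || now.getTime() >= expiry) return "denied:expired";
  return "allowed:sas";
}

// Constructed sample: account name, key and times are made up.
const demoUrl = makeSasUrl("https://exampleaccount.blob.core.windows.net/docs/report.pdf",
  "constructed-key", new Date("2021-09-27T19:00:00Z"));
const demoLater = new Date("2021-09-27T19:30:00Z");
console.log(authorize(demoUrl, "constructed-key", false, demoLater));               // expired SAS
console.log(authorize(demoUrl.split("?")[0], "constructed-key", false, demoLater)); // bare URI, private
```

With the container private, every path that does not present a valid, unexpired signature ends in a denial, which is why seeing the base URI gives the recipient nothing.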

1 Answer

-1

Please check whether the cases referred to below partially narrow down your requirement.

  1. See if the SAS token can be replaced with a display name and sent in the request header (see reference i).
  2. You can make use of cache control using a CDN (as in the comment): Manage expiration - CDN.
  3. With a Cache-Control header that is publicly accessible and has max-age set to an expiration time equal to that of the SAS expiry.

Ex:

    blockBlob.Properties.CacheControl = "max-age=300, must-revalidate";
    blockBlob.SetProperties(); // 300 seconds

Or

var headers = new SharedAccessBlobHeaders() { CacheControl = "max-age=" +  };

If private is set, you can set max-age=0, no-cache, no-store.

Note: With this, if the client requests the blob, it will not use the cached blob in the CDN (which is already expired). Instead, it will directly request the blob stored in blob storage.

  4. You can use a stored access policy to change the expiry time, or to revoke it after it has been issued.

References:

i. Securing SAS Token from Azure Logic Apps

ii. Manage stored access policies

iii. SO reference-cache control

kavyaS
  • This answer has nothing to do with the OP's question. And the OP's question is about misunderstanding public vs private blobs. They didn't post any trouble with caching or SAS. – David Makogon Sep 29 '21 at 12:04