1

I am using libraries Microsoft.Azure.Storage.Blob 11.2.3.0 and Microsoft.Azure.Storage.Common 11.2.3.0 to connect to an Azure BlobStorage from a .NET Core 3.1 application.

When I started working on this, I had been given connection strings that gave me full access to the BlobStorage (or rather, the entire cloud storage account). Based upon those, I chose to write my connection code "defensively", making use of Exists() and CreateIfNotExists() from the CloudBlobContainer class to ensure the application would not fail when a container was not yet existing.


Now, I'm connecting to a BlobStorage container using a SAS. While I can freely retrieve and upload blobs within the container like this, unfortunately, it seems that I am not allowed to do anything on the container level. Not only CreateIfNotExists, but even the mere querying of existence by Exists() throws a StorageException saying

This request is not authorized to perform this operation.

The documentation does not mention the exception.

Is there any way to check preemptively whether I am allowed to check the container's existence?

I have tried looking into the container permissions retrieved from GetPermissions, but that will throw an exception, as well.

The only other alternative I can see is to check for container existence within a try-catch-block and assume existence if an exception is thrown ...

F-H

2 Answers

3

There's no definitive way to identify if an operation can be performed using a SAS token other than performing that operation and catching any exception that may be thrown by the operation. The exception that is of your interest is Unauthorized (403).

However, you can try to predict if an operation can be performed by looking at the SAS token. If it is a Service SAS Token and not an Account SAS Token, that means all the account related operations are not allowed. The way to distinguish between an Account SAS token and a Service SAS token is that the former will contain attributes like SignedServices (ss) and SignedResourceTypes (srt).

Next thing you would want to do is look for SignedPermissions (sp) attribute in your SAS token. This attribute will tell you what all operations are possible with the SAS token. For example, if your SAS token is a Service SAS token and if it includes Delete (d) permission, that would mean you can use this SAS token to delete a blob.

Please see these tables for the permissions/allowed operations combinations:

Please note that the operation might still fail for any number of reasons like SAS token has expired, account key has changed since the generation of SAS token, IP restrictions etc.

Gaurav Mantri
  • Very helpful, thanks. "SAS token has expired, account key has changed since the generation of SAS token, IP restrictions" - these should all be fine; if they apply, they will also prevent the execution of any of the crucial operations I perform on the blobs rather than just the existence checks I add for increased robustness. – F-H Nov 26 '21 at 11:03
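To make the two approaches in this answer concrete, here is an added C# example (not code from the question or from either answer) written against the same Microsoft.Azure.Storage.Blob 11.x library the question uses. It parses the SAS query string, classifies the token as account or service SAS by the presence of ss/srt, reads sp and se, and applies the answer's rule of thumb for container-level calls; it then wraps Exists() so that a 403 is reported as "unknown" instead of failing the caller. The sample token, the account name and the container name are constructed placeholders, and the container-level rule is a prediction, as the answer says, not an authoritative check.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using Microsoft.Azure.Storage;
using Microsoft.Azure.Storage.Auth;
using Microsoft.Azure.Storage.Blob;

public sealed class SasInfo
{
    public bool IsAccountSas { get; set; }          // true when ss and srt are present
    public string SignedResource { get; set; }      // sr (service SAS): "b" blob, "c" container
    public string SignedResourceTypes { get; set; } // srt (account SAS): any of s, c, o
    public string Permissions { get; set; }         // sp: r, a, c, w, d, l, ...
    public DateTimeOffset? Expiry { get; set; }     // se
}

public static class SasInspector
{
    // Split "?sv=...&sp=rl&..." into its fields (keys are case-sensitive).
    public static Dictionary<string, string> ParseQuery(string sasToken)
    {
        var fields = new Dictionary<string, string>(StringComparer.Ordinal);
        foreach (string pair in sasToken.TrimStart('?').Split('&', StringSplitOptions.RemoveEmptyEntries))
        {
            int eq = pair.IndexOf('=');
            string key = eq < 0 ? pair : pair.Substring(0, eq);
            string value = eq < 0 ? "" : Uri.UnescapeDataString(pair.Substring(eq + 1));
            fields[key] = value;
        }
        return fields;
    }

    public static SasInfo Inspect(string sasToken)
    {
        Dictionary<string, string> f = ParseQuery(sasToken);
        string Get(string key) => f.TryGetValue(key, out string v) ? v : "";
        var info = new SasInfo
        {
            // An account SAS carries ss and srt; a service SAS carries sr instead.
            IsAccountSas = f.ContainsKey("ss") && f.ContainsKey("srt"),
            SignedResource = Get("sr"),
            SignedResourceTypes = Get("srt"),
            Permissions = Get("sp"),
        };
        if (DateTimeOffset.TryParse(Get("se"), CultureInfo.InvariantCulture,
                DateTimeStyles.AssumeUniversal, out DateTimeOffset expiry))
            info.Expiry = expiry;
        return info;
    }

    // Rule of thumb for container-level calls such as Exists(): the token must be
    // scoped to containers ('c' in srt for an account SAS, sr=c for a service SAS),
    // carry read permission, and not be expired. This only predicts; the service decides.
    public static bool LikelyAllowsContainerLevel(SasInfo info)
    {
        bool scopedToContainers = info.IsAccountSas
            ? info.SignedResourceTypes.Contains('c')
            : info.SignedResource == "c";
        bool notExpired = !info.Expiry.HasValue || info.Expiry.Value > DateTimeOffset.UtcNow;
        return scopedToContainers && info.Permissions.Contains('r') && notExpired;
    }
}

public static class ContainerProbe
{
    // true/false when the service answered; null when the SAS is not authorized for the
    // call (HTTP 403). Other failures (network, expired token, bad signature) still propagate.
    public static bool? TryExists(CloudBlobContainer container)
    {
        try
        {
            return container.Exists();
        }
        catch (StorageException ex) when (ex.RequestInformation?.HttpStatusCode == 403)
        {
            return null;
        }
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample: a service SAS scoped to one container with read+list.
        const string sasToken = "?sv=2020-08-04&sr=c&sp=rl&se=2030-01-01T00:00:00Z&sig=SIGNATURE_PLACEHOLDER";
        SasInfo info = SasInspector.Inspect(sasToken);
        Console.WriteLine($"account SAS: {info.IsAccountSas}, sp: {info.Permissions}, container-level likely allowed: {SasInspector.LikelyAllowsContainerLevel(info)}");

        // Placeholder account and container names; replace with your own.
        var account = new CloudStorageAccount(new StorageCredentials(sasToken), "ACCOUNT_NAME_PLACEHOLDER", null, true);
        CloudBlobContainer container = account.CreateCloudBlobClient().GetContainerReference("example");
        bool? exists = ContainerProbe.TryExists(container);
        Console.WriteLine(exists.HasValue
            ? $"container exists: {exists.Value}"
            : "existence check not authorized for this SAS; continuing with blob operations");
    }
}
```

The three-valued result of TryExists is the point of the wrapper: a 403 on Exists() tells you nothing about whether the container is there, so the caller should carry on with the blob operations it is actually authorized for rather than treat the probe as fatal, while every other StorageException still surfaces.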
0

I tried this on my system to check whether the container exists or not and was able to check it; if the container did not exist, I created the container and was able to upload a file.

You need to give proper permissions to your SAS Token.

[Screenshot of the SAS token permission settings in the Azure portal, not reproduced here]

            // Requires: using Microsoft.Azure.Storage; using Microsoft.Azure.Storage.Auth; using Microsoft.Azure.Storage.Blob;
            const string sasToken = "SAS Token";          // the SAS token, e.g. "?sv=...&sig=..."
            const string accountName = "teststorage65";
            const string blobContainerName = "example";
            const string blobName = "test.txt";
            const string myFileLocation = @"Local Path ";

            // Build the credentials from the SAS token (the posted snippet used
            // storageCredentials without declaring it).
            var storageCredentials = new StorageCredentials(sasToken);
            var storageAccount = new CloudStorageAccount(storageCredentials, accountName, null, true);
            CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient();
            CloudBlobContainer blobContainer = blobClient.GetContainerReference(blobContainerName);

            // Container-level calls: these need a SAS that permits container operations.
            bool result = blobContainer.Exists();
            if (result)
            {
                Console.WriteLine("Container exists");
            }
            else
            {
                Console.WriteLine("Container does not exist");
                Console.WriteLine("Creating Container   " + blobContainerName);
                blobContainer.CreateIfNotExists();
            }

            // Blob-level call
            CloudBlockBlob cloudBlob = blobContainer.GetBlockBlobReference(blobName);
            cloudBlob.UploadFromFile(myFileLocation);

OUTPUT

[Two console-output screenshots from the original answer, not reproduced here]

ShrutiJoshi-MT
  • "You need to give proper permission for your SAS Token" - I am not in control of the SAS token, so nothing can be changed about that. – F-H Nov 26 '21 at 10:33
  • Yes, you need to give the permission to your SAS Token. How are you getting the SAS Token? – ShrutiJoshi-MT Nov 26 '21 at 10:37
  • Currently, the SAS token is supplied by the technical architect to whom I deliver my code. In production use, it will be provided by customers. Do note that **all the required business functionality works** with the current SAS token. Therefore, I have no real basis to argue for adding any permissions to the SAS token. Currently, my goal is to make the code more robust (by doing some container/blob existence checks), but only in cases where this does not conflict with the restrictions my connection is subject to. – F-H Nov 26 '21 at 10:47
  • Can you please check with your technical architect what the allowed permissions given for the SAS Token are? See in the above answer: I checked the existence of the container using a SAS token and was able to create it by giving permission as shown in the above screenshot. – ShrutiJoshi-MT Nov 26 '21 at 10:58
  • While I think my particular problem will be solved by [Gaurav's answer](https://stackoverflow.com/a/70123348/5206621), I am still going to find out about this; this may well be of use to future visitors and to get a more complete picture. – F-H Nov 26 '21 at 11:04
  • I have had an opportunity to check the settings in the meantime, and one notable difference to your screenshot is that the three checkmarks on *Allowed Object Type* (*Service*, *Container*, and *Object*) are *not* set. Curious. So, this setting allows me to work within a blob container (and thereby deduce that it does exist), but bars me from explicitly asking whether it does indeed exist. – F-H Dec 03 '21 at 21:47