Azure/AzureStor

Service SAS support (for individual blob access longer than 7 days)

Closed this issue · 2 comments

The user_delegated_sas cannot be longer than 7 days. And I need a SAS to access a single blob (file) for longer than 7 days.
This is possible by creating a 'service SAS'. But it's not supported.

Could you add the service_sas as a third option?

I can do that, but have you tried using an account SAS? That should work for longer than 7 days.

Thank you for your swift response. The problem with the account sas is that the sas-token gives access to potentially every blob-file in the container, and even the whole (blob) storage account.

That is a security threat for my use case (where I share individual files using URIs). I want to have a different SAS for each individual blob file in the container. And a service SAS can be created for an individual blob file (and longer than 7 days, which is the big limitation for the user delegated SAS).

From the documentation:

An account SAS delegates access to resources in one or more of the storage services.
A service SAS delegates access to a resource in only one of the Azure Storage services: Blob storage, Queue storage, Table storage, or Azure Files.

Please read this documentation on the service sas
https://docs.microsoft.com/en-us/azure/storage/blobs/sas-service-create?tabs=dotnet

Please feel free to ask any questions.
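
The scope difference discussed in this thread is visible in a SAS URL's query parameters, so a shared link can be audited before it is handed out. The following Python sketch is an added example, not code from the thread or from AzureStor; the sample URLs, account name and signatures are constructed placeholders, and the 7-day constant is the limit quoted above.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

MAX_USER_DELEGATION = timedelta(days=7)  # limit quoted in the thread
SERVICES = {"b": "blob", "q": "queue", "t": "table", "f": "file"}
RESOURCE = {"b": "single blob", "c": "container"}  # subset of sr values
# Constructed sample URLs; account name, path and signatures are placeholders.
ACCOUNT_SAS = ("https://example.blob.core.windows.net/docs/report.pdf"
               "?sv=2019-12-12&ss=b&srt=sco&sp=r&st=2021-01-01T00:00:00Z"
               "&se=2021-03-01T00:00:00Z&sig=PLACEHOLDER")
SERVICE_SAS = ("https://example.blob.core.windows.net/docs/report.pdf"
               "?sv=2019-12-12&sr=b&sp=r&st=2021-01-01T00:00:00Z"
               "&se=2021-03-01T00:00:00Z&sig=PLACEHOLDER")


def _time(value):
    # SAS times are ISO 8601 UTC, either date-only or with a trailing Z
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unrecognised SAS time: {value!r}")


def classify_sas(url, now=None):
    """Return the SAS kind, what it reaches, and how long it stays valid."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q or "se" not in q:
        raise ValueError("not a SAS URL: sig or se missing")
    if "ss" in q and "srt" in q:
        # Account SAS: ss lists whole services, so the blob path is not a limit
        kind = "account"
        scope = "account-wide: " + ", ".join(SERVICES.get(c, c) for c in q["ss"])
    else:
        # skoid (signing key object id) only appears on user delegation SAS
        kind = "user delegation" if "skoid" in q else "service"
        scope = RESOURCE.get(q.get("sr"), q.get("sr"))
    start = _time(q["st"]) if "st" in q else (now or datetime.now(timezone.utc))
    lifetime = _time(q["se"]) - start
    return {
        "kind": kind,
        "scope": scope,
        "permissions": q.get("sp", ""),
        "lifetime_days": lifetime.days,
        "over_7_days": lifetime > MAX_USER_DELEGATION,
        "single_blob": kind != "account" and q.get("sr") == "b",
    }
```

Both sample links point at the same blob path and run for 59 days, but only the second one reports `single_blob` as true.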
