
I tried creating a SAS like this (adding the "Read" permission changes nothing):

[screenshot of the SAS settings]

But it didn't work for me. I only want my script to get the blob list, read metadata and delete old blobs.

Get-AzureStorageContainer : The remote server returned an error: (403) Forbidden. HTTP Status Code: 403 - HTTP Error Message: This request is not authorized to perform this operation.

Also, I'd like to know what the minimum possible permissions are to achieve my goal.

$ctx = New-AzureStorageContext -StorageAccountName xxx -SasToken zzz
$Containers = Get-AzureStorageContainer -Context $ctx

Sample SAS token:

?sv=2017-07-29&ss=b&srt=co&sp=dl&se=2018-03-31T21:24:06Z&st=2018-03-31T09:24:06Z&spr=https&sig=bWsg5sSPZF%2FaBXxfW6RoCH%2BlcFKBT6MFyMKTRM3I2jI%3D
  • This Cmdlet lists the containers in an account. For listing blobs, the cmdlet is Get-AzureStorageBlob. But nonetheless you shouldn’t get 403 error. Can you edit your question and include how are you calling this Cmdlet and how are you creating the storage context? Commented Mar 31, 2018 at 13:06
  • Well, I'm not asking for that :) I'm asking: "how to create a proper SAS token" @GauravMantri Commented Mar 31, 2018 at 13:10
  • Based on the screenshot (partial though), I believe you’ve selected the right permissions so your SAS token should be right. Please share your SAS token so that it can be checked for correctness. Commented Mar 31, 2018 at 13:13
  • Is that documented anywhere? @GauravMantri Commented Mar 31, 2018 at 13:55
  • I’m actually looking for the value of SAS token you are using to create storage context. Commented Mar 31, 2018 at 13:57

1 Answer

So there are two things here:

  1. You're getting 403 error: Assuming you're using the same SAS token as you have mentioned in the question along with Get-AzureStorageContainer Cmdlet, you will get this error. The reason for this is the purpose of this Cmdlet is to list blob containers in a storage account and for that you need to have Service permission in your SAS token (srt value in your SAS token should be sco instead of co). Because the required permission is not there in your SAS token, you are getting this 403 error. However if you use the same token along with Get-AzureStorageBlob, you should not get any error.

  2. Necessary permissions for get blob list, read metadata and delete old blobs: For this, you would need the following permissions:

    • Allowed Services: Blobs (b)
    • Allowed resource types: Container (c) and Object (o)
    • Allowed permissions: List (l), Read (r) and Delete (d)

With this combination you should be able to list blobs from a blob container using Get-AzureStorageBlob, read its metadata and delete the blobs.

UPDATE

So what I did was I followed your steps and tried to list the blob containers using Get-AzureStorageContainer Cmdlet. I also got the same error :).

Then I ran the Cmdlet with Debug and Verbose switches and found that for each blob container, this Cmdlet tries to get the ACL.

https://account.blob.core.windows.net/my-container?sv=2017-07-29&ss=b&srt=sco&sp=dl&se=2018-03-31T23:28:27Z&st=2018-03-31T15:28:27Z&spr=https&sig=signature&api-version=2017-04-17&restype=container&comp=acl

Confirm
The remote server returned an error: (403) Forbidden. HTTP Status Code: 403 - HTTP Error Message: This request is not authorized to perform this operation.
[Y] Yes  [A] Yes to All  [H] Halt Command  [S] Suspend  [?] Help (default is "Y"): y
Get-AzureStorageContainer : The remote server returned an error: (403) Forbidden. HTTP Status Code: 403 - HTTP Error Message: This request is not authorized to perform this operation.
At line:1 char:1
+ Get-AzureStorageContainer -Context $ctx -Debug -Verbose
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Get-AzureStorageContainer], StorageException
    + FullyQualifiedErrorId : StorageException,Microsoft.WindowsAzure.Commands.Storage.Blob.Cmdlet.GetAzureStorageContainerCommand

Now the problem is that you can't fetch ACL for a container using a shared access signature, you would need to use the account key (same thing goes for creating a shared access signature). This is the reason you're getting 403 error back from the service.

Not sure whether you would classify this as a bug in Get-AzureStorageContainer or would want to put in a feature request allowing you to list blob containers without getting their ACL, but the way things are today, you can't list blob containers using this Cmdlet and a SAS token.
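As an added check (not part of the question or the answer): a small Python script that parses an account SAS query string and reports, for the operations this thread discusses, which ss/srt/sp letters the token lacks and which it grants beyond what the goal needs. The per-operation requirements are taken from the answer above; the MINIMAL_SAS and BROAD_SAS strings are constructed, and every sig value is a placeholder.

```python
from urllib.parse import parse_qs

# Account-SAS fields as used in the thread's tokens:
#   ss  = signed services       ((b)lob, (q)ueue, (t)able, (f)ile)
#   srt = signed resource types ((s)ervice, (c)ontainer, (o)bject)
#   sp  = signed permissions    ((r)ead, (w)rite, (d)elete, (l)ist, ...)
# Requirements per operation, taken from the answer above. Assumption: the
# cmdlet's extra comp=acl call is account-key-only and cannot be expressed here.
OPERATIONS = {
    "list containers": {"ss": "b", "srt": "s", "sp": "l"},
    "list blobs":      {"ss": "b", "srt": "c", "sp": "l"},
    "read metadata":   {"ss": "b", "srt": "o", "sp": "r"},
    "delete blob":     {"ss": "b", "srt": "o", "sp": "d"},
}

def parse_sas(token):
    """Split a '?sv=...&sig=...' SAS query string into a {field: value} dict."""
    return {k: v[0] for k, v in parse_qs(token.lstrip("?"), keep_blank_values=True).items()}

def missing_permissions(token, operations):
    """For each requested operation, list the field letters the token lacks ([] = allowed)."""
    sas = parse_sas(token)
    report = {}
    for op in operations:
        granted = {f: set(sas.get(f, "")) for f in ("ss", "srt", "sp")}
        report[op] = [f"{f}={c}" for f, need in OPERATIONS[op].items()
                      for c in need if c not in granted[f]]
    return report

def excess_permissions(token, operations):
    """Letters the token grants that none of the requested operations needs (least privilege)."""
    sas = parse_sas(token)
    needed = {f: set() for f in ("ss", "srt", "sp")}
    for op in operations:
        for f, letters in OPERATIONS[op].items():
            needed[f].update(letters)
    return {f: sorted(set(sas.get(f, "")) - needed[f]) for f in needed}

# The token from the question, with the signature replaced by a placeholder (it plays no role here).
QUESTION_SAS = "?sv=2017-07-29&ss=b&srt=co&sp=dl&se=2018-03-31T21:24:06Z&st=2018-03-31T09:24:06Z&spr=https&sig=x"
# Constructed token carrying the permissions the answer recommends (srt=co, sp=rld).
MINIMAL_SAS = "?sv=2017-07-29&ss=b&srt=co&sp=rld&se=2018-03-31T21:24:06Z&spr=https&sig=x"
# Constructed over-privileged token: also grants write, the queue service and the service resource type.
BROAD_SAS = "?sv=2017-07-29&ss=bq&srt=sco&sp=rwdl&se=2018-03-31T21:24:06Z&spr=https&sig=x"
GOAL = ["list blobs", "read metadata", "delete blob"]

if __name__ == "__main__":
    for name, tok in [("question", QUESTION_SAS), ("minimal", MINIMAL_SAS), ("broad", BROAD_SAS)]:
        print(name, missing_permissions(tok, GOAL + ["list containers"]), excess_permissions(tok, GOAL))
```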


5 Comments

But the service thing is checked? I've created another SAS with sco and am still getting the same error.
why am I so freaking lucky
:D. But if you know the blob container, then you can use the other cmdlet to list and delete the blobs.
Other way would be to invoke list blob containers REST API using Invoke-WebRequest.
Yeah, that's pretty obvious, but I was unable to find examples online, and when I saw an article on MSDN to create the required parameters I kinda went sad panda. I'd rather use a connection string, tbh. Much easier. Thanks though!
