1

I'm having difficulty in using a Blob SAS token to write a file to a Blob in Azure via Powershell.

The code I'm using to generate the SAS token is:

$storageContext = Get-AzureRmStorageAccount -ResourceGroupName $resourceGroup -Name $storageName

$token = New-AzureStorageBlobSASToken -Container $conName -Context $storageContext.Context -Blob $blobName -ExpiryTime $expiry -Permission rw -FullUri

This generates a token as expected: https://name.blob.core.windows.net/container/test.json?sv=2015-04-05&sr=b&sig=abc123&se=2017-03-07T12%3A58%3A52Z&sp=rw

If I use this in the browser it's working fine and downloading the file as expected. However, I can't use this to upload a file. Whenever I try I'm receiving a (403) Forbidden. The code I'm using to upload is:

$accountContext = New-AzureStorageContext -SasToken $sasToken

Get-AzureStorageContainer -Context $accountContext.Context | Set-AzureStorageBlobContent -File $blobFile

I've successfully been using a method similar to this to set Blob content after making a call to Add-AzureRmAccount to authenticate.

I've also tried to use a Container SAS token but I keep getting a 403 error with that.

The fact that the token works for a read leads me to believe that I'm missing something in my Powershell script - can anyone shed any light on what that is?

Improve this question

1 Answer 1

Reset to default
4

The fact that the token works for a read leads me to believe that I'm missing something in my Powershell script - can anyone shed any light on what that is?

I believe the problem is with the following line of code:

Get-AzureStorageContainer -Context $accountContext.Context

Two things here:

  1. This cmdlet tries to list the blob containers in your storage account. In order to list blob containers using SAS, you would need an Account SAS where as the SAS you're using is a Container SAS.
  2. Your SAS only has Read and Write permission. For listing containers, you would need List permission as well.

I would recommend simply using Set-AzureStorageBlobContent Cmdlet and provide necessary information to it instead of getting the container name through pipeline.

Set-AzureStorageBlobContent -File $blobFile -Container $conName -Context $accountContext.Context -Blob $blobName
Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

I've confirmed that the call to Get-AzureStorageContainer is throwing a 403 when creating a Blob SAS. I changed my code to create a Container SAS with rwl and call Set-AzureStorageBlobContent directly but still getting a 403.
Can you update your question with the latest code you're using? Thanks.
I've resolved the issue. What you have said is working, I was using the -FullUri flag when creating a SAS token. Removing this flag gave me the query string part of the token only which is now allowing me to upload the blob. Thanks.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.