CloudBlobContainer.GetSharedAccessSignature Method (SharedAccessPolicy, String)

Storage Client Library NET API

[This topic is part of the Microsoft Azure Storage Client Library 1.7, which has been deprecated. See Storage Client Library for the latest version.]

Returns a shared access signature for the container which grants access to the content and metadata of any blob in the container, and to the list of blobs in the container.

Namespace: Microsoft.WindowsAzure.StorageClient
Assembly: Microsoft.WindowsAzure.StorageClient (in Microsoft.WindowsAzure.StorageClient.dll)

Usage

Visual Basic
Dim instance As CloudBlobContainer
Dim policy As SharedAccessPolicy
Dim groupPolicyIdentifier As String
Dim returnValue As String

returnValue = instance.GetSharedAccessSignature(policy, groupPolicyIdentifier)

Syntax

Visual Basic
Public Function GetSharedAccessSignature ( _
	policy As SharedAccessPolicy, _
	groupPolicyIdentifier As String _
) As String
C#
public string GetSharedAccessSignature (
	SharedAccessPolicy policy,
	string groupPolicyIdentifier
)
C++
public:
String^ GetSharedAccessSignature (
	SharedAccessPolicy^ policy, 
	String^ groupPolicyIdentifier
)

Parameters

policy

Type: Microsoft.WindowsAzure.StorageClient.SharedAccessPolicy

The access policy for the shared access signature.

groupPolicyIdentifier

Type: System.String

The identifier of a container-level access policy.

Return Value

Type: System.String

A shared access signature.

Example

The following code example creates a shared access signature for a container. Note that the access policy is defined on the container, rather than on the signature.

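C#
using System;
using System.Configuration;
using Microsoft.WindowsAzure;
using Microsoft.WindowsAzure.StorageClient;

static void CreateSASUsingContainerAccessPolicy()
{
    //Retrieve storage account information from an app.config file.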
    //This is one way to store and retrieve a connection string if you are writing an application 
    //that will run locally, rather than in Windows Azure.
    CloudStorageAccount storageAccount =
        CloudStorageAccount.Parse(
            ConfigurationManager.AppSettings["StorageAccountConnectionString"]);

    //Create the blob client object.
    CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient();

    //Get a reference to the container for which shared access signature will be created.
    CloudBlobContainer container = blobClient.GetContainerReference("mysascontainer");
    container.CreateIfNotExist();

    //Create a permission policy, consisting of a container-level access policy and 
    //a public access setting, and store it on the container. 
    BlobContainerPermissions containerPermissions = new BlobContainerPermissions();

    //The container-level access policy provides read/write access to the container for 10 hours.
    containerPermissions.SharedAccessPolicies.Add("mypolicy", new SharedAccessPolicy()
    {
        //If valid immediately, don’t set SharedAccessStartTime,
        //to avoid failures caused by small clock differences.
        // 
        // This policy goes live one hour from now.
        SharedAccessStartTime = DateTime.UtcNow.AddHours(1),
        SharedAccessExpiryTime = DateTime.UtcNow.AddHours(11),
        Permissions = SharedAccessPermissions.Write | SharedAccessPermissions.Read
    });

    //The public access setting explicitly specifies that the container is private, 
    //so that it can't be accessed anonymously.
    containerPermissions.PublicAccess = BlobContainerPublicAccessType.Off;

    //Set the permission policy on the container.
    container.SetPermissions(containerPermissions);

    //Get the shared access signature to share with clients.
    //Note that this call passes in an empty access policy, so that the shared access 
    //signature will use the 'mypolicy' access policy that's defined on the container.
    string sas = container.GetSharedAccessSignature(new SharedAccessPolicy(), "mypolicy");

    //Clients can use the signature to create a service client.
    StorageCredentialsSharedAccessSignature sasCreds = 
        new StorageCredentialsSharedAccessSignature(sas);
    CloudBlobClient sasBlobClient = new CloudBlobClient(storageAccount.BlobEndpoint, sasCreds);

    //Return a reference to a blob.
    CloudBlob blob = sasBlobClient.GetBlobReference("mysascontainer/myblob.txt");

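    //Upload text to the blob. If the blob does not yet exist, it will be created. 
    //If the blob does exist, its existing content will be overwritten.
    //Because 'mypolicy' does not take effect until one hour from now, the service
    //rejects this request until the policy's start time has passed.
    blob.UploadText("Hello SAS World");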
}

Remarks

A shared access signature is a token that provides delegated access to blob resources. You can provide this token to clients in order to grant them specific permissions to resources for a controlled period of time. A shared access signature created for a blob grants access just to the content and metadata of that blob. A shared access signature created for a container grants access to the content and metadata of any blob in the container, and to the list of blobs in the container.

The parameters of the shared access signature that govern access are:

  • The start time at which the signature becomes valid.

  • The time at which it expires.

  • The permissions that it grants.

These parameters are specified in an access policy, represented by the SharedAccessPolicy class. There are two ways to specify an access policy:

  • You can specify it on a single shared access signature. In this case, the interval over which the signature may be valid is limited to one hour.

  • You can specify it by creating a container-level access policy, which can be associated with one or more shared access signatures. This approach has the advantage of making it possible to revoke a shared access signature, if it should be compromised. To specify that the access policy should be used by the signature, call the overload that includes the groupPolicyIdentifier parameter.

You can also specify some parameters of the access policy on the signature and some on a container-level access policy. However, if you specify a parameter in both places, the parameter specified for the signature overrides that provided by the container-level access policy.

For more information on shared access signatures, see Creating a Shared Access Signature. For details on container-level access policies, see Specifying a Container-Level Access Policy.
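The two ways of specifying an access policy described above, together with revocation, as an added example (not part of the original topic). `SasIssuer` and its method names are hypothetical; the sketch assumes the single-parameter `GetSharedAccessSignature(SharedAccessPolicy)` overload and `CloudBlobContainer.GetPermissions()` from the same library version.

```csharp
using System;
using Microsoft.WindowsAzure.StorageClient;

static class SasIssuer   // hypothetical helper, not part of the library
{
    // Ad hoc signature: the policy lives on the signature itself, so it cannot
    // be revoked later. Reject lifetimes beyond the one-hour limit up front.
    public static string IssueAdHoc(CloudBlobContainer container,
        SharedAccessPermissions permissions, TimeSpan lifetime)
    {
        if (lifetime <= TimeSpan.Zero || lifetime > TimeSpan.FromHours(1))
            throw new ArgumentOutOfRangeException("lifetime",
                "Ad hoc signatures are limited to one hour.");

        return container.GetSharedAccessSignature(new SharedAccessPolicy
        {
            // No start time: valid immediately, avoids clock-skew failures.
            SharedAccessExpiryTime = DateTime.UtcNow.Add(lifetime),
            Permissions = permissions
        });
    }

    // Revocable signature: every access parameter lives in the container-level
    // policy; the signature only references it by identifier. Reusing an
    // existing policyId also changes access for signatures already issued.
    public static string IssueFromStoredPolicy(CloudBlobContainer container,
        string policyId, SharedAccessPermissions permissions, TimeSpan lifetime)
    {
        // Start from the current settings so PublicAccess and other stored
        // policies are preserved.
        BlobContainerPermissions current = container.GetPermissions();
        current.SharedAccessPolicies[policyId] = new SharedAccessPolicy
        {
            SharedAccessExpiryTime = DateTime.UtcNow.Add(lifetime),
            Permissions = permissions
        };
        container.SetPermissions(current);
        return container.GetSharedAccessSignature(new SharedAccessPolicy(), policyId);
    }

    // Revocation: removing the stored policy invalidates every signature that
    // references policyId. Returns false if no such policy was present.
    public static bool Revoke(CloudBlobContainer container, string policyId)
    {
        BlobContainerPermissions current = container.GetPermissions();
        if (!current.SharedAccessPolicies.Remove(policyId))
            return false;
        container.SetPermissions(current);
        return true;
    }
}
```

Grant only the permissions a client needs, for example `SharedAccessPermissions.Read` alone for download-only clients, and use a separate policy identifier per client group so that revoking one does not cut off the others.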


Thread Safety

Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.

Platforms

Development Platforms

Windows Vista, Windows 7, Windows Server 2008, Windows 8.1, Windows Server 2012 R2, Windows 8 and Windows Server 2012
