Azure Storage container In addition to setting the public Access level:
You can also define some stored Access Policy:
Stored access Policy is a single container, and Stored access policy between different containers is independent of each other.
Stored access policy can be used to generate SAS Token (Shared Access Signature), which provide temporary permissions for accessing resources such as containers and blob/table/queue.
To create an access policy:
The policy created contains names, permissions (read/write/delete/list), and valid start and end times.
We use Azure PowerShell to generate the SAS Token with the policy created, the SAS Token are created at two levels and can be created for blobs and container two levels, respectively:
$storage = get-azurermstorageaccount-resourcegroupname <resource Group name>-name <storage account name>;
$containerSAS = new-azurestoragecontainersastoken-name <container name>-policy <stored access Policy name> -context $storage. context;
$blobSAS = New-azurestorageblobsastoken-container <container name>-blob <blob file name>-Policy <stored Access Policy name>-context $storage. context;
The test found that the permissions on the SAS generated by the container could be passed to the container (that is, it would be possible to read the container blob file with container read-only permission).
We do a test with a container and blob, and first create 3 tested Access Policy under container:
Generate 3 Container SAS token respectively:
$storage = Get-azurermstorageaccount-resourcegroupname Dannorthresourcegroup1-name dannorthstorage;
$listContainerSAS = New-azurestoragecontainersastoken-name "VHDs"-policy "listonly"-context $storage. context;
$writeContainerSAS = New-azurestoragecontainersastoken-name "VHDs"-policy "WriteOnly"-context $storage. context;
$readContainerSAS = New-azurestoragecontainersastoken-name "VHDs"-policy "ReadOnly"-context $storage. context;
When the creation is complete, the corresponding SAS token parameters are read directly from the variable:
Then we find a VHD file under this container to do a test, respectively, with the above three SAS token to the VHD URL plus suffix access:
https://dannorthstorage.blob.core.chinacloudapi.cn/vhds/dan08r220171205141559.vhd?sv=2015-04-05&sr=c& Si=listonly&sig=01%2fbnnqs24rd6giqtltpao9f%2fbwbweajaiuizbp6cvo%3d
https://dannorthstorage.blob.core.chinacloudapi.cn/vhds/dan08r220171205141559.vhd?sv=2015-04-05&sr=c& Si=writeonly&sig=ukbepmxiircof9eumqjhivbsb%2fbs6nvjc8eyupm0vlo%3d
https://dannorthstorage.blob.core.chinacloudapi.cn/vhds/dan08r220171205141559.vhd?sv=2015-04-05&sr=c& Si=readonly&sig=skc%2bsfawr4saw2fmgywz8s2hcqxltzock7xueg55pnk%3d
Each will get the following 3 results:
1:this the request isn't authorized to perform this operation the using this permission. requestid:ea55a2dc-701e-0021-0e30-b5894b000000 time:2018-03-06t09:50:18.5016341z
2:this the request isn't authorized to perform this operation the using this permission. requestid:ea55f29b-701e-0021-4630-b5894b000000 time:2018-03-06t09:51:17.9756099z
3: Successfully downloading the VHD file
We'll test a scenario where we generate a blob-level SAS token for this VHD file:
$blobSAS = New-azurestorageblobsastoken-container Vhds-blob dan08r220171205141559.vhd-policy readonly-context $ Storage. context;
Then, use this SAS token to access the same BLOB file with the same name below another container (make sure you can find the VHD file, or 404), and the error is as follows: