Book a Demo Free Trial

Introducing Signed Access Signature

Gaurav Mantri

Sep 2, 2009

Category: Azure Storage

In this blob we are going to discuss about Signed Access Signature, which is a new feature of “Window Azure” to provide access rights to containers and blobs at a more granular level than by simply setting a container’s ACL for public access.

What is the need of Signed Access Signature?

Windows Azure storage operates with “shared key authentication.” In other words, there’s a password for your entire storage account, and anyone who has that password essentially owns the account. It’s an all-or-nothing permission model. That means you can never give out your shared key. The only exception to the all-or-nothing rule is that blob containers can be marked public, in which case anyone may read what’s inside the container (but not write to it).

What is Signed Access Signature?

With Signed/Shared Access Signature, you can grant users access to a specific blob or to the blobs within a container for a specified period of time. You can also specify what operations a user may perform on a blob that’s accessible via a Shared Access Signature.

Supported operations include:

  • Reading and writing blob content, block lists, properties, and metadata
  • Deleting a blob
  • Listing the blobs within a container

A Shared Access Signature is a set of URL query parameters that incorporates all of the information necessary to grant controlled access to a blob or container resource. The URL specifies the time interval over which the Shared Access Signature is valid, the permissions that it grants, the resource that is to be made available, and the signature that the Blob service should use to authenticate the request.

Additionally, the URL for the Shared Access Signature may reference a container-level access policy that provides an additional level of control over a set of signatures, including the ability to modify or revoke access to the resource if necessary.

Constructing the Shared Access Signature URL

http://myaccount.blob.core.windows.net/myContainer/MyBlob?st=2009-02-09&se=2009-02-10&sr=c&sp=r&si=YWJjZGVmZw%3d%3d&sig= dD80ihBh5jfNpymO5Hg1IdiJIEvHcJpCMiCMnN%2fRnbI%3d

Here: st(signedstart) = Optional. The time at which the Shared Access Signature becomes valid. The time must be specified in a valid ISO 8061 format. If you omit the start time, the interval begins immediately.

se(signedend) = Required. The time at which the Shared Access Signature becomes invalid. The time must be specified in a valid ISO 8061 format. This field may be omitted if it has been specified as part of a container-level access policy (or in other way we can say that, se(signedend) may be omitted if (si)signedidentifier is assigned in the URL).

sp(signedpermission) = Required. The permissions associated with the Shared Access Signature. The user is restricted to operations allowed by the permissions. Valid permissions values are read (r), write (w), delete (d) and list (l). This field may also be omitted if it has been specified as part of a container-level access policy (or in other way we can say that, sp(signedpermission) may be omitted if (si)signedidentifier is assigned in the URL).

Note: r, w, l, d always comes in “rwld” sequence. These are some invalid permission like, wr, lr…etc.

sr(signedresource) = 1. Specify b to designate access scope to the content and metadata of a specific blob in the container. 2. Specify c to designate access scope to the content and metadata of any blob in the container, and to the list of blobs in the container.

si(signedidentifire) = Optional. A unique value that correlates to an access policy specified at the container level. The signed identifier may have a maximum size of 64 bytes.

If a signed identifier is not specified as part of the Shared Access Signature, the maximum interval over which the signature is valid is one hour, and you have to specify signedend and signedpermission in the URL as well as in the string-to-sign.

If a signed identifier is specified as part of the Shared Access Signature, the maximum interval over which the signature is valid is depend on the start and expiry parameter of the container access policy.

If you defined all parameters in container access policy then you have no need to define again in the URL as well as in string-to-sign. But those parameters which u doesn’t define in container access policy are required to define in the URL as well as in the string-to-sign.<

Example: – Suppose in container access policy you define ExpiryTime and Permission parameters. Then in the URL you are required to define only starttime parameter.

sig(signature) = The string-to-sign is a unique string constructed from the fields that must be verified in order to authenticate the request. The signature is an HMAC computed over the string-to-sign and key by using the SHA256 algorithm, and then encoded by using Base64 encoding.

Constructing the Signature String

To construct the signature string, first construct the string-to-sign from the fields comprising the request, then encode the string as UTF-8 and compute the signature using the HMAC-SHA256 algorithm.

Note that fields included in the string-to-sign must be URL-decoded.

To construct the string-to-sign, use the following format:

1
2
3
4
5
StringToSign = signedpermissions + "\n"
               signedstart + "\n"
               signedexpiry + "\n"
               canonicalizedresource + "\n"
               signedidentifier

Note:

  1. If a field is optional and not provided as part of the request, specify an empty string for that field. Be sure to include the newline character (\n) after the empty string.
  2. If the signed resource is a container: URL = http://myaccount.blob.core.windows.net/music canonicalizedresource = “/myaccount/music”
  3. If the signed resource is a blob: URL = http://myaccount.blob.core.windows.net/music/intro.mp3 canonicalizedresource = “/myaccount/music/intro.mp3”
  4. signedidentifier is optinal, If you are omitting si(signedidentifire) from the URL then you have no need to define signedidentifier in the string-to-sign string.

Some Examples of how to create Signed Access Signature(SAS) and StringToSign:

Example without Signed Identifer:

1.If you want to define all parameters in string-to-sign then your SAS and StringToSign is like this:

1
2
3
4
5
StringToSign = signedpermissions + "\n"
               signedstart + "\n"
               signedexpiry + "\n"
               "/myaccount/mycontainer/myblob" + "\n"
               ""

URL = http://myaccount.blob.core.windows.net/myContainer/MyBlob?st=2009-02-10&se=2009-02-10&sr=b&sp=r&sig= dD80ihBh5jfNpymO5Hg1IdiJIEvHcJpCMiCMnN%2fRnbI%3d

2.If you don’t want to give Start Time and then your SAS and StringToSign is like this:

1
2
3
4
5
StringToSign = signedpermissions + "\n"
                "" + "\n"
                signedexpiry + "\n"
                "/myaccount/mycontainer/myblob" + "\n"
                ""

URL = http://myaccount.blob.core.windows.net/myContainer/MyBlob?se=2009-02-10&sr=b&sp=r&sig= dD80ihBh5jfNpymO5Hg1IdiJIEvHcJpCMiCMnN%2fRnbI%3d

Example with Signed Identifer:

1.If you give si(signedidentifire) and others parameters are define in container access policy then your SAS and StringToSign is like this:

1
2
3
4
5
StringToSign = "" + "\n"
               "" + "\n"
               "" + "\n"
               "/myaccount/mycontainer/myblob" + "\n"
               "signedidentifire"

URL = http://myaccount.blob.core.windows.net/myContainer/MyBlob?sr=b&si=YWJjZGVmZw==&sig= dD80ihBh5jfNpymO5Hg1IdiJIEvHcJpCMiCMnN%2fRnbI%3d

2.If you give si(signedidentifire) and only permission parameter is define in container access policy then your SAS and StringToSign is like this:

1
2
3
4
5
StringToSign = "" + "\n"
               "signedstart" + "\n"
               "signedend" + "\n"
               "/myaccount/mycontainer/myblob" + "\n"
               "signedidentifire"

URL = http://myaccount.blob.core.windows.net/myContainer/MyBlob?st=2009-02-10&se=2009-02-10&sr=b&si=YWJjZGVmZw==&sig= dD80ihBh5jfNpymO5Hg1IdiJIEvHcJpCMiCMnN%2fRnbI%3d