Azure Storage Account - temporary download link using container SAS


I'm working with the Python Azure SDK and I ran into the following problem.

What I'm trying to do is generate a container SAS token to be used only on a given container. To do so, I'm using the Azure SDK's generate_container_sas:

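from datetime import datetime, timedelta
from azure.storage.blob import (
    BlobSasPermissions, ContainerSasPermissions,
    generate_blob_sas, generate_container_sas,
)

def get_temporary_access_token(self):
    # Third positional argument is the storage account key used to sign the SAS.
    sas_token = generate_container_sas(
        self.account_name,
        self.container_name,
        self.storage_token,
        permission=ContainerSasPermissions(read=True, write=True, delete=True, list=True),
        expiry=datetime.utcnow() + self.sas_token_expiry_time
    )
    return sas_token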

This returns a string looking something like se=<end_datetime>&sp=<Permission>&sv=2019-07-07&sr=c&sig=<token>

Now, using this token I'm able to do all sorts of things, but what I'm having trouble with is using this link as a temporary download link for a certain blob.

I was trying to do it using this method:

def get_temporary_download_link(self, blob_full_path, expires_time):
    base_temp_url = f'{self._get_base_resource_url()}/{self.container_name}/{blob_full_path}'
    token = generate_blob_sas(
        account_name=self.account_name,
        account_key=self.sas_token,
        container_name=self.container_name,
        blob_name=blob_full_path,
        permission=BlobSasPermissions(read=True),
        expiry=datetime.utcnow() + timedelta(seconds=expires_time)
    )
    return f'{base_temp_url}?{token}'

Now when I try to use the link I've built in the method above, I'm failing in the following method: b64decode.

From that I understand that I'm not supposed to use a SAS token for a temporary download link, and that I can do this only by using the resource token or a user delegation object? I also tried to "fool" the method by encoding the SAS token, but the URL resulted in an error: Signature did not match

I didn't manage to find any documentation on what I can or cannot do with the resource SAS token vs. the UserDelegationKey. Does anyone know if it is possible to use the resource SAS token for a temporary download?

Thanks in advance

There are 1 best solutions below

Basically the issue is that you're using a SAS token (in your case created for a blob container) to create a new SAS token. This is not allowed. You will need to use either the account key or user delegation key to generate a SAS token.

Also, you can use the SAS token generated for a blob container as a SAS token for blobs inside that container. If you create a SAS token for a blob container with at least read permission, you can use the same SAS token to download any blob in that blob container.
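
As an added illustration (not code from the question or the answer), the sketch below reuses an existing container SAS for a blob download URL instead of re-signing it, using only the standard library. The account URL, the sample token and the function names are constructed, and rejecting tokens that grant more than read/list is this example's own policy, since whoever holds the link holds every permission in `sp` for the whole container.

```python
import base64
import binascii
from datetime import datetime, timezone
from urllib.parse import parse_qs, quote

# Constructed sample token in the shape shown in the question (the signature is fake).
SAMPLE_SAS = "se=2030-01-01T00%3A00%3A00Z&sp=r&sv=2019-07-07&sr=c&sig=CONSTRUCTED"


def looks_like_account_key(value):
    """Account keys are base64; a SAS query string is not, so it cannot be
    base64-decoded as a signing key (the b64decode failure in the question)."""
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def blob_url_from_container_sas(account_url, container, blob_path, sas_token, now=None):
    """Append an existing container SAS to a blob URL; nothing is re-signed."""
    token = sas_token.lstrip("?")
    if looks_like_account_key(token):
        raise ValueError("expected a SAS query string, got a key-like value")
    fields = {k: v[0] for k, v in parse_qs(token).items()}
    if fields.get("sr") != "c":
        raise ValueError("not a container-scoped SAS (sr=c)")
    perms = fields.get("sp", "")
    if "r" not in perms:
        raise ValueError("SAS lacks read permission")
    # Example policy: a download link should not carry write/delete rights.
    if set(perms) - set("rl"):
        raise ValueError(f"SAS grants more than read/list: sp={perms}")
    if "se" not in fields:
        raise ValueError("SAS has no expiry (se)")
    # Assumes the seconds-precision UTC format that the SDK emits.
    expiry = datetime.strptime(fields["se"], "%Y-%m-%dT%H:%M:%SZ")
    expiry = expiry.replace(tzinfo=timezone.utc)
    if expiry <= (now or datetime.now(timezone.utc)):
        raise ValueError("SAS already expired")
    # quote() keeps '/' so virtual directories in the blob path survive.
    return f"{account_url.rstrip('/')}/{container}/{quote(blob_path)}?{token}"
```
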