Reputation: 30335
Verify Azure Table SAS-based credentials
I'm looking for simple way of verifying an arbitrary Azure Table connection string that uses a SAS such as the one below using the Azure Storage's Java SDK:
https://example.table.core.windows.net/example?sig=aaabbbcccdddeeefffggghhh%3D&se=2020-01-01T00%3A00%3A00Z&sv=2015-04-05&tn=example&sp=raud
I tried a bunch of different methods exposed by the CloudTable api, but none of them works.
CloudTable.exists()throws a StorageException, regardless of whether the credentials are validgetName(),getStorageUri(),getUri(), and other getters - all work locally, regardless of the credentialsgetServiceClient().downloadServiceProperties()andgetServiceClient().getServiceStats()also throw various exceptions, whilegetServiceClient().getEndpoint()andgetServiceClient().getCredentials()and others always work locally.Why don't I just query the Table for a row or two? Well, in many cases I need to verify a SAS that gives only write or update premissions (without
deleteorreadpermissions), and I do not want to execute a statement that changes something in the table just to check the credentials.
Upvotes: 1
Views: 264
Answers (1)
Reputation: 136306
To answer your questions:
CloudTable.exists() throws a StorageException, regardless of whether the credentials are valid
I believe there's a bug with the SDK when using this method with SAS Token. I remember running into the same issue some time back.
getName(), getStorageUri(), getUri(), and other getters - all work locally, regardless of the credentials
These will work as they don't make network call. They simply use the data available to them in the different instance variables and return the data.
getServiceClient().downloadServiceProperties() and getServiceClient().getServiceStats() also throw various exceptions, while getServiceClient().getEndpoint() and getServiceClient().getCredentials() and others always work locally.
In order for getServiceClient().someMethod() to work using SAS, you would need Account SAS instead of Service SAS (which you're using right now).
Why don't I just query the Table for a row or two? Well, in many cases I need to verify a SAS that gives only write or update premissions (without delete or read permissions), and I do not want to execute a statement that changes something in the table just to check the credentials.
One possible way to check the validity of a SAS Token for write operation is to perform a write operation which you know will fail with an error. For example, you can try to insert an entity which is already there. In this case, you should get a Conflict (409) error. Other thing you could try to do is perform an optimistic write by specifying some random Etag value and check for Precondition Failed (412) error. If you get a 403 error or 404 error, that would indicate there's something wrong with your SAS token.
Upvotes: 2
Related Questions
- Generating SAS for Azure storage access
- Connect to Azure Storage Account using only SAS token?
- Azure Table Storage - Create Connection String from a read-only SAS token
- How to generate the Azure Table Service SAS token from c# code?
- Azure SAS token for specific tables
- Azure Table Storage Authenticate REST call through javascript
- How to use SAS on StorageCredentials for Azure Table Storage?
- microsoft azure table authentication stringtosign error
- Windows Azure Tables REST Api Authentication
- azure table services authentication