- Remove From My Forums
Answered by:
Question
-
Hello,
Have about ten storage accounts that I would like to alert when expiration dates where getting near. Does anyone know how to get the SAS expiry date, which is set against the account as far as I can see. I've examined (in debug)the account, client and container in the test code below and also looked at their corresponding types in ILSpy but cannot see any properties or methods that expose the SAS expiry date.
void Main(){CloudStorageAccount account = new CloudStorageAccount(new StorageCredentials(GetName(), GetKey()), true);CloudBlobClient client = account.CreateCloudBlobClient(); foreach (CloudBlobContainer container in client.ListContainers()){Console.WriteLine(container.Name);} }
Wednesday, October 30, 2019 5:15 PM
Answers
-
This from MS Azure support
Thank you for contacting Microsoft Support.
My name is Luis Filipe and I will be the Support Engineer that will be assisting you regarding this service request.
You can reach me replying to this mail or using the contact information in my signature.
Issue:
I need to know when account-level SAS on blob storage containers are due to expire. You are looking for some report, PowerShell or something else you can setup to alert you.
Our analysis:
The SAS could be generated on Azure Portal, on client application or client side scripts (PowerShell/CLI), and the SAS information are not saved on Azure.
For that reason there are no way to have an alert from Azure for when the SAS will expire.
As you probably know the SAS have the “se” on the URI parameter, and this is the only way to know when the SAS will expire.
You may create some application to save the expiry date every time you create one SAS, and with this you may have some alters from that application, but Azure don’t support this feature.
- Marked as answer by The real Slartibartfast Tuesday, November 12, 2019 3:08 PM
Tuesday, November 12, 2019 3:08 PM
All replies
-
There are two ways to set expiry on SAS. The first is to build it into the SAS token itself. Then the only way to check expiry is to inspect the se= parameter of the token. You could maintain a list of known SAS tokens and alert based on the expiry.
The second way to set expiry is to set it in a stored policy on a container. Then the SAS token would reference it using.
You can check the expiry in that case using the Get Container ACL API (sometimes called GetPermissions).
You would need to check each container that may contain a policy and alert based on the time set in the policy.
Hope this helps!
Kindly let us know if the above helps or you need further assistance on this issue.
------------------------------------------------------------------------------------------Do click on "Mark as Answer" and Upvote on the post that helps you, this can be beneficial to other community members.
Thursday, October 31, 2019 12:27 PM
-
Hello,
I'm looking at theCloudBlobContainerand specifically the GetPermissions method but I cannot see how to retrieve any existing SAS expiry date.
Also looking at theGetSharedAccessSignature method as this seems a good candidate. This returns what looks to be a SAS signature but not any properties such as the date.
Thursday, October 31, 2019 2:25 PM
-
That code also just seems to get the first SAS as I just created new one which runs from today (31/10) for seven days.
That SAS looks like this ""?sv=2019-02-02*" which must be an old one, there have been at least 10 SAS created on this container.
Thursday, October 31, 2019 2:36 PM
-
@The real SlartibartfastFirstly, apologies for the delay in responding here and any inconvenience this issue may have caused.
GetPermissions return a BlobcontainerPermissions object, which contains the SAS policies
BlobContainerPermissions.SharedAccessPolicies Property
Hope this helps!
Kindly let us know if the above helps or you need further assistance on this issue.
------------------------------------------------------------------------------------------Do click on "Mark as Answer" and Upvote on the post that helps you, this can be beneficial to other community members.
- Proposed as answer by SumanthMarigowda-MSFTMicrosoft employee Friday, November 8, 2019 4:19 PM
Friday, November 8, 2019 1:02 PM
-
@The real SlartibartfastFirstly, apologies for the delay in responding here and any inconvenience this issue may have caused.
GetPermissions return a BlobcontainerPermissions object, which contains the SAS policies
BlobContainerPermissions.SharedAccessPolicies Property
Hello,
Thanks for the response.
That method GetPermissions is part of theCloudBlobContainer class so this will not work for me.
I need Account-level SAS so not any SAS that is at the container level.
Thanks
Friday, November 8, 2019 5:07 PM
-
@The real SlartibartfastAs for GetPermissions, Account SAS doens't use stored access policies so there is no need for this API.
Set the expiry on the token itself.
Kindly let us know if the above helps or you need further assistance on this issue.
------------------------------------------------------------------------------------------Do click on"Mark as Answer" and Upvote on the post that helps you, this can be beneficial to other community members.
- Edited by SumanthMarigowda-MSFTMicrosoft employee Monday, November 11, 2019 5:10 PM
Monday, November 11, 2019 5:06 PM
-
@The real SlartibartfastAs for GetPermissions, Account SAS doens't use stored access policies so there is no need for this API.
Set the expiry on the token itself.
Hello,
So how do I get the SAS expiry on an account-level SAS that I created in the Azure portal? I'm not trying to SET the expiry, I'm trying to READ it.
Account-level SAS is used extensively for SQL database backup to URL. Problem is we don;t know when they are expiring.
Thanks
Monday, November 11, 2019 5:11 PM
-
This from MS Azure support
Thank you for contacting Microsoft Support.
My name is Luis Filipe and I will be the Support Engineer that will be assisting you regarding this service request.
You can reach me replying to this mail or using the contact information in my signature.
Issue:
I need to know when account-level SAS on blob storage containers are due to expire. You are looking for some report, PowerShell or something else you can setup to alert you.
Our analysis:
The SAS could be generated on Azure Portal, on client application or client side scripts (PowerShell/CLI), and the SAS information are not saved on Azure.
For that reason there are no way to have an alert from Azure for when the SAS will expire.
As you probably know the SAS have the “se” on the URI parameter, and this is the only way to know when the SAS will expire.
You may create some application to save the expiry date every time you create one SAS, and with this you may have some alters from that application, but Azure don’t support this feature.
- Marked as answer by The real Slartibartfast Tuesday, November 12, 2019 3:08 PM
Tuesday, November 12, 2019 3:08 PM