
I'm uploading large blobs in blocks of 1MB to Azure Storage. This works when I create a SAS with a Write permission, but it throws the below error with a Create permission.

ErrorCode: AuthorizationPermissionMismatch

This request is not authorized to perform this operation using this permission

Is this expected behavior? I'd like to pass SAS tokens to users and allow them to create a blob but not overwrite it once it's been created. How can I accomplish this?

user246392

1 Answer


Update:

When you upload block blobs, you need Write permission.

[screenshot]

And this is the doc:

https://learn.microsoft.com/en-us/rest/api/storageservices/create-account-sas#blob-service

Original Answer:

Please make sure you have given the Create permission:

[screenshot]

Below is my code (C#); it works fine (I can create the blob even if it does not exist yet):

using Azure.Storage.Blobs;
using System;
using System.IO;
using System.Text;

namespace ConsoleApp28
{
    class Program
    {
        static void Main(string[] args)
        {
            string containerName = "test";
            // Account SAS (ss=bfqt, srt=sco) granting every permission (sp=rwdlacupx), appended to the container URL.
            string sas_uri = "https://0730bowmanwindow.blob.core.windows.net/test?sv=2019-12-12&ss=bfqt&srt=sco&sp=rwdlacupx&se=2021-01-04T09:41:18Z&st=2021-01-04T01:41:18Z&spr=https&sig=UVhS9bPGqWhjKnlrQIMkWHD6Bdfdpym8vgZoQ6W9qDE%3D";

            BlobServiceClient blobServiceClient = new BlobServiceClient(new Uri(sas_uri));

            BlobContainerClient containerClient = blobServiceClient.GetBlobContainerClient(containerName);

            BlobClient blobClient = containerClient.GetBlobClient("20210104.txt");
            byte[] byteArray = Encoding.UTF8.GetBytes("This is a test.20210104");

            using (MemoryStream stream = new MemoryStream(byteArray))
            {
                // overwrite: true replaces an existing blob of the same name;
                // overwrite: false makes the call fail if the blob already exists (If-None-Match: *).
                blobClient.Upload(stream, true);
            }
        }
    }
}
Cindy Pau
  • You checked every box in that image. Can you check Blob only, Object only, and Create only and try again? Also, you're uploading by calling the `Upload` method. In my case, I upload multiple blocks by staging them and then commit the block ids at the end. See https://stackoverflow.com/a/65517234/246392. – user246392 Jan 04 '21 at 05:02
  • @user246392 I have updated my answer, please have a check. You must give the Write permission. I have done a test; giving it Write permission works fine on my side. – Cindy Pau Jan 04 '21 at 08:13
  • Giving write permission also allows the client to write to the same blob name multiple times. Is there a way to generate a token that allows a file upload only once? I need to prevent file overwrites. – user246392 Jan 04 '21 at 15:15
  • @user246392 In a word, 'there is no way to let a SAS token be used only once'. The only way to expire a SAS token manually is to change the key (but this will expire all the SAS tokens based on this key). So you can choose to do a workaround like below: get the IP of the user and allow only the user with that specific IP to use the temporary SAS token. – Cindy Pau Jan 06 '21 at 09:07
  • Thanks. Is it possible to do IP address filtering when we create a token for a specific blob? I used the `SharedAccessBlobPolicy` class in v11 and don't see a property for IP address whitelisting. – user246392 Jan 07 '21 at 00:00
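As an added example that is not code from the question or the answer: the staged-block upload the asker describes, run with a blob-scoped SAS that carries only Create and Write, a short expiry and the per-IP restriction suggested in the comments, using the v12 Azure.Storage.Blobs SDK. The account name, key, container, blob name and client IP are placeholders supplied by the caller.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Text;
using Azure;
using Azure.Storage;
using Azure.Storage.Blobs.Models;
using Azure.Storage.Blobs.Specialized;
using Azure.Storage.Sas;
class SasUploadExample
{
    // Issuer side: mint a SAS scoped to one blob with only Create + Write,
    // a 15-minute lifetime and the caller's IP (all inputs are placeholders).
    static Uri MintUploadSas(string account, string key, string container, string blobName, IPAddress clientIp)
    {
        var cred = new StorageSharedKeyCredential(account, key);
        var sas = new BlobSasBuilder
        {
            BlobContainerName = container,
            BlobName = blobName,  // one blob, not the whole container or account
            Resource = "b",
            ExpiresOn = DateTimeOffset.UtcNow.AddMinutes(15),
            IPRange = new SasIPRange(clientIp, clientIp),  // single-address range
            Protocol = SasProtocol.Https,
        };
        sas.SetPermissions(BlobSasPermissions.Create | BlobSasPermissions.Write);
        string query = sas.ToSasQueryParameters(cred).ToString();
        return new Uri($"https://{account}.blob.core.windows.net/{container}/{blobName}?{query}");
    }
    // Client side: stage 1 MB blocks, then commit the block list (this needs Write).
    static void UploadInBlocks(Uri blobSasUri, byte[] data)
    {
        var blob = new BlockBlobClient(blobSasUri);
        var ids = new List<string>();
        const int blockSize = 1024 * 1024;
        for (int offset = 0, i = 0; offset < data.Length; offset += blockSize, i++)
        {
            // Block ids must be base64 and the same length for every block in the blob.
            string id = Convert.ToBase64String(Encoding.UTF8.GetBytes($"block-{i:D6}"));
            int len = Math.Min(blockSize, data.Length - offset);
            using var chunk = new MemoryStream(data, offset, len);
            blob.StageBlock(id, chunk);
            ids.Add(id);
        }
        // Client-side guard only: the SAS cannot enforce single use, as the comments say.
        var noOverwrite = new BlobRequestConditions { IfNoneMatch = ETag.All };
        blob.CommitBlockList(ids, conditions: noOverwrite);
    }
}
```

The If-None-Match condition is set by this client, so it only protects a cooperative uploader against accidental overwrites; a client that omits it can still overwrite with the same token, exactly as the comments state.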