Azure Blob SAS URL for blob private endpoint?

MS Techie 2,716 Reputation points
2023-02-22T10:11:30.08+00:00

I have gone to my Azure Blob Storage account and enabled a private endpoint on it.

My Private Link URL will have the word privatelink in it, like below:

https://mystorageaccountname.privatelink.blob.core.windows.net.

But my blob SAS URL will be like

https://mystorageaccountname.blob.core.windows.net/?sv=2021-06-08&ss=bfqt&srt=sco&sp=rwdlacupiytfx&se=2023-02-22T17:44:10Z&st=2023-02-22T09:44:10Z&spr=https&sig=vp229Zp13IroruUvpcGDfkoF5i9iyuZnhe2c8lTYUMA

As you can see, the SAS URL does not have the privatelink URL in it.

So how do I create a SAS URL containing the private endpoint URL in it?

Basically I want the on-prem application to connect to Azure Blob via a SAS URL, going through the private endpoint URL.


3 answers

  1. Vasileios Dionysopoulos 641 Reputation points
    2023-02-22T10:30:32.4466667+00:00

    Hello,

    To create a SAS URL for Azure Blob storage that includes an Azure Private Link URL, you can follow these steps:

    1. Generate a Shared Access Signature (SAS) for your Azure Blob storage account, container, or blob using the Azure Portal, Azure CLI, or Azure Storage SDKs.
    2. In the SAS URL, replace the storage account name in the URL with the Private Link URL of the storage account. For example, if your storage account name is mystorageaccount and the Private Link URL is https://myprivatelink.blob.core.windows.net, replace mystorageaccount.blob.core.windows.net with myprivatelink.blob.core.windows.net in the SAS URL.
    3. The SAS URL should now include the Private Link URL and can be used to access your Azure Blob storage securely over the private endpoint.

    Note that to use the SAS URL with the Private Link URL, the client making the request must be connected to the same virtual network or Azure ExpressRoute circuit as the storage account.

    I hope this helps.

    Please upvote if the answer fits your needs.
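
The host swap in step 2 above works because the SAS signature (`sig`) is computed over the SAS fields and the canonical resource path, not over the hostname the request is sent to. The following example is added here and is not code from the answer or from Microsoft: it rewrites the public blob host of an existing SAS URL to the account's `<account>.privatelink.blob.core.windows.net` name using only the standard library, keeping the query string byte-for-byte, and runs the checks a reviewer would want before handing the URL to an on-prem application (HTTPS-only, not expired, short lifetime, no write/delete or service-level rights). The sample SAS URL is the one from the question (its signature is not verified against any key); the names `rewrite_sas_host`, `review_sas` and `sas_params` are this example's own.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed sample: the SAS URL posted in the question. Nothing here checks
# the signature against an account key; only the URL structure is handled.
SAMPLE_SAS_URL = (
    "https://mystorageaccountname.blob.core.windows.net/"
    "?sv=2021-06-08&ss=bfqt&srt=sco&sp=rwdlacupiytfx"
    "&se=2023-02-22T17:44:10Z&st=2023-02-22T09:44:10Z&spr=https"
    "&sig=vp229Zp13IroruUvpcGDfkoF5i9iyuZnhe2c8lTYUMA"
)

PUBLIC_SUFFIX = ".blob.core.windows.net"
SAS_TIME = "%Y-%m-%dT%H:%M:%SZ"


def sas_params(sas_url):
    """Return the SAS query parameters as a flat dict (first value wins)."""
    query = parse_qs(urlsplit(sas_url).query, keep_blank_values=True)
    return {k: v[0] for k, v in query.items()}


def rewrite_sas_host(sas_url, private_link_host=None):
    """Swap the public blob hostname for the account's private-link FQDN.

    Path and query (and therefore 'sig') are copied unchanged: the signature
    covers the SAS fields and the canonical resource, not the hostname.
    If private_link_host is omitted it is derived from the account name.
    """
    parts = urlsplit(sas_url)
    if parts.scheme != "https":
        raise ValueError("SAS URL must use https")
    host = parts.hostname or ""
    if not host.endswith(PUBLIC_SUFFIX):
        raise ValueError("not a blob endpoint hostname: %r" % host)
    if "sig" not in sas_params(sas_url):
        raise ValueError("URL carries no SAS signature")
    account = host[: -len(PUBLIC_SUFFIX)]
    expected = "%s.privatelink%s" % (account, PUBLIC_SUFFIX)
    if private_link_host is None:
        private_link_host = expected
    elif private_link_host.lower() != expected:
        raise ValueError("private link host for %r should be %r" % (account, expected))
    return urlunsplit((parts.scheme, private_link_host, parts.path, parts.query, parts.fragment))


def _sas_time(value):
    """Parse a SAS timestamp (UTC, 'Z' suffix) into an aware datetime."""
    return datetime.strptime(value, SAS_TIME).replace(tzinfo=timezone.utc)


def review_sas(sas_url, now=None, max_lifetime=timedelta(hours=24)):
    """Checks to run before giving a SAS URL to an application.

    'now' may be an aware datetime or a string in SAS time format; it
    defaults to the current UTC time. Returns a list of findings.
    """
    p = sas_params(sas_url)
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _sas_time(now)
    findings = []
    if p.get("spr") != "https":
        findings.append("spr is not https-only")
    if "se" not in p:
        findings.append("no expiry (se) set")
    else:
        expiry = _sas_time(p["se"])
        if expiry <= now:
            findings.append("expired at %s" % p["se"])
        elif expiry - now > max_lifetime:
            findings.append("lifetime exceeds %s" % max_lifetime)
    perms = p.get("sp", "")
    if set(perms) & set("wdc"):  # write, delete, create
        findings.append("write/delete permissions granted (sp=%s)" % perms)
    if "s" in p.get("srt", ""):
        findings.append("service-level resource type granted (srt=%s)" % p["srt"])
    return findings


if __name__ == "__main__":
    print(rewrite_sas_host(SAMPLE_SAS_URL))
    for finding in review_sas(SAMPLE_SAS_URL):
        print("finding:", finding)
```

Run against the question's URL, `review_sas` flags the account SAS as carrying write/delete rights and service-level scope: a token handed to an on-prem application over a private endpoint should normally be a blob- or container-scoped SAS with read-only permission and a short expiry, since the private endpoint changes the network path but not what the token authorises.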


  2. Vasileios Dionysopoulos 641 Reputation points
    2023-02-22T18:52:34.05+00:00

    You can create a SAS URL that includes the Private Link URL of your Azure Blob storage account by using the Azure Storage SDKs.

    Here's an example of how you can create a SAS URL that includes the Private Link URL:

    from datetime import datetime, timedelta, timezone
    from azure.storage.blob import (
        generate_account_sas,
        generate_blob_sas,
        ResourceTypes,
        AccountSasPermissions,
        BlobSasPermissions,
    )

    account_name = "mystorageaccountname"
    account_key = "myaccountkey"  # base64-encoded storage account key
    private_link_domain = "mystorageaccountname.privatelink.blob.core.windows.net"
    url_prefix = f"https://{private_link_domain}"

    now = datetime.now(timezone.utc)

    # Generate an account-level SAS token for the storage account
    account_sas = generate_account_sas(
        account_name=account_name,
        account_key=account_key,
        resource_types=ResourceTypes(object=True),
        permission=AccountSasPermissions(read=True, write=True, list=True),
        protocol="https",
        start=now,
        expiry=now + timedelta(hours=1),
    )

    # Generate a blob-level SAS token; it is signed with the account key
    # (a SAS cannot be derived from another SAS)
    blob_sas = generate_blob_sas(
        account_name=account_name,
        account_key=account_key,
        container_name="mycontainer",
        blob_name="myblob",
        permission=BlobSasPermissions(read=True),
        protocol="https",
        start=now,
        expiry=now + timedelta(hours=1),
    )

    # The signature does not cover the hostname, so the Private Link FQDN
    # can be used as the URL prefix for either token
    account_sas_url = f"{url_prefix}/?{account_sas}"
    blob_sas_url = f"{url_prefix}/mycontainer/myblob?{blob_sas}"

    print(account_sas_url)
    print(blob_sas_url)


    In this example, you first generate an account-level SAS token for the storage account, and then use it to generate a blob-level SAS token that includes the Private Link URL. The url_prefix parameter is used to specify the Private Link URL of the storage account.

    Note that in order to use the SAS URL with the Private Link URL, the client making the request must be connected to the same virtual network or Azure ExpressRoute circuit as the storage account.

    Also, there are some things you can check:

    1. Check that the client is connected to the same virtual network or Azure ExpressRoute circuit as the storage account. If the client is not connected to the same network, it will not be able to access the storage account over the Private Link.
    2. Ensure that the Private Endpoint for the Azure Blob storage account has been configured correctly. Check that the Private Endpoint has been provisioned in the same virtual network as the client and that the Private DNS zone has been configured correctly.
    3. Verify that the SAS URL has been correctly updated to include the Private Link URL. Double-check that you have replaced the storage account name in the URL with the Private Link URL of the storage account correctly, as described earlier.
    4. If you are still facing issues, check the logs and diagnostic information to see if there are any errors or issues that could be causing the problem. You can use the Azure Portal or Azure Storage SDKs to access the logs and diagnostics information for the storage account.

    Hope this helps.

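Checks 1 and 2 in the answer above come down to one question: what does the client's resolver return for `<account>.blob.core.windows.net`? If the private DNS zone is in the resolution path the name resolves to the private endpoint's VNet address; if it is not, the name resolves to a public Azure address and the request never uses the private endpoint, whatever host the SAS URL carries. The example below is added here and is not code from the answer or from Microsoft: `classify_resolution` is a pure function over resolver output (so it can be run on captured `nslookup` results), and `check_storage_dns` performs the live lookup from the machine it runs on. The verdict strings and the sample addresses are this example's own constructions.

```python
import ipaddress
import socket

PRIVATE_LINK_SUFFIX = ".privatelink.blob.core.windows.net"


def classify_resolution(fqdn, addresses, names=()):
    """Classify what a resolver returned for a storage account FQDN.

    addresses: IP strings from the A/AAAA records.
    names: canonical name plus aliases seen in the CNAME chain, if known.
    Returns (verdict, detail).
    """
    if not addresses:
        return ("no-answer",
                "%s did not resolve: the private DNS zone is not reachable "
                "from this resolver, or the name is wrong" % fqdn)
    ips = [ipaddress.ip_address(a) for a in addresses]
    joined = ", ".join(addresses)
    if all(ip.is_private for ip in ips):
        detail = "resolves to private endpoint address(es) %s" % joined
        if not any(n.lower().endswith(PRIVATE_LINK_SUFFIX) for n in names):
            detail += "; privatelink CNAME not visible in the returned chain"
        return ("private-endpoint", detail)
    if all(ip.is_global for ip in ips):
        return ("public-endpoint",
                "resolves to public address(es) %s: the query did not hit the "
                "private DNS zone, so traffic goes to the public endpoint and "
                "the storage account firewall decides whether it is allowed" % joined)
    return ("mixed", "unexpected mix of private and public addresses: %s" % joined)


def check_storage_dns(account, resolver=socket.gethostbyname_ex):
    """Live check using this machine's resolver (i.e. the client's view).

    'resolver' is injectable so the function can be exercised offline.
    """
    fqdn = "%s.blob.core.windows.net" % account
    try:
        canonical, aliases, addrs = resolver(fqdn)
    except socket.gaierror:
        return classify_resolution(fqdn, [])
    return classify_resolution(fqdn, addrs, [canonical] + list(aliases))


if __name__ == "__main__":
    # Constructed resolver output standing in for a correctly configured VNet
    # client: public name -> privatelink CNAME -> private endpoint address.
    fake = lambda fqdn: ("blob.example.store.core.windows.net",
                         [fqdn, "acct" + PRIVATE_LINK_SUFFIX], ["10.0.1.4"])
    print(check_storage_dns("acct", resolver=fake))
    # Constructed output for a client whose resolver bypasses the private zone.
    print(classify_resolution("acct.blob.core.windows.net", ["20.60.1.1"]))
```

For the on-prem scenario raised further down the thread, the verdict to aim for from the on-prem client is `private-endpoint`: that requires the on-prem DNS servers to forward queries for `blob.core.windows.net` to a resolver inside the VNet (a DNS forwarder VM or Azure DNS Private Resolver) that can see the `privatelink.blob.core.windows.net` private zone. A `public-endpoint` verdict from on-prem means the request will leave the VPN path and be evaluated by the storage account's public firewall rules instead.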

  3. Marcel 6 Reputation points
    2024-05-13T21:28:31.2233333+00:00

    I'm unsure if I understand correctly. Will this work in this scenario:

    1. VNet is VPN-connected to on-prem and uses on-prem custom DNS servers
    2. storage account is exposed only via private endpoint IP in VNet
    3. client is on-prem trying to connect to internal IP (private endpoint) using SAS
