Description
In the previous version I was using (3.3.1), I was able to specify a SAS token for a container (and thus limit the token to the scope of the container). However, in the new code, since a BlobServiceClient is used to allocate the connection, I have to specify a SAS token for the entire blob storage container, which is harder to maintain (no access policies) and makes me expose more of the blob storage container than desired.
Steps to reproduce:
- Using a blob storage account, create a container
- In the container configuration, create an access policy and then create a SAS token
- Create a logger like so:
```csharp
string logName = $"{{yyyy}}/{{MM}}/{{dd}}/mylog-{Environment.MachineName}.log";
Log.Logger = new LoggerConfiguration()
    .ReadFrom.AppSettings()
    .WriteTo.AzureBlobStorage(
        sharedAccessSignature: "yoursastoken",
        storageContainerName: "yourcontainername",
        blobEndpoint: new Uri("https://yourblobstorageserver.blob.core.windows.net"),
        period: TimeSpan.FromSeconds(30),
        storageFileName: logName)
    .CreateLogger();
```
You will get the following error:
```
[11:58:272024-11-18T19:58:27.5526757Z Failed to create blob container: Azure.RequestFailedException: This request is not authorized to perform this operation.
RequestId:22bd3307-801e-0000-7af4-39de61000000
Time:2024-11-18T19:58:27.3402481Z
Status: 403 (This request is not authorized to perform this operation.)
ErrorCode: AuthorizationFailure
Content:
?AuthorizationFailureThis request is not authorized to perform this operation.
RequestId:22bd3307-801e-0000-7af4-39de61000000
Time:2024-11-18T19:58:27.3402481Z
Headers:
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 22bd3307-801e-0000-7af4-39de61000000
x-ms-client-request-id: 8b1b0098-2e19-4043-bba3-2cc3a951cb20
x-ms-version: 2025-01-05
x-ms-error-code: AuthorizationFailure
Date: Mon, 18 Nov 2024 19:58:27 GMT
Content-Length: 246
Content-Type: application/xml
   at Azure.Storage.Blobs.ContainerRestClient.CreateAsync(Nullable`1 timeout, IDictionary`2 metadata, Nullable`1 access, String defaultEncryptionScope, Nullable`1 preventEncryptionScopeOverride, CancellationToken cancellationToken)
   at Azure.Storage.Blobs.BlobContainerClient.CreateInternal(PublicAccessType publicAccessType, IDictionary`2 metadata, BlobContainerEncryptionScopeOptions encryptionScopeOptions, Boolean async, CancellationToken cancellationToken, String operationName)
   at Azure.Storage.Blobs.BlobContainerClient.CreateIfNotExistsInternal(PublicAccessType publicAccessType, IDictionary`2 metadata, BlobContainerEncryptionScopeOptions encryptionScopeOptions, Boolean async, CancellationToken cancellationToken)
   at Azure.Storage.Blobs.BlobContainerClient.CreateIfNotExistsAsync(PublicAccessType publicAccessType, IDictionary`2 metadata, BlobContainerEncryptionScopeOptions encryptionScopeOptions, CancellationToken cancellationToken)
   at Serilog.Sinks.AzureBlobStorage.AzureBlobProvider.DefaultCloudBlobProvider.CreateBlobContainerIfNotExistsAsync(BlobContainerClient blobContainerClient, Boolean bypassBlobCreationValidation)
```
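An added example, not part of the issue or of the sink's code (written in Python rather than C# so it runs without the Azure SDK): a pre-deployment check that classifies a SAS query string by scope and reports whether it could authorize the container-create call that returns 403 in the trace above. The sample tokens, the policy name `logwriter` and the function names are constructed for illustration.

```python
from urllib.parse import parse_qs

# Constructed sample tokens; the signatures are placeholders, not real values.
CONTAINER_SAS = "?sv=2022-11-02&sr=c&si=logwriter&sig=CONSTRUCTED"
ACCOUNT_SAS = ("sv=2022-11-02&ss=b&srt=sco&sp=rwlac"
               "&se=2030-01-01T00:00:00Z&sig=CONSTRUCTED")


def classify_sas(token: str) -> dict:
    """Classify an Azure Storage SAS query string by the scope it grants."""
    q = {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}
    perms = q.get("sp", "")  # absent when a stored access policy supplies them
    if "ss" in q and "srt" in q:
        # Account SAS: ss = signed services, srt = resource types (s, c, o).
        scope = "account"
        # Create Container needs resource type 'c' plus Create or Write.
        can_create = "c" in q["srt"] and any(p in perms for p in "cw")
    elif "sr" in q:
        # Service SAS: sr = signed resource ('c' container, 'b' blob).
        scope = {"c": "container", "b": "blob"}.get(q["sr"], "other")
        # A service SAS works inside an existing container only.
        can_create = False
    else:
        scope, can_create = "unknown", False
    return {
        "scope": scope,
        "stored_policy": q.get("si"),  # stored access policy identifier
        "permissions": perms,
        "expiry": q.get("se"),
        "can_create_container": can_create,
    }


def review(token: str) -> list:
    """Return least-privilege findings for a token handed to a log sink."""
    info = classify_sas(token)
    findings = []
    if info["scope"] == "account":
        findings.append("account-scoped: grants access beyond one container")
    if info["stored_policy"] is None:
        findings.append("no stored access policy: cannot be revoked individually")
    if not info["can_create_container"]:
        findings.append("cannot create containers: container must already exist")
    return findings
```
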