def container_access_policy(self):
# SAS URL is calculated from storage key, so this test runs live only
if TestMode.need_recording_file(self.test_mode):
return
# Instantiate a BlobServiceClient using a connection string
from azure.storage.blob import BlobServiceClient
blob_service_client = BlobServiceClient.from_connection_string(
self.connection_string)
# Instantiate a ContainerClient
container_client = blob_service_client.get_container_client(
"myaccesscontainer")
try:
# Create new Container
container_client.create_container()
# [START set_container_access_policy]
# Create access policy
from azure.storage.blob import AccessPolicy, ContainerSasPermissions
access_policy = AccessPolicy(
permission=ContainerSasPermissions(read=True),
expiry=datetime.utcnow() + timedelta(hours=1),
start=datetime.utcnow() - timedelta(minutes=1))
identifiers = {'test': access_policy}
# Set the access policy on the container
container_client.set_container_access_policy(
signed_identifiers=identifiers)
# [END set_container_access_policy]
# [START get_container_access_policy]
policy = container_client.get_container_access_policy()
# [END get_container_access_policy]
# [START generate_sas_token]
# Use access policy to generate a sas token
from azure.storage.blob import generate_container_sas
sas_token = generate_container_sas(
container_client.account_name,
container_client.container_name,
account_key=container_client.credential.account_key,
policy_id='my-access-policy-id')
# [END generate_sas_token]
# Use the sas token to authenticate a new client
# [START create_container_client_sastoken]
from azure.storage.blob import ContainerClient
container = ContainerClient.from_container_url(
container_url=
"https://account.blob.core.windows.net/mycontainer",
credential=sas_token)
# [END create_container_client_sastoken]
finally:
# Delete container
container_client.delete_container()
async def container_access_policy_async(self):
# Instantiate a BlobServiceClient using a connection string
from azure.storage.blob.aio import BlobServiceClient
blob_service_client = BlobServiceClient.from_connection_string(
self.connection_string)
async with blob_service_client:
# Instantiate a ContainerClient
container_client = blob_service_client.get_container_client(
"myaccesscontainerasync")
try:
# Create new Container
await container_client.create_container()
# [START set_container_access_policy]
# Create access policy
from azure.storage.blob import AccessPolicy, ContainerSasPermissions
access_policy = AccessPolicy(
permission=ContainerSasPermissions(read=True),
expiry=datetime.utcnow() + timedelta(hours=1),
start=datetime.utcnow() - timedelta(minutes=1))
identifiers = {'my-access-policy-id': access_policy}
# Set the access policy on the container
await container_client.set_container_access_policy(
signed_identifiers=identifiers)
# [END set_container_access_policy]
# [START get_container_access_policy]
policy = await container_client.get_container_access_policy()
# [END get_container_access_policy]
# [START generate_sas_token]
# Use access policy to generate a sas token
from azure.storage.blob import generate_container_sas
sas_token = generate_container_sas(
container_client.account_name,
container_client.container_name,
account_key=container_client.credential.account_key,
policy_id='my-access-policy-id')
# [END generate_sas_token]
# Use the sas token to authenticate a new client
# [START create_container_client_sastoken]
from azure.storage.blob.aio import ContainerClient
container = ContainerClient.from_container_url(
container_url=
"https://account.blob.core.windows.net/mycontainerasync",
credential=sas_token,
)
# [END create_container_client_sastoken]
finally:
# Delete container
await container_client.delete_container()
def test_set_container_acl_with_one_signed_identifier(self):
# Arrange
container = self._create_container()
# Act
access_policy = AccessPolicy(permission=ContainerPermissions.READ,
expiry=datetime.utcnow() + timedelta(hours=1),
start=datetime.utcnow())
signed_identifiers = {'testid': access_policy}
response = container.set_container_access_policy(signed_identifiers)
# Assert
self.assertIsNotNone(response.get('etag'))
self.assertIsNotNone(response.get('last_modified'))
def test_set_container_acl_too_many_ids(self):
# Arrange
container_name = self._create_container()
# Act
identifiers = dict()
for i in range(0, 6):
identifiers['id{}'.format(i)] = AccessPolicy()
# Assert
with self.assertRaises(ValueError) as e:
container_name.set_container_access_policy(identifiers)
self.assertEqual(
str(e.exception),
'Too many access policies provided. The server does not support setting more than 5 access policies on a single resource.'
)
def test_set_container_acl_with_signed_identifiers(self):
# Arrange
container = self._create_container()
# Act
access_policy = AccessPolicy(permission=ContainerPermissions.READ,
expiry=datetime.utcnow() + timedelta(hours=1),
start=datetime.utcnow() - timedelta(minutes=1))
identifiers = {'testid': access_policy}
container.set_container_access_policy(identifiers)
# Assert
acl = container.get_container_access_policy()
self.assertIsNotNone(acl)
self.assertEqual('testid', acl.get('signed_identifiers')[0].id)
self.assertIsNone(acl.get('public_access'))
def test_set_container_acl_with_three_identifiers(self):
# Arrange
container = self._create_container()
access_policy = AccessPolicy(permission=ContainerSasPermissions(read=True),
expiry=datetime.utcnow() + timedelta(hours=1),
start=datetime.utcnow() - timedelta(minutes=1))
identifiers = {i: access_policy for i in range(3)}
# Act
container.set_container_access_policy(identifiers)
# Assert
acl = container.get_container_access_policy()
self.assertEqual(3, len(acl.get('signed_identifiers')))
self.assertEqual('0', acl.get('signed_identifiers')[0].id)
self.assertIsNotNone(acl.get('signed_identifiers')[0].access_policy)
self.assertIsNone(acl.get('public_access'))
def test_set_container_acl_with_lease_id(self):
# Arrange
container = self._create_container()
lease_id = container.acquire_lease()
# Act
access_policy = AccessPolicy(
permission=ContainerSasPermissions(read=True),
expiry=datetime.utcnow() + timedelta(hours=1),
start=datetime.utcnow())
signed_identifiers = {'testid': access_policy}
container.set_container_access_policy(signed_identifiers,
lease=lease_id)
# Assert
acl = container.get_container_access_policy()
self.assertIsNotNone(acl)
self.assertIsNone(acl.get('public_access'))
def test_set_container_acl(self):
# Arrange
container = self._create_container()
# Act
access_policy = AccessPolicy(
permission=ContainerSasPermissions(read=True),
expiry=datetime.utcnow() + timedelta(hours=1),
start=datetime.utcnow())
signed_identifier = {'testid': access_policy}
response = container.set_container_access_policy(signed_identifier)
self.assertIsNotNone(response.get('etag'))
self.assertIsNotNone(response.get('last_modified'))
# Assert
acl = container.get_container_access_policy()
self.assertIsNotNone(acl)
self.assertEqual(len(acl.get('signed_identifiers')), 1)
self.assertIsNone(acl.get('public_access'))
async def get_and_set_container_access_policy():
service_client = BlobServiceClient.from_connection_string(
CONNECTION_STRING)
container_client = service_client.get_container_client("mynewcontainer")
async with service_client:
print("\n..Creating container")
try:
await container_client.create_container()
except ResourceExistsError:
pass
# Create access policy
access_policy = AccessPolicy(
permission=ContainerSasPermissions(read=True, write=True),
expiry=datetime.utcnow() + timedelta(hours=1),
start=datetime.utcnow() - timedelta(minutes=1))
identifiers = {'read': access_policy}
# Specifies full public read access for container and blob data.
public_access = PublicAccess.Container
# Set the access policy on the container
await container_client.set_container_access_policy(
signed_identifiers=identifiers, public_access=public_access)
for identifier_name, access_policy in identifiers.items():
print(
"Created container has identifier '{}' with permissions '{}', start date '{}', and expiry date '{}'."
.format(identifier_name, access_policy.permission,
access_policy.start, access_policy.expiry))
# Get the access policy on the container
print("\n..Getting container access policy")
access_policy = await container_client.get_container_access_policy()
print(f"Blob Access Type: {access_policy['public_access']}")
for identifier in access_policy['signed_identifiers']:
print(
f"Identifier '{identifier.id}' has permissions '{identifier.access_policy.permission}''"
)
def test_list_containers_with_public_access(self):
# Arrange
container = self._create_container()
access_policy = AccessPolicy(
permission=ContainerSasPermissions(read=True),
expiry=datetime.utcnow() + timedelta(hours=1),
start=datetime.utcnow())
signed_identifiers = {'testid': access_policy}
resp = container.set_container_access_policy(
signed_identifiers, public_access=PublicAccess.Blob)
# Act
containers = list(
self.bsc.list_containers(
name_starts_with=container.container_name))
# Assert
self.assertIsNotNone(containers)
self.assertGreaterEqual(len(containers), 1)
self.assertIsNotNone(containers[0])
self.assertNamedItemInContainer(containers, container.container_name)
self.assertEqual(containers[0].public_access, PublicAccess.Blob)
