Azure / azure-powershell

Microsoft Azure PowerShell

New-AzStorageBlobSASToken will not validate the start and expiry time when using StorageAccountKey as the Context #26478

Open leoliudan opened 1 week ago

leoliudan commented 1 week ago

Description

When using UseConnectedAccount as the context, New-AzStorageBlobSASToken will validate the StartTime and ExpiryTime. But if using StorageAccountKey as the context, New-AzStorageBlobSASToken will not validate the StartTime and ExpiryTime.

$context = New-AzStorageContext -StorageAccountName "danpaas" -UseConnectedAccount
$context = New-AzStorageContext -StorageAccountName "danpaas" -StorageAccountKey

Issue script & Debug output

no error happened; this issue could be reproduced.

C:\Users\user>pwsh
PowerShell 7.4.5
PS C:\Users\user> $blobName = "1.txt"
PS C:\Users\user> $containerName = "test"
PS C:\Users\user>
PS C:\Users\user> # Create a storage context (if not already created)
PS C:\Users\user> $context = New-AzStorageContext -StorageAccountName "danpaas" -UseConnectedAccount
PS C:\Users\user> $date = Get-Date
PS C:\Users\user> $startTime = $date.AddHours(10)
PS C:\Users\user> $expiryTime = $date.AddHours(5)
PS C:\Users\user> # Generate the SAS token
PS C:\Users\user> $sasToken = New-AzStorageBlobSASToken `
-Container $containerName `
-Blob $blobName `
-Permission rwdl `
-StartTime $startTime `
-ExpiryTime $expiryTime `
-Context $context

New-AzStorageBlobSASToken: Start time 10/25/2024 12:32:35 PM +00:00 is later than expiry time 10/25/2024 7:32:35 AM +00:00.

PS C:\Users\user> $startTime = [System.DateTime]::Now.AddMonths(-1)
PS C:\Users\user> $expiryTime = [System.DateTime]::Now.AddMonths(-2)
PS C:\Users\user> $sasToken = New-AzStorageBlobSASToken `
-Container $containerName `
-Blob $blobName `
-Permission rwdl `
-StartTime $startTime `
-ExpiryTime $expiryTime `
-Context $context

New-AzStorageBlobSASToken: Expiry time 8/25/2024 2:32:47 AM +00:00 is earlier than now.

PS C:\Users\user> $context = New-AzStorageContext -StorageAccountName "danpaas" -StorageAccountKey "access key"
PS C:\Users\user> $sasToken = New-AzStorageBlobSASToken `
-Container $containerName `
-Blob $blobName `
-Permission rwdl `
-StartTime $startTime `
-ExpiryTime $expiryTime `
-Context $context

PS C:\Users\user> $date = Get-Date
PS C:\Users\user> $startTime = $date.AddHours(10)
PS C:\Users\user> $expiryTime = $date.AddHours(5)
PS C:\Users\user> $sasToken = New-AzStorageBlobSASToken -Container $containerName -Blob $blobName -Permission rwdl -StartTime $startTime -ExpiryTime $expiryTime -Context $context

Environment data

$psversiontable

Name                           Value
----                           -----
PSVersion                      7.4.5
PSEdition                      Core
GitCommitId                    7.4.5
OS                             Microsoft Windows 10.0.26100
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

Get-InstalledModule -Name Az.Storage -AllVersions

Version Name       Repository Description
------- ----       ---------- -----------
7.4.0   Az.Storage PSGallery  Microsoft Azure PowerShell - Storage service data plane and management cmdlets for …

Error output

no error happened, this issue could be reproduced.

yifanz7 commented 1 week ago

@leoliudan The different behaviors here are expected.

When using -UseConnectedAccount (OAuth credential) to generate the SAS URL, a user delegation key will be needed, which has a very strict requirement for the start/expiry time, and the PSH cmdlet will need to talk to the server for that. That's the reason for the check here. However, for -StorageAccountKey (shared key credential), the preparation is all on the client, and the PSH cmdlet would return any errors returned by the server. Normally we don't add additional checks like this on the client side.

leoliudan commented 1 week ago

@yifanz7 Do you mean we will not add this validation in the PSH cmdlet when using the shared key credential, and customers need to validate this on their client side? Is my understanding correct?

yifanz7 commented 1 week ago

@leoliudan Correct, we will not add this validation in the PSH cmdlet. Customers can validate on their own, or the server will return an error if the customers use an invalid SAS URL.
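Since the maintainers leave the check to the caller for shared-key contexts, the following is an added example (not code from the azure-powershell project or from either participant) of a client-side wrapper that applies the same start/expiry checks the OAuth path performs before minting a token; the function names and the 24-hour lifetime cap are assumptions.

```powershell
# Added example, not part of the Az.Storage module: validate the SAS time window on the
# client before calling New-AzStorageBlobSASToken with a -StorageAccountKey context.
function Test-SasTimeWindow {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [datetime] $StartTime,
        [Parameter(Mandatory)] [datetime] $ExpiryTime,
        [timespan] $MaxLifetime = [timespan]::FromHours(24)   # assumed policy cap
    )
    $now    = [datetimeoffset]::UtcNow
    $start  = [datetimeoffset]$StartTime
    $expiry = [datetimeoffset]$ExpiryTime
    # Same two conditions the cmdlet reports for user-delegation SAS, plus a lifetime cap.
    if ($start -ge $expiry) {
        throw "Start time $start is later than expiry time $expiry."
    }
    if ($expiry -le $now) {
        throw "Expiry time $expiry is earlier than now ($now)."
    }
    if (($expiry - $start) -gt $MaxLifetime) {
        throw "SAS lifetime $($expiry - $start) exceeds the allowed maximum of $MaxLifetime."
    }
    return $true
}

function New-ValidatedBlobSasToken {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Container,
        [Parameter(Mandatory)] [string]   $Blob,
        [Parameter(Mandatory)] [string]   $Permission,
        [Parameter(Mandatory)] [datetime] $StartTime,
        [Parameter(Mandatory)] [datetime] $ExpiryTime,
        [Parameter(Mandatory)]            $Context
    )
    # Fail closed: with a shared-key context the cmdlet would otherwise hand back a
    # token that the service will reject (or that is already unusable).
    $null = Test-SasTimeWindow -StartTime $StartTime -ExpiryTime $ExpiryTime
    New-AzStorageBlobSASToken -Container $Container -Blob $Blob -Permission $Permission `
        -StartTime $StartTime -ExpiryTime $ExpiryTime -Context $Context
}

# Reproduces the inverted window from the issue; the check throws instead of returning.
$date = Get-Date
try {
    Test-SasTimeWindow -StartTime $date.AddHours(10) -ExpiryTime $date.AddHours(5)
} catch {
    Write-Warning $_.Exception.Message
}
```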