Shared Access Signature

Windows Azure Blob Storage provides a feature called "Shared Access Signatures". By default, there is only one level of authorization possible in Windows Azure Blob Storage: either a container is private or it is public. Shared Access Signatures provide a more granular method of authorization: read, write, delete and list permissions can be assigned on a container or a blob and given to a specific client using a URL-based model.

An example would be the following signature:


http://phpstorage.blob.core.windows.net/phpazuretestshared1?st=2009-08-17T09%3A06%3A17Z&se=2009-08-17T09%3A56%3A17Z&sr=c&sp=w&sig=hscQ7Su1nqd91OfMTwTkxabhJSaspx%2BD%2Fz8UqZAgn9s%3D
        

The above signature gives write access to the "phpazuretestshared1" container of the "phpstorage" account.

Generating a Shared Access Signature

When you are the owner of a Windows Azure Blob Storage account, you can create and distribute a shared access key for any type of resource in your account. To do this, the generateSharedAccessUrl() method of the Zend_Service_WindowsAzure_Storage_Blob storage client can be used.

The following example code will generate a Shared Access Signature for write access in a container named "container1", within a timeframe of 3000 seconds.

Example 896. Generating a Shared Access Signature for a container

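<?php
$storageClient = new Zend_Service_WindowsAzure_Storage_Blob();
$sharedAccessUrl = $storageClient->generateSharedAccessUrl(
    'container1',                            // container name
    '',                                      // blob name (empty: whole container)
    'c',                                     // signed resource: c = container
    'w',                                     // permissions: w = write
    $storageClient->isoDate(time() - 500),   // start time
    $storageClient->isoDate(time() + 3000)   // expiry time
);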

The following example code will generate a Shared Access Signature for read access in a blob named test.txt in a container named "container1" within a time frame of 3000 seconds.

Example 897. Generating a Shared Access Signature for a blob

<?php
$storageClient = new Zend_Service_WindowsAzure_Storage_Blob();
$sharedAccessUrl = $storageClient->generateSharedAccessUrl(
    'container1',                            // container name
    'test.txt',                              // blob name
    'b',                                     // signed resource: b = blob
    'r',                                     // permissions: r = read
    $storageClient->isoDate(time() - 500),   // start time
    $storageClient->isoDate(time() + 3000)   // expiry time
);

Working with Shared Access Signatures from others

When you receive a Shared Access Signature from someone else, you can use the Windows Azure SDK for PHP to work with the addressed resource. For example, the following signature can be retrieved from the owner of a storage account:


http://phpstorage.blob.core.windows.net/phpazuretestshared1?st=2009-08-17T09%3A06%3A17Z&se=2009-08-17T09%3A56%3A17Z&sr=c&sp=w&sig=hscQ7Su1nqd91OfMTwTkxabhJSaspx%2BD%2Fz8UqZAgn9s%3D
            

The above signature gives write access to the "phpazuretestshared1" container of the "phpstorage" account. Since the shared key for the account is not known, the Shared Access Signature can be used to work with the authorized resource.

Example 898. Consuming a Shared Access Signature for a container

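<?php
// Host and account name; the account key is left empty because it is not known.
$storageClient = new Zend_Service_WindowsAzure_Storage_Blob(
    'blob.core.windows.net', 'phpstorage', ''
);

// Switch the client to Shared Access Signature credentials.
$storageClient->setCredentials(
    new Zend_Service_WindowsAzure_Credentials_SharedAccessSignature()
);

// Register the signature URL(s) received from the account owner.
$storageClient->getCredentials()->setPermissionSet(array(
    'http://phpstorage.blob.core.windows.net/phpazuretestshared1?st=2009-08-17T09%3A06%3A17Z&se=2009-08-17T09%3A56%3A17Z&sr=c&sp=w&sig=hscQ7Su1nqd91OfMTwTkxabhJSaspx%2BD%2Fz8UqZAgn9s%3D'
));

// Upload a local file as NewBlob.txt into the shared container.
$storageClient->putBlob(
    'phpazuretestshared1', 'NewBlob.txt', 'C:\Files\dataforazure.txt'
);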

Note that there was no explicit permission to write to a specific blob. Instead, the Windows Azure SDK for PHP determined that a permission was required to either write to that specific blob, or to write to its container. Since only a signature was available for the latter, the Windows Azure SDK for PHP chose those credentials to perform the request on Windows Azure blob storage.
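
The query parameters of a Shared Access Signature URL can be inspected before the URL is distributed or passed to setPermissionSet(). The following is an added example, not code from Zend Framework or the Windows Azure SDK for PHP; auditSharedAccessUrl() and its one-hour limit are hypothetical, and the checks assume the st, se, sr, sp and sig parameters shown in the URLs above.

```php
<?php
// Added example, not Zend Framework or SDK code. auditSharedAccessUrl() and
// the default one-hour limit are hypothetical choices for illustration.
function auditSharedAccessUrl($url, $maxSeconds = 3600)
{
    $parts = parse_url($url);
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'], $parts['path'])) {
        throw new InvalidArgumentException('Not an absolute resource URL');
    }
    parse_str(isset($parts['query']) ? $parts['query'] : '', $q);
    // Fields present in the signature URLs shown on this page (st checked below).
    foreach (array('se', 'sr', 'sp', 'sig') as $key) {
        if (empty($q[$key])) {
            throw new InvalidArgumentException("Missing '$key' parameter");
        }
    }
    $names = array('r' => 'read', 'w' => 'write', 'd' => 'delete', 'l' => 'list');
    $granted = array();
    foreach (str_split($q['sp']) as $flag) {
        $granted[] = isset($names[$flag]) ? $names[$flag] : "unknown($flag)";
    }
    // parse_str() has already URL-decoded the timestamps.
    $start  = isset($q['st']) ? strtotime($q['st']) : false;
    $expiry = strtotime($q['se']);
    $window = ($start !== false && $expiry !== false) ? $expiry - $start : null;

    $warnings = array();
    if (strtolower($parts['scheme']) !== 'https') {
        $warnings[] = 'not HTTPS: the signature travels in clear text';
    }
    if ($window === null || $window > $maxSeconds) {
        $warnings[] = 'validity window is unbounded, unparsable or too long';
    }
    if ($q['sr'] === 'c' && array_intersect($granted, array('write', 'delete'))) {
        $warnings[] = 'write or delete granted on a whole container';
    }

    return array(
        'account'     => strtok($parts['host'], '.'),
        'resource'    => ltrim($parts['path'], '/'),
        'scope'       => $q['sr'] === 'c' ? 'container' : 'blob',
        'permissions' => $granted,
        'seconds'     => $window,
        'warnings'    => $warnings,
    );
}

// The sample URL from this page.
print_r(auditSharedAccessUrl('http://phpstorage.blob.core.windows.net/phpazuretestshared1?st=2009-08-17T09%3A06%3A17Z&se=2009-08-17T09%3A56%3A17Z&sr=c&sp=w&sig=hscQ7Su1nqd91OfMTwTkxabhJSaspx%2BD%2Fz8UqZAgn9s%3D'));
```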
