(Objective-C) Create an Azure Service SAS

Shows how to generate an Azure Service SAS.

Chilkat Objective-C Library Downloads MAC OS X (Cocoa) Libs iOS Libs

#import <CkoAuthAzureSAS.h>
#import <CkoDateTime.h>
#import <NSString.h>
#import <CkoFileAccess.h>

// This requires the Chilkat API to have been previously unlocked.
// See Global Unlock Sample for sample code.

// ----------------------------------------------------------------------------------------------
// Create a Shared Access Signature (SAS) token for an Azure Service (Blob, Queue, Table, or File)
// -----------------------------------------------------------------------------------------------

// See https://docs.microsoft.com/en-us/rest/api/storageservices/create-service-sas
// for details.

CkoAuthAzureSAS *authSas = [[CkoAuthAzureSAS alloc] init];
authSas.AccessKey = @"AZURE_ACCESS_KEY";

// Specify the format of the string to sign.
// Each comma character in the following string represents a LF ("\n") character.
// The names specified in the StringToSign are replaced with the values specified
// in the subsequent calls to SetTokenParam and SetNonTokenParam,.

// Note: The trailing comma in the StringToSign is intentional and important. This indicates that the 
// string to sign will end with a "\n".

// Also note: The names in the StringToSign are case sensitive.  The names
// specified in the 1st argument in the calls to SetNonTokenParam and SetTokenParam should
// match a name listed in StringToSign. 

// Version 2018-11-09 and later
// 
// Version 2018-11-09 adds support for the signed resource and signed blob snapshot time fields. 
// These must be included in the string-to-sign. To construct the string-to-sign for Blob service resources, use the following format:
// 
// StringToSign = signedpermissions + "\n" +  
//                signedstart + "\n" +  
//                signedexpiry + "\n" +  
//                canonicalizedresource + "\n" +  
//                signedidentifier + "\n" +  
//                signedIP + "\n" +  
//                signedProtocol + "\n" +  
//                signedversion + "\n" +  
//                signedResource + "\n"
//                signedSnapshotTime + "\n" +
//                rscc + "\n" +  
//                rscd + "\n" +  
//                rsce + "\n" +  
//                rscl + "\n" +  
//                rsct  
// 

authSas.StringToSign = @"signedpermissions,signedstart,signedexpiry,canonicalizedresource,signedidentifier,signedIP,signedProtocol,signedversion,signedResource,signedSnapshotTime,rscc,rscd,rsce,rscl,rsct";

[authSas SetTokenParam: @"signedpermissions" authParamName: @"sp" value: @"rw"];

CkoDateTime *dt = [[CkoDateTime alloc] init];
[dt SetFromCurrentSystemTime];
[authSas SetTokenParam: @"signedstart" authParamName: @"st" value: [dt GetAsIso8601: @"YYYY-MM-DDThh:mmTZD" bLocal: NO]];

// This SAS token will be valid for 30 days.
[dt AddDays: [NSNumber numberWithInt: 30]];
[authSas SetTokenParam: @"signedexpiry" authParamName: @"se" value: [dt GetAsIso8601: @"YYYY-MM-DDThh:mmTZD" bLocal: NO]];

// The canonicalizedresouce portion of the string is a canonical path to the signed resource. It must include the service name (blob, table, queue or file) for version
// 2021-08-06 or later, the storage account name, and the resource name, and must be URL-decoded. Names of blobs must include the blobs container. Table names must be
// lower-case. The following examples show how to construct the canonicalizedresource portion of the string, depending on the type of resource.
// For example:
// URL = https://chilkat.blob.core.windows.net/mycontainer/starfish.jpg
// canonicalizedresource = "/blob/chilkat/mycontainer/starfish.jpg"  
// IMPORTANT: See https://docs.microsoft.com/en-us/rest/api/storageservices/create-service-sas for all details..
[authSas SetNonTokenParam: @"canonicalizedresource" value: @"/blob/chilkat/mycontainer/starfish.jpg"];

[authSas SetTokenParam: @"signedProtocol" authParamName: @"spr" value: @"https"];

//  Specifiy values and query param names for each field.
//  If a field is not specified, then an empty string will be used for its value.
[authSas SetTokenParam: @"signedversion" authParamName: @"sv" value: @"2018-11-09"];

// Indicate that we are creating a service SAS that is limited to the blob resource.
// (Specify b if the shared resource is a blob. This grants access to the content and metadata of the blob.
//  Specify c if the shared resource is a container. This grants access to the content and metadata of any blob in the container, and to the list of blobs in the container. )
[authSas SetTokenParam: @"signedResource" authParamName: @"sr" value: @"b"];

// Note that we did not call SetTokenParam for "signedIP", "signedSnapshotTime", "rscc", and others.  For any omitted fields
// the value will default to the empty string.

// Generate the SAS token.
NSString *sasToken = [authSas GenerateToken];
if (authSas.LastMethodSuccess != YES) {
    NSLog(@"%@",authSas.LastErrorText);
    return;
}

NSLog(@"%@%@",@"SAS token: ",sasToken);

// Save the SAS Service token to a file.
// We can then use this pre-generated token for future Azure Storage Account operations.
CkoFileAccess *fac = [[CkoFileAccess alloc] init];
[fac WriteEntireTextFile: @"qa_data/tokens/azureStorageServiceSas.txt" fileData: sasToken charset: @"utf-8" includePreamble: NO];