Sample code for 30+ languages & platforms
Tcl

Create an Azure Service SAS

See more Azure Cloud Storage Examples

Shows how to generate an Azure Service SAS.

Chilkat Tcl Downloads

Tcl

load ./chilkat.dll

# This requires the Chilkat API to have been previously unlocked.
# See Global Unlock Sample for sample code.

# ----------------------------------------------------------------------------------------------
# Create a Shared Access Signature (SAS) token for an Azure Service (Blob, Queue, Table, or File)
# -----------------------------------------------------------------------------------------------

# See https://docs.microsoft.com/en-us/rest/api/storageservices/create-service-sas
# for details.

set authSas [new_CkAuthAzureSAS]

CkAuthAzureSAS_put_AccessKey $authSas "AZURE_ACCESS_KEY"

# Specify the format of the string to sign.
# Each comma character in the following string represents a LF ("\n") character.
# The names specified in the StringToSign are replaced with the values specified
# in the subsequent calls to SetTokenParam and SetNonTokenParam,.

# Note: The trailing comma in the StringToSign is intentional and important. This indicates that the 
# string to sign will end with a "\n".

# Also note: The names in the StringToSign are case sensitive.  The names
# specified in the 1st argument in the calls to SetNonTokenParam and SetTokenParam should
# match a name listed in StringToSign. 

# Version 2018-11-09 and later
# 
# Version 2018-11-09 adds support for the signed resource and signed blob snapshot time fields. 
# These must be included in the string-to-sign. To construct the string-to-sign for Blob service resources, use the following format:
# 
# StringToSign = signedpermissions + "\n" +  
#                signedstart + "\n" +  
#                signedexpiry + "\n" +  
#                canonicalizedresource + "\n" +  
#                signedidentifier + "\n" +  
#                signedIP + "\n" +  
#                signedProtocol + "\n" +  
#                signedversion + "\n" +  
#                signedResource + "\n"
#                signedSnapshotTime + "\n" +
#                rscc + "\n" +  
#                rscd + "\n" +  
#                rsce + "\n" +  
#                rscl + "\n" +  
#                rsct  
# 

CkAuthAzureSAS_put_StringToSign $authSas "signedpermissions,signedstart,signedexpiry,canonicalizedresource,signedidentifier,signedIP,signedProtocol,signedversion,signedResource,signedSnapshotTime,rscc,rscd,rsce,rscl,rsct"

CkAuthAzureSAS_SetTokenParam $authSas "signedpermissions" "sp" "rw"

set dt [new_CkDateTime]

CkDateTime_SetFromCurrentSystemTime $dt
CkAuthAzureSAS_SetTokenParam $authSas "signedstart" "st" [CkDateTime_getAsIso8601 $dt "YYYY-MM-DDThh:mmTZD" 0]

# This SAS token will be valid for 30 days.
CkDateTime_AddDays $dt 30
CkAuthAzureSAS_SetTokenParam $authSas "signedexpiry" "se" [CkDateTime_getAsIso8601 $dt "YYYY-MM-DDThh:mmTZD" 0]

# The canonicalizedresouce portion of the string is a canonical path to the signed resource. It must include the service name (blob, table, queue or file) for version
# 2021-08-06 or later, the storage account name, and the resource name, and must be URL-decoded. Names of blobs must include the blob�s container. Table names must be
# lower-case. The following examples show how to construct the canonicalizedresource portion of the string, depending on the type of resource.
# For example:
# URL = https://chilkat.blob.core.windows.net/mycontainer/starfish.jpg
# canonicalizedresource = "/blob/chilkat/mycontainer/starfish.jpg"  
# IMPORTANT: See https://docs.microsoft.com/en-us/rest/api/storageservices/create-service-sas for all details..
CkAuthAzureSAS_SetNonTokenParam $authSas "canonicalizedresource" "/blob/chilkat/mycontainer/starfish.jpg"

CkAuthAzureSAS_SetTokenParam $authSas "signedProtocol" "spr" "https"

#  Specifiy values and query param names for each field.
#  If a field is not specified, then an empty string will be used for its value.
CkAuthAzureSAS_SetTokenParam $authSas "signedversion" "sv" "2018-11-09"

# Indicate that we are creating a service SAS that is limited to the blob resource.
# (Specify b if the shared resource is a blob. This grants access to the content and metadata of the blob.
#  Specify c if the shared resource is a container. This grants access to the content and metadata of any blob in the container, and to the list of blobs in the container. )
CkAuthAzureSAS_SetTokenParam $authSas "signedResource" "sr" "b"

# Note that we did not call SetTokenParam for "signedIP", "signedSnapshotTime", "rscc", and others.  For any omitted fields
# the value will default to the empty string.

# Generate the SAS token.
set sasToken [CkAuthAzureSAS_generateToken $authSas]
if {[CkAuthAzureSAS_get_LastMethodSuccess $authSas] != 1} then {
    puts [CkAuthAzureSAS_lastErrorText $authSas]
    delete_CkAuthAzureSAS $authSas
    delete_CkDateTime $dt
    exit
}

puts "SAS token: $sasToken"

# Save the SAS Service token to a file.
# We can then use this pre-generated token for future Azure Storage Account operations.
set fac [new_CkFileAccess]

CkFileAccess_WriteEntireTextFile $fac "qa_data/tokens/azureStorageServiceSas.txt" $sasToken "utf-8" 0

delete_CkAuthAzureSAS $authSas
delete_CkDateTime $dt
delete_CkFileAccess $fac