Bdtjtk

I need to create a SAS so I can create an Azure SQL Extended Event session. The event session needs a file data storage target via SAS and I can't create one that works. Here's what I've tried:

• Identified a storage account that's not blob; just general. I'm pretty sure I need general so I can create files directly.


• Created a file share therein.


• Using azure storage explorer, right clicked on that file share and selected, "Get Shared Access Signature."


• Checked Read, Write, List and created.


• This gives me the URL https://mystorageacct.file.core.windows.net/xevents?st=2018-12-25T16%3A29%3A51Z&se=2018-12-29T16%3A29%3A00Z&sp=rwl&sv=2018-03-28&sr=s&sig=mysig
  


• If I just try to follow this URL or create a CloudFile object with it in code, I get the oft-seen error, Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. Signature did not match. String to sign used was rwl 2018-12-25T16:29:51Z 2018-12-29T16:29:00Z /file/cs7f0fbc5104d4ax435dx883/$root 2018-03-28
  


• Tried adding in comp=list&restype=container as suggested here. No joy.


• Ensured I have no access policy in use.


• Went to the azure portal and created a different SAS at the storage account level (couldn't see a way to create it on the file share). That gave me this "File service SAS URL": https://mystorageacct.file.core.windows.net/?sv=2018-03-28&ss=bfqt&srt=sco&sp=rwdlacup&se=2018-12-30T01:25:16Z&st=2018-12-26T17:25:16Z&spr=https&sig=mysig
  


• If I try that URL I get Value for one of the query parameters specified in the request URI is invalid. I don't know which parameter is in question, they look fine to me, but I don't know what the value srt=sco indicates. Based on this doc srt is resource type, but I don't know what the value sco indicates.

Very confused, looking for suggestions.

For any future readers, extended event sessions confusingly (because they write a file) require blob containers, not general/file/queue containers. At least I could only get them to work that way.

You are probably confused by how the SAS URLs are presented. In fact, the SAS URLs you got just provide examples of how to use the SAS token, they can't be used directly. Hence you saw those errors occur.

1. 
   

   Service-level SAS URL, i.e. the one you got from Storage Explorer.

   
   
   

   It's in the format of fileEndPoint/fileShareName?SASToken. The SASToken gives us permission to operate on all files inside the specified file share. To leverage the token, we need to add fileName in the URL, i.e. fileEndPoint/fileShareName/fileName?SASToken.

   
   
   

   comp=list&restype=container is to list blobs in Blob Container, not for File Share.

   
   


2. 
   

   Account-Level SAS URL, the one you got form Azure portal.

   
   
   

   It's in the format of fileEndPoint/?SASToken. Likewise, we need to complement the URL to make it valid, i.e. fileEndPoint/fileShareName/fileName?SASToken. Note that this SASToken has all permission on all Storage resources because all choices are checked.

   
   
   

   sco means we have permission to operate on service, container, and object, which indicates the scope of permission, check doc for details.

   
   

I am not familiar with Azure SQL Extended Event session, but if you only need to work with files inside one file share, 1st is enough.