verify_sas.py checks whether a SAS token has the right scope and permissions
to be used by Fabric / Synapse COPY INTO against an ADLS Gen2 / Blob path.
It performs three probes:
- SAS inspection — parses `sv`/`ss`/`srt`/`sp`/`st`/`se`/`spr` and flags missing flags.
- Service probe (`srt=s`) — calls Get Account Info.
- List probe (`srt=c`, `sp=l`) — lists blobs under the prefix.
- Read probe (`srt=o`, `sp=r`) — downloads the first few bytes of up to N matched files.

For `COPY INTO` with wildcards, the SAS must have `ss=b`, `srt=sco`, and
`sp` containing at least `rl`.
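
The requirement above as an offline check, as an added example that is not code from `verify_sas.py`. The function name `inspect_sas`, the message strings and the sample tokens are assumptions constructed for illustration.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Flags each parameter must contain for COPY INTO with wildcards (from the text above).
REQUIRED = {"ss": "b", "srt": "sco", "sp": "rl"}

# Constructed sample tokens; the sig values are placeholders, not real signatures.
GOOD = "?sv=2022-11-02&ss=b&srt=sco&sp=rl&se=2099-01-01T00%3A00%3A00Z&sig=PLACEHOLDER"
CONTAINER_ONLY = ("sv=2022-11-02&ss=b&srt=c&sp=l&st=2098-01-01T00%3A00%3A00Z"
                  "&se=2099-01-01T00%3A00%3A00Z&sig=PLACEHOLDER")


def _parse_time(value):
    """Parse a SAS UTC timestamp (date-only or date-time, optional trailing Z)."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def inspect_sas(token, now=None):
    """Return the problems that would break COPY INTO; an empty list means none."""
    now = now or datetime.now(timezone.utc)
    # parse_qs URL-decodes values, so st/se written with %3A are handled.
    params = {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}
    problems = []
    for key, needed in REQUIRED.items():
        missing = "".join(f for f in needed if f not in params.get(key, ""))
        if missing:
            problems.append(f"{key} is missing {missing}")
    if "sig" not in params:
        problems.append("sig is absent")
    if "se" not in params:
        problems.append("se is absent")
    elif _parse_time(params["se"]) <= now:
        problems.append("token is expired (se)")
    if "st" in params and _parse_time(params["st"]) > now:
        problems.append("token is not yet valid (st)")
    return problems


if __name__ == "__main__":
    for name, token in (("GOOD", GOOD), ("CONTAINER_ONLY", CONTAINER_ONLY)):
        print(name, inspect_sas(token) or "ok for COPY INTO")
```

This check only reads the token's parameters; a wrong `sig` or a storage firewall block still needs the live probes to detect.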

```powershell
# from the repo root
python -m venv .venv
.\.venv\Scripts\Activate.ps1
pip install -r requirements.txt

# create your local .env from the template
Copy-Item .env.example .env
```

Then edit `.env` and fill in the `SAS_*` values. `.env` is gitignored.

| Variable | Required | Default | Description |
|---|---|---|---|
| `SAS_ACCOUNT` | yes | — | Storage account name (no `.blob.core.windows.net`). |
| `SAS_CONTAINER` | yes | — | Container name. |
| `SAS_PREFIX` | no | `""` | Blob name prefix (folder path) to list under. |
| `SAS_TOKEN` | yes | — | Full SAS query string, with or without leading `?`. |
| `SAS_FILE_PATTERN` | no | `.csv` | Suffix used to filter listed blobs. |
| `SAS_MAX_FILES_TO_TEST` | no | `3` | How many matched files to download-probe. |
| `SAS_PROBE_BYTES` | no | `512` | Bytes to download per file as a read check. |

```powershell
python verify_sas.py
```

Exit codes:

- `0` — SAS can list and read; `COPY INTO` should succeed.
- `1` — list or read failed (output shows status code and likely cause).
- `2` — required env var missing, or `SAS_TOKEN` still contains the `REPLACE_ME` placeholder.

Common failures and their likely causes:

- `AuthorizationResourceTypeMismatch` on read → `srt` is missing `o`.
- `403` on list → `srt` is missing `c`, or `sp` is missing `l`, or the storage account firewall blocks your IP.
- `AuthenticationFailed` → `sig` is wrong (often re-encoded by copy/paste), the token is expired (`se`), or not yet valid (`st`).