storage-blob-user-delegation-sas-create-java.md

title: Create a user delegation SAS for a blob with Java
titleSuffix: Azure Storage
description: Learn how to create a user delegation SAS for a blob with Microsoft Entra credentials by using the Azure Storage client library for Java.
services: storage
author: pauljewellmsft
ms.author: pauljewell
ms.service: azure-blob-storage
ms.topic: how-to
ms.date: 06/12/2023
ms.reviewer: dineshm
ms.devlang: java
ms.custom: devx-track-java, devguide-java, devx-track-extended-java

Create a user delegation SAS for a blob with Java

[!INCLUDE storage-dev-guide-selector-user-delegation-sas]

[!INCLUDE storage-auth-sas-intro-include]

This article shows how to use Microsoft Entra credentials to create a user delegation SAS for a blob using the Azure Storage client library for Java.

[!INCLUDE storage-auth-user-delegation-include]

Assign Azure roles for access to data

When a Microsoft Entra security principal attempts to access blob data, that security principal must have permissions to the resource. Whether the security principal is a managed identity in Azure or a Microsoft Entra user account running code in the development environment, the security principal must be assigned an Azure role that grants access to blob data. For information about assigning permissions via Azure RBAC, see Assign an Azure role for access to blob data.

[!INCLUDE storage-dev-guide-user-delegation-sas-java]

Create a user delegation SAS for a blob

Once you've obtained the user delegation key, you can create a user delegation SAS. You can create a user delegation SAS to delegate limited access to a blob resource using the following method from a BlobClient instance:

The user delegation key to sign the SAS is passed to this method along with specified values for BlobServiceSasSignatureValues. Permissions are specified as a BlobSasPermission instance.

The following code example shows how to create a user delegation SAS for a blob:

:::code language="java" source="~/azure-storage-snippets/blobs/howto/Java/blob-devguide/blob-devguide-blobs/src/main/java/com/blobs/devguide/blobs/BlobSAS.java" id="Snippet_CreateUserDelegationSASBlob":::

Use a user delegation SAS to authorize a client object

The following code example shows how to use the user delegation SAS created in the earlier example to authorize a BlobClient object. This client object can be used to perform operations on the blob resource based on the permissions granted by the SAS.

:::code language="java" source="~/azure-storage-snippets/blobs/howto/Java/blob-devguide/blob-devguide-blobs/src/main/java/com/blobs/devguide/blobs/BlobSAS.java" id="Snippet_UseUserDelegationSASBlob":::

Resources

To learn more about creating a user delegation SAS using the Azure Blob Storage client library for Java, see the following resources.

REST API operations

The Azure SDK for Java contains libraries that build on top of the Azure REST API, allowing you to interact with REST API operations through familiar Java paradigms. The client library method for getting a user delegation key uses the following REST API operation:

Code samples

[!INCLUDE storage-dev-guide-resources-java]

See also