[FEATURE REQ] Support Generation of SAS tokens using User Delegation Keys for Queues and Tables, not just Blob #45003

Closed
neilrees opened this issue Jul 15, 2024 · 2 comments
Labels
Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that Service Attention Workflow: This issue is responsible by Azure service team. Storage Storage Service (Queues, Blobs, Files)

neilrees commented Jul 15, 2024

Library name

Azure.Storage.Queues & Azure.Data.Tables

Please describe the feature.

It is possible to create a SAS token to a Blob or a Container using a UserDelegationKey and code similar to the following:

```csharp
var defaultAzureCredential = new DefaultAzureCredential();
var blobServiceClient = new BlobServiceClient(new Uri($"https://{storageAccountName}.blob.core.windows.net"), defaultAzureCredential);
var containerClient = blobServiceClient.GetBlobContainerClient(containerName);

var sasBuilder = new BlobSasBuilder(BlobContainerSasPermissions.All, expiry)
{
    BlobContainerName = containerClient.Name,
    Protocol = SasProtocol.Https
};

var userDelegationKey = await blobServiceClient.GetUserDelegationKeyAsync(DateTimeOffset.UtcNow, expiry);
var sasQueryParameters = sasBuilder.ToSasQueryParameters(userDelegationKey, storageAccountName);
var blobUriBuilder = new BlobUriBuilder(containerClient.Uri)
{
    Sas = sasQueryParameters
};

var uri = blobUriBuilder.ToUri();
```

However, whilst SAS tokens are supported for Queues and Tables, they require use of a StorageSharedKeyCredential:

```csharp
// The SAS is signed with the storage account key held by this credential.
var queueServiceClient = new QueueServiceClient(
   new Uri($"https://{storageAccountName}.queue.core.windows.net"),
   new StorageSharedKeyCredential(storageAccountName, storageAccountKey));

var queueClient = queueServiceClient.GetQueueClient(queueName);

var sasBuilder = new QueueSasBuilder(QueueSasPermissions.All, expiry)
{
    QueueName = queueClient.Name,
    Protocol = SasProtocol.Https,
};

var uri = queueClient.GenerateSasUri(sasBuilder);
```

and for Tables a TableSharedKeyCredential:

```csharp
// The SAS is signed with the storage account key held by this credential.
var tableServiceClient = new TableServiceClient(
   new Uri($"https://{storageAccountName}.table.core.windows.net"),
   new TableSharedKeyCredential(storageAccountName, storageAccountKey));

var tableClient = tableServiceClient.GetTableClient(tableName);

var sasBuilder = new TableSasBuilder(tableClient.Name, TableSasPermissions.All, expiry)
{
    Protocol = TableSasProtocol.Https
};

var uri = tableClient.GenerateSasUri(sasBuilder);
```

To create SAS tokens for Queue and Table, use of a StorageSharedKeyCredential or a TableSharedKeyCredential and access to the Storage Account Key is required; there is no support for UserDelegationKey.

The same seems to be true in az cli, as az storage container generate-sas has an --as-user argument, which is missing from az storage queue generate-sas and az storage table generate-sas.


Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @xgithubtriage.

Member

amnguye commented Jul 30, 2024

The SDK currently supports what is supported in the REST API. The Queue and Tables REST API currently does not support retrieving the User Delegation Key.

If you would like to submit a general Azure Storage Feature Request we recommend using
https://learn.microsoft.com/en-us/azure/azure-portal/supportability/how-to-create-azure-support-request

@amnguye amnguye closed this as completed Jul 30, 2024
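
For auditing SAS URLs that are already in circulation, the following added example (not code from this issue thread or from the Azure SDK) classifies a SAS URL as user-delegation-signed or account-key-signed from its query parameters, and flags a missing HTTPS restriction and a long lifetime. The `SasAudit` class, the sample URLs and the 7-day review threshold are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Constructed sample URLs; account name, object IDs and signatures are placeholders.
var now = DateTimeOffset.Parse("2024-07-15T00:00:00Z");
var samples = new[]
{
    "https://example.blob.core.windows.net/c1?sv=2022-11-02&sr=c&sp=rl&spr=https"
        + "&se=2024-07-16T00:00:00Z&skoid=00000000-0000-0000-0000-000000000001"
        + "&sktid=00000000-0000-0000-0000-000000000002&skt=2024-07-15T00:00:00Z"
        + "&ske=2024-07-16T00:00:00Z&sks=b&skv=2022-11-02&sig=PLACEHOLDER",
    "https://example.queue.core.windows.net/q1?sv=2022-11-02&sp=raup"
        + "&se=2025-07-15T00:00:00Z&sig=PLACEHOLDER",
};
foreach (var url in samples)
{
    var findings = SasAudit.Review(new Uri(url), now);
    Console.WriteLine(new Uri(url).Host + ": " + string.Join("; ", findings));
}

static class SasAudit
{
    // Query parameters carried only by a user delegation SAS.
    static readonly string[] DelegationParams = { "skoid", "sktid", "skt", "ske", "sks", "skv" };
    // Review threshold chosen for this example (assumption).
    static readonly TimeSpan MaxLifetime = TimeSpan.FromDays(7);

    public static List<string> Review(Uri sasUri, DateTimeOffset now)
    {
        var q = HttpUtility.ParseQueryString(sasUri.Query);
        var findings = new List<string>();
        if (q["sig"] is null) { findings.Add("no sig parameter, not a SAS URL"); return findings; }

        bool delegated = Array.TrueForAll(DelegationParams, p => q[p] is not null);
        findings.Add(delegated
            ? "user delegation SAS, key requested by object " + q["skoid"]
            : "no user delegation fields, signed with an account key");

        if (q["spr"] != "https") findings.Add("not restricted to HTTPS (spr)");

        // With a stored access policy (si), the expiry can live in the policy instead of se.
        if (q["si"] is not null) findings.Add("expiry may come from stored access policy " + q["si"]);
        else if (!DateTimeOffset.TryParse(q["se"], out var expiry)) findings.Add("no parsable expiry (se)");
        else if (expiry - now > MaxLifetime) findings.Add("expires in " + (expiry - now).Days + " days");
        return findings;
    }
}
```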