Azure / azure-sdk-for-js

This repository is for active development of the Azure SDK for JavaScript (NodeJS & Browser). For consumers of the SDK we recommend visiting our public developer docs at https://docs.microsoft.com/javascript/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-js.
MIT License

[Question] How to create SAS token for folders? #30646

Open stenneepro opened 1 month ago

stenneepro commented 1 month ago

I want to create a SAS token which restricts access to only a specific folder and its child files. I can see the above function in the Azure portal, but cannot find the same function in the SDK.

github-actions[bot] commented 1 month ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @xgithubtriage.

jeremymeng commented 1 month ago

@stenneepro do you mean Azure Storage Blob services or Azure Storage File Share? Our Azure SDK clients for both have functionality to generate a SAS URL for a specific resource, for example, https://learn.microsoft.com/en-us/javascript/api/@azure/storage-file-share/shareclient?view=azure-node-latest#@azure-storage-file-share-shareclient-generatesasurl

We also have helpers to generate the SAS token: https://github.com/Azure/azure-sdk-for-js/blob/a438b8ae966e7fcf70ba8bbd0fc9f68feb67b29d/sdk/storage/storage-file-share/test/node/fileclient.spec.ts#L289-L305

stenneepro commented 1 month ago

@jeremymeng

I mean an Azure Blob Storage account. And what I'm looking for is how to create a SAS token for a folder, not a file.

I couldn't find a way to create a SAS token for a folder, so I had to create a container SAS token. It means users who have the container SAS token can access any files in the container. I want to restrict access to specific folders based on end user roles.

jeremymeng commented 1 month ago

@stenneepro The "folder" in Blob is not a real folder. It is just a virtual hierarchy based on the separators in the blob names. So basically you can only have permissions on containers and blobs.

stenneepro commented 1 month ago

@jeremymeng Even for a Data Lake blob storage account? Hierarchical namespace is enabled for the storage account.

stenneepro commented 1 month ago

@jeremymeng I can see the same function in the Azure portal.


jeremymeng commented 1 month ago

For a hierarchical namespace enabled storage account, you can check out the @azure/storage-file-datalake package, for example https://learn.microsoft.com/en-us/javascript/api/@azure/storage-file-datalake/datalakedirectoryclient?view=azure-node-latest#@azure-storage-file-datalake-datalakedirectoryclient-generatesasurl

stenneepro commented 1 month ago

@jeremymeng The URL which you posted in the above comment is to create a service SAS.

We have to create a user delegation SAS.

jeremymeng commented 1 month ago

@stenneepro It should support user delegation credential as well. Maybe the doc is outdated. I found this example for generating the SAS token for a file system:

https://learn.microsoft.com/en-us/javascript/api/@azure/storage-file-datalake/?view=azure-node-latest#@azure-storage-file-datalake-generatedatalakesasqueryparameters-1
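An added example, not part of the thread or of the SDK: a check that a SAS URL about to be handed to an end user is the directory-scoped, user delegation kind discussed above rather than a container-wide or service SAS. The function name, account, paths and token values are constructed; `sr`, `sdd`, `skoid`, `sp` and `se` are the documented Azure Storage SAS query fields.

```javascript
// Constructed sample URLs; signatures and object ids are placeholders.
const DIR_SAS = "https://exampleacct.dfs.core.windows.net/reports/tenant-a/2024" +
  "?sv=2022-11-02&sr=d&sdd=2&sp=rl&se=2030-01-01T01:00:00Z" +
  "&skoid=00000000-0000-0000-0000-000000000000&sig=PLACEHOLDER";
const CONTAINER_SAS = "https://exampleacct.dfs.core.windows.net/reports" +
  "?sv=2022-11-02&sr=c&sp=rwdl&se=2031-01-01T00:00:00Z&sig=PLACEHOLDER";

// Hypothetical helper: returns what the token grants plus a list of policy problems.
function inspectSas(sasUrl, expectedDir, maxLifetimeMs, now = new Date()) {
  const url = new URL(sasUrl);
  const q = url.searchParams;
  const problems = [];

  // sr = signed resource: c = container/file system, b = blob/file, d = directory.
  const scope = { c: "container", b: "blob", d: "directory" }[q.get("sr")] || "unknown";
  if (scope !== "directory") problems.push(`scope is ${scope}, not directory`);

  // A user delegation SAS carries the signed key fields, e.g. skoid (key object id).
  const kind = q.has("skoid") ? "user-delegation" : "service";
  if (kind !== "user-delegation") problems.push("not a user delegation SAS");

  // Path is /<file system>/<dir...>; sdd must equal the number of directory segments.
  const segments = url.pathname.split("/").filter(Boolean).map(decodeURIComponent);
  const dirPath = segments.slice(1).join("/");
  if (scope === "directory") {
    if (Number(q.get("sdd")) !== segments.length - 1) problems.push("sdd does not match path depth");
    if (dirPath !== expectedDir) problems.push(`path ${dirPath} is not ${expectedDir}`);
  }

  // sp = permissions: anything beyond read/list is flagged for a read-only consumer.
  const perms = q.get("sp") || "";
  const extra = [...perms].filter((p) => !"rl".includes(p));
  if (extra.length) problems.push(`extra permissions: ${extra.join("")}`);

  // se = expiry: reject missing, past, or overly long lifetimes.
  const expires = new Date(q.get("se") || NaN);
  if (Number.isNaN(expires.getTime())) problems.push("missing or invalid expiry");
  else if (expires <= now) problems.push("already expired");
  else if (expires - now > maxLifetimeMs) problems.push("lifetime too long");

  return { scope, kind, dirPath, perms, problems };
}

const at = new Date("2030-01-01T00:00:00Z");
console.log(inspectSas(DIR_SAS, "tenant-a/2024", 2 * 3600 * 1000, at));
console.log(inspectSas(CONTAINER_SAS, "tenant-a/2024", 2 * 3600 * 1000, at));
```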