Now I have a parquet table stored in ADLS gen2: adlss://mycontainer@mystorage.dfs.core.windows.net/folder1/table1 . This is a read-only table and I want to restrict my service principal to only have read access to this table only. So I use ACL to grant access in mycontainer : --X for / and /folder1 R-X for /folder1/table1 and all the child items recursively. My service principal already have a storage data delegator role so it can generate the user delegation key. Then to generate SAS token, according to this , the object id of my service principal should be added to signedUnauthorizedObjectId in SAS token. Question: how to generate the SAS token with signedUnauthorizedObjectId , to let the ACL works in authorization process?

Hi Shunlei Tang - Thanks for reaching out. When specifying the parameters for generating a UserDelegationSAS, you need to specify the OID of the specified used in the signedUnauthorizedObjectId field. Thereafter, you can use this field while creating StringToSign further. Below is a sample code to generate a user delegation SAS and then perform a directory level operation further using Python code. https://github.com/Azure-Developer-Support/CodeRepository/blob/master/Storage/Python/CreateDirectoryUserDelegationSAS.py#L140

How to use a user-delegation SAS token to load parquet table from ADLS gen2?

Accepted answer

Amrinder Singh 5,155 Reputation points Microsoft Employee

2024-05-24T08:15:48.4+00:00

Hi Shunlei Tang - Thanks for reaching out.

When specifying the parameters for generating a UserDelegationSAS, you need to specify the OID of the specified used in the signedUnauthorizedObjectId field.

Thereafter, you can use this field while creating StringToSign further.

Below is a sample code to generate a user delegation SAS and then perform a directory level operation further using Python code.

https://github.com/Azure-Developer-Support/CodeRepository/blob/master/Storage/Python/CreateDirectoryUserDelegationSAS.py#L140
Please sign in to rate this answer.
Shunlei Tang 140 Reputation points Microsoft Employee

2024-05-24T09:53:31.66+00:00

Following the sample code, I modified these line:

signedAuthorizedUserObjectId = user_delegation_object.signed_oid signedUnauthorizedUserObjectId = user_delegation_object.signed_oid

But I got 403 with Signature did not match. String to sign used was XXXX.

Is it because of the stringToSign is different from the signature?

Shunlei Tang 140 Reputation points Microsoft Employee

2024-05-27T08:08:27.65+00:00

When it comes to container-level blob reader role, I can successfully download blob through SAS token from generate_blob_sas or generate_container_sas, but failed to generate&sign a SAS token manually (as what sample code does).

Update:

the sample code seems missing a property here when constructing stringToSign: self.get_value_to_append(QueryStringConstants.SIGNED_ENCRYPTION_SCOPE). After adding this line, I can generate&sign a SAS token manually, and download a blob with RBAC reader role.

So to enable SAS token with ACL, what else do I need to include in the SAS token?

Amrinder Singh 5,155 Reputation points Microsoft Employee

2024-05-28T12:55:46.9466667+00:00

Hi Shunlei Tang - For Additional ACL check, we need to provide signedUnauthorizedObjectId to the OID further.

There will some additional permissions required with SUOID permission. Below is the ref documentation for the same.

https://learn.microsoft.com/en-us/rest/api/storageservices/create-user-delegation-sas#specify-a-signed-object-id-for-a-security-principal
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

How to use a user-delegation SAS token to load parquet table from ADLS gen2?

0 additional answers

Your answer