Can I configure SAS tokens for multiple storage containers from the same account in the same Spark session

Bulukani Mlalazi 11 Reputation points
2022-11-09T11:35:50.753+00:00

The documentation here (https://learn.microsoft.com/en-us/azure/databricks/external-data/azure-storage#access-azure-data-lake-storage-gen2-or-blob-storage-using-a-sas-token) indicates that it is possible to configure multiple SAS tokens via the following statement:

"You can configure SAS tokens for multiple storage accounts in the same Spark session."

What I would like to know is whether it is possible to configure SAS tokens for multiple containers, since SAS tokens provide granular access on that level?

Azure Data Lake Storage
Azure Data Lake Storage
An Azure service that provides an enterprise-wide hyper-scale repository for big data analytic workloads and is integrated with Azure Blob Storage.
1,402 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. PRADEEPCHEEKATLA-MSFT 83,306 Reputation points Microsoft Employee
    2022-11-10T11:53:30.53+00:00

    Hello @Bulukani Mlalazi ,

    Thanks for the question and using MS Q&A platform.

    Yes, it is certainly possible to configure SAS tokens for mulitple containers. You can create as many SAS tokens as you would like by using different combinations of permissions, expiry time and source IP address.

    The SAS token is a string that you generate on the client side, for example by using one of the Azure Storage client libraries. The SAS token is not tracked by Azure Storage in any way. You can create an unlimited number of SAS tokens on the client side. After you create a SAS, you can distribute it to client applications that require access to resources in your storage account.

    Client applications provide the SAS URI to Azure Storage as part of a request. Then, the service checks the SAS parameters and the signature to verify that it is valid. If the service verifies that the signature is valid, then the request is authorized. Otherwise, the request is declined with error code 403 (Forbidden).

    Here's an example of a service SAS URI, showing the resource URI and the SAS token. Because the SAS token comprises the URI query string, the resource URI must be followed first by a question mark, and then by the SAS token:

    259114-image.png

    Fore more details, refer to Grant limited access to Azure Storage resources using shared access signatures (SAS).

    Hope this will help. Please let us know if any further queries.

    ------------------------------

    • Please don't forget to click on 130616-image.png or upvote 130671-image.png button whenever the information provided helps you. Original posters help the community find answers faster by identifying the correct answer. Here is how
    • Want a reminder to come back and check responses? Here is how to subscribe to a notification
    • If you are interested in joining the VM program and help shape the future of Q&A: Here is jhow you can be part of Q&A Volunteer Moderators