Establish connectivity between an Azure Synapse workspace and a Storage account using a private endpoint and a SAS token.

srigowri 26 Reputation points
2022-12-05T14:23:32.42+00:00

Hi Team,

We are trying to establish connectivity between an Azure Synapse workspace and a Storage account using a private endpoint.

We have the following steps in place:

  • An Azure Synapse workspace is created with a Managed Virtual Network.
  • The Azure Storage account's networking configuration allows traffic only from specified networks and resource instances.
  • A managed private endpoint for the Azure Synapse workspace is approved in the Azure Storage Account.

We are now trying to create a Synapse view using a SAS token, but are running into an issue which reads:

Content of directory on path '/folder/sub1=/sub2=/sub3=*/**' cannot be listed.

P.S.: If the Storage Blob Data Contributor role for the Synapse workspace is associated with the Storage Account and we use managed identity instead of SAS, then the query runs fine.

We would like to run Azure Synapse queries using a SAS token and no Contributor role assigned. Is it possible?
Is it possible to auto-approve the managed private endpoint?

References:
https://learn.microsoft.com/en-us/azure/synapse-analytics/sql/develop-storage-files-storage-access-control?tabs=shared-access-signature#tabpanel_1_shared-access-signature
https://learn.microsoft.com/en-us/azure/synapse-analytics/security/connect-to-a-secure-storage-account


Accepted answer
PRADEEPCHEEKATLA-MSFT 77,676 Reputation points Microsoft Employee
2022-12-06T10:43:13.97+00:00

    Hello @srigowri

    Thanks for the question and using MS Q&A platform.

    We would like to run Azure Synapse queries using a SAS token and no Contributor role assigned. Is it possible?

    The user would need to be assigned one of the RBAC roles: Storage Blob Data Owner, Contributor or Reader. However, there might be a scenario in which you would not or could not provide access to the whole ADLS account or container, and instead provide access at a granular level to specific directories and folders rather than the complete storage container or blob.

    Note: The Azure Synapse managed identity needs the Storage Blob Data Contributor role on this storage account.


    For more details, refer to Exploring data using Synapse Serverless secured by Azure Data Lake directory based SAS Token

    Hope this will help. Please let us know if any further queries.

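For readers who want to see what the SAS-based setup from the question looks like in serverless SQL, the following T-SQL is an added example (not code from either poster and not Microsoft's own sample). It assumes a user database in the serverless pool, an ADLS Gen2 account reachable through the approved managed private endpoint, and placeholder values for the storage account, container, SAS secret and folder layout; the partition folder names are constructed for illustration. The point worth noting: a wildcard such as `sub3=*` forces the pool to enumerate the directory, so a SAS scoped only to read objects (no List permission, `sp=r`) produces exactly the "Content of directory on path ... cannot be listed" error, whereas a read-plus-list SAS (`sp=rl`) on the container or directory lets the listing succeed without granting any RBAC role on the account.

```sql
-- Added example, not part of the original Q&A. All <...> values are placeholders.

-- Database scoped credentials require a master key in the user database.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-password-placeholder>';
GO

-- SAS-backed credential. The secret is the SAS query string WITHOUT the leading '?'.
-- Least privilege: sp=rl (Read + List) is the minimum for wildcard folder reads;
-- sp=r alone reads named files but cannot list a directory. Keep 'se' (expiry) short.
CREATE DATABASE SCOPED CREDENTIAL sas_lake_cred
WITH IDENTITY = 'SHARED ACCESS SIGNATURE',
     SECRET = 'sv=2021-08-06&sr=c&sp=rl&se=<expiry-placeholder>&sig=<signature-placeholder>';
GO

-- Data source rooted at the container; the dfs endpoint is the one the
-- managed private endpoint for Synapse is usually approved against.
CREATE EXTERNAL DATA SOURCE lake_ds
WITH (
    LOCATION   = 'https://<storageaccount>.dfs.core.windows.net/<container>',
    CREDENTIAL = sas_lake_cred
);
GO

-- View over a partitioned layout (constructed folder names). The wildcards
-- trigger a directory listing, which is why the SAS must carry List.
CREATE VIEW dbo.v_partitioned_events AS
SELECT r.*, r.filepath(1) AS sub1, r.filepath(2) AS sub2, r.filepath(3) AS sub3
FROM OPENROWSET(
    BULK 'folder/sub1=*/sub2=*/sub3=*/*.parquet',
    DATA_SOURCE = 'lake_ds',
    FORMAT = 'PARQUET'
) AS r;
GO

-- Check which files the SAS actually lets the pool see. If this returns the
-- "cannot be listed" error, inspect the SAS 'sp' permissions and its scope first.
SELECT TOP 10 r.filepath() AS file_path
FROM OPENROWSET(
    BULK 'folder/sub1=*/sub2=*/sub3=*/*.parquet',
    DATA_SOURCE = 'lake_ds',
    FORMAT = 'PARQUET'
) AS r;
GO
```

Because the credential is database scoped, grant `REFERENCES` on it only to the principals that need the view, and rotate the SAS before its expiry rather than minting long-lived tokens; the credential can be recreated with `ALTER DATABASE SCOPED CREDENTIAL` without touching the data source or the view.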
