Share via

Azure Java SDK: how to create a SAS token for a blob storage directory?

Piotr Kwiatkowski 25 Reputation points
2023-09-28T09:53:22.13+00:00

Hi,

I would like to create a SAS token for a blob directory, using Java SDK. I can only do that either for a particular blob or entire container, but not for a particular path.

As I found out here https://learn.microsoft.com/en-us/rest/api/storageservices/create-service-sas, it has something to do with signedResource. It is represented in the token value with a key=value pair, e.g. sr=b ("b" stands for "blob"), sr=c ("c" for "container"), etc. When I create a token in Java app, I can only get "sr=b" (when I create for a blob) or "sr=c" (when I create for the container). When I do that using Azure Storage Explorer, I can create a token with "sr=d" (where "d" probably stands for "directory") and in this case such token works for all files stored in this particular directory.

This is the code I use to generate token:

public String generateUrlForDownload(String containerName, String blobName, boolean allowHttp) {
        BlobClient blobClient = blobServiceClient.getBlobContainerClient(containerName).getBlobClient(blobName);
        BlobSasPermission blobSasPermission = new BlobSasPermission().setReadPermission(true);
        OffsetDateTime expiryTime = OffsetDateTime.now().plusMinutes(allowHttp ? HTTP_SAS_EXPIRY_TIME_IN_MINUTES : HTTPS_SAS_EXPIRY_TIME_IN_MINUTES);
        BlobServiceSasSignatureValues values = new BlobServiceSasSignatureValues(expiryTime, blobSasPermission)
                .setStartTime(OffsetDateTime.now())
                .setProtocol(allowHttp
                        ? SasProtocol.HTTPS_HTTP
                        : SasProtocol.HTTPS_ONLY
                );
        String endpointPrefix = allowHttp ? HTTP : HTTPS;
        String accountName = connectionStringParams.get("AccountName");
        String endpointSuffix = connectionStringParams.get("EndpointSuffix");
        String sas = blobClient.generateSas(values);
        return endpointPrefix + accountName + "." + BLOB + "." + endpointSuffix + "/" + containerName + "/" + blobName + "?" + sas;
    }

I use fairly new Azure libraries:

azure-core:1.41.0 azure-storage-blob:12.22.3

Is it possible to programatically create a token for a directory, using Azure Java SDK?

Azure Blob Storage
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
3,192 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Siva Villa 285 Reputation points Microsoft Employee Moderator
    2023-10-05T03:39:34.9166667+00:00

    You can utilize the PathSasPermission Class for generating a ServiceSAS token for a specific path.

    The purpose of PathSasPermission Classs construct a string representing the permissions granted by a ServiceSAS to a path. Setting a value to true means that any SAS which uses these permissions will grant permissions for that operation.

    Please refer below article for more information about PathSasPermission.
    https://learn.microsoft.com/en-us/java/api/com.azure.storage.file.datalake.sas.pathsaspermission?view=azure-java-stable

    Please do let me know if you have any additional questions with regards to this question and I would be happy to assist you.

    Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.