How to use a user-delegation SAS token to load parquet table from ADLS gen2?

Shunlei Tang 40 Reputation points Microsoft Employee
2024-05-24T07:28:30.62+00:00

Now I have a parquet table stored in ADLS gen2: adlss://mycontainer@mystorage.dfs.core.windows.net/folder1/table1.

This is a read-only table and I want to restrict my service principal to only have read access to this table only. So I use ACL to grant access in mycontainer:

  • --X for / and /folder1
  • R-X for /folder1/table1 and all the child items recursively.

My service principal already have a storage data delegator role so it can generate the user delegation key. Then to generate SAS token, according to this, the object id of my service principal should be added to signedUnauthorizedObjectId in SAS token.

Question: how to generate the SAS token with signedUnauthorizedObjectId, to let the ACL works in authorization process?

Azure Data Lake Storage
Azure Data Lake Storage
An Azure service that provides an enterprise-wide hyper-scale repository for big data analytic workloads and is integrated with Azure Blob Storage.
1,402 questions
Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
2,845 questions
{count} votes

Accepted answer
  1. Amrinder Singh 3,795 Reputation points Microsoft Employee
    2024-05-24T08:15:48.4+00:00

    Hi Shunlei Tang - Thanks for reaching out.

    When specifying the parameters for generating a UserDelegationSAS, you need to specify the OID of the specified used in the signedUnauthorizedObjectId field.

    Thereafter, you can use this field while creating StringToSign further.

    Below is a sample code to generate a user delegation SAS and then perform a directory level operation further using Python code.

    https://github.com/Azure-Developer-Support/CodeRepository/blob/master/Storage/Python/CreateDirectoryUserDelegationSAS.py#L140


0 additional answers

Sort by: Most helpful