Cosmos Table API SAS for PartitionKey

Vinod Shinde 1 Reputation point
2022-02-04T00:30:42.57+00:00

Hello,
I am generating a SAS URI for Cosmos Table API but get the following error when trying to query the table.

"Shared access signature with PartitionKey or RowKey are not supported"

I want to restrict the access to a certain PartitionKey only using SAS. If it's not possible, is there any other way access can be restricted to only a PartitionKey? This was possible in legacy Azure Table Storage.

Here is the code sample.

// See https://aka.ms/new-console-template for more information
using Azure.Data.Tables;
using Azure.Data.Tables.Sas;

Console.WriteLine("Hello, World!");

var tablePermissions = TableSasPermissions.Read
                        | TableSasPermissions.Update
                        | TableSasPermissions.Add
                        | TableSasPermissions.Delete;
var expiresOn = DateTime.UtcNow.AddMinutes(30);

string accountName = "my-cosmos-table-account";
Uri endPointUri = new Uri("https://my-cosmos-table-account.table.cosmos.azure.com:443/");
string accountKey = "MY ACCOUNT KEY";
string tableName = "MyTableName";

var tableClient = new TableClient(endPointUri, tableName, new TableSharedKeyCredential(accountName, accountKey));

var tableSasBuilder = tableClient.GetSasBuilder(tablePermissions, expiresOn);
var partitionKey = "MyPartitionKey";
tableSasBuilder.PartitionKeyStart = partitionKey;
tableSasBuilder.PartitionKeyEnd = partitionKey;

var sasUri = tableClient.GenerateSasUri(tableSasBuilder);

var tableClientWithSas = new TableClient(sasUri);

var items = tableClientWithSas.Query<TableEntity>();

foreach (var item in items)
{
    System.Diagnostics.Debug.WriteLine(item.PartitionKey);
}

1 answer

  1. Oury Ba-MSFT 16,081 Reputation points Microsoft Employee
    2022-02-04T19:46:01.21+00:00

    Hi @Vinod Shinde
    Thank you for posting your question on Microsoft Q&A and for using Azure services.
    From what I understand, you are trying to restrict the access to a certain Partition Key only using SAS. In Azure Cosmos DB Table API, shared access signature, as you mentioned above, is not supported. It is only supported with table storage.
    You cannot restrict access to a certain partition in Cosmos DB Table API using SAS, but you can restrict the access to users by applying the following steps:

    Creating a custom Azure Active Directory role for the users whom you want to restrict access. The custom Active Directory role should have fine-grained access level to operations using Azure Cosmos DB's granular actions.
    Disallowing the execution of non-data operations with keys. You can achieve this by restricting these operations to Azure Resource Manager calls only.

    Hope that helps.

    Regards,
    Oury
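
Since the Cosmos DB Table endpoint rejects a partition-scoped SAS, one way to keep a caller confined to a single PartitionKey is to enforce the scope in a trusted service that holds the credential. The class below is an added example, not code from the question, the answer, or Microsoft; the name `PartitionScopedTable` and its methods are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using Azure.Data.Tables;

// Hypothetical wrapper (name and shape are assumptions). It runs in a trusted
// service that holds the account credential; callers never receive a key or SAS.
public sealed class PartitionScopedTable
{
    private readonly TableClient _table;
    private readonly string _partitionKey;

    public PartitionScopedTable(TableClient table, string partitionKey)
    {
        _table = table ?? throw new ArgumentNullException(nameof(table));
        if (string.IsNullOrEmpty(partitionKey))
            throw new ArgumentException("A partition key is required.", nameof(partitionKey));
        _partitionKey = partitionKey;
    }

    // Callers supply values only, never a raw OData filter string: a raw string
    // could close a parenthesis and append "or ..." to escape the partition scope.
    public string BuildFilter(string? rowKeyFrom = null, string? rowKeyTo = null)
    {
        // CreateQueryFilter quotes and escapes each interpolated value.
        string filter = TableClient.CreateQueryFilter($"PartitionKey eq {_partitionKey}");
        if (rowKeyFrom != null)
            filter += " and " + TableClient.CreateQueryFilter($"RowKey ge {rowKeyFrom}");
        if (rowKeyTo != null)
            filter += " and " + TableClient.CreateQueryFilter($"RowKey le {rowKeyTo}");
        return filter;
    }

    public IEnumerable<TableEntity> Query(string? rowKeyFrom = null, string? rowKeyTo = null)
        => _table.Query<TableEntity>(filter: BuildFilter(rowKeyFrom, rowKeyTo));

    public TableEntity Get(string rowKey)
        => _table.GetEntity<TableEntity>(_partitionKey, rowKey).Value;

    public void Upsert(TableEntity entity)
    {
        ArgumentNullException.ThrowIfNull(entity);
        // Reject writes aimed at another partition instead of silently rewriting them.
        if (!string.Equals(entity.PartitionKey, _partitionKey, StringComparison.Ordinal))
            throw new UnauthorizedAccessException("Entity is outside the permitted partition.");
        _table.UpsertEntity(entity, TableUpdateMode.Replace);
    }

    public void Delete(string rowKey) => _table.DeleteEntity(_partitionKey, rowKey);
}
```

The service should derive the partition key from the authenticated caller's identity, not from a value in the request.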