User Delegation SAS
A SAS token grants access to a container, directory, or blob and is used to give a client limited access for a limited time. But what if the SAS token gets compromised? Anyone who holds the SAS token can access the resources. To provide more security than an account SAS, the user delegation SAS was introduced: a user delegation SAS is secured with Azure AD credentials.
Now the question is how to create a user delegation SAS. In this article, we will go step by step and look at each step in detail.
Step 1 – Create an Azure AD service principal
Log in to the Azure portal using your credentials and go to
Azure Active Directory -> App registrations -> New registration
- Register an application in Azure Active Directory
- Create client ID and secret
Azure Active Directory -> App registrations -> select your application -> Certificates & secrets -> Client secrets -> New client secret.
Provide a description of the secret, and a duration. When done, select Add.
Note down the tenant ID, the client ID (from the registered application's overview section) and the secret from here; we will use them later.
Step 2 – Create an Azure Data Lake Storage Gen2 storage account with hierarchical namespace enabled
In this article, we will use a user delegation SAS for an Azure Data Lake Storage Gen2 storage account. While creating the storage account, make sure you have selected Enable hierarchical namespace.
Once the storage account is created, note down the Data Lake storage endpoint.
Now that we have the storage account ready, we will give the service principal created in step 1 permission to read files in the storage account. Please read the article below to assign permission to the storage account.
To access blob data in the Azure portal with Azure AD credentials, a user must have the following role assignments:
- A data access role, such as Storage Blob Data Reader or Storage Blob Data Contributor
- The Azure Resource Manager Reader role, at a minimum
Step 4 – Create a user delegation SAS using the Azure AD service principal in a .NET application
The user delegation SAS should be created using the same service principal (i.e. the service principal created in step 1), as that service principal has access to the files and directories of the storage account.
Create the Data Lake service client using the tenant ID, client ID and secret created in step 1.
For the endpoint, pass the Data Lake endpoint created in step 2.
Now we have the user delegation SAS URL ready to be shared.
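A sketch of step 4 in C# with the Azure.Identity and Azure.Storage.Files.DataLake packages, added here as an example and not code from the original article. The environment variable name DATALAKE_ENDPOINT, the file system name and the file path are assumptions; the SAS is limited to read access, HTTPS only and a 30-minute lifetime.

```csharp
using System;
using Azure.Identity;
using Azure.Storage.Files.DataLake;
using Azure.Storage.Files.DataLake.Models;
using Azure.Storage.Sas;

// Values noted in steps 1 and 2, read from the environment rather than hard-coded.
string tenantId     = Environment.GetEnvironmentVariable("AZURE_TENANT_ID")!;
string clientId     = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID")!;
string clientSecret = Environment.GetEnvironmentVariable("AZURE_CLIENT_SECRET")!;
string endpoint     = Environment.GetEnvironmentVariable("DATALAKE_ENDPOINT")!; // assumed variable name

// Placeholder file system and path, constructed for this example.
const string fileSystemName = "sample-filesystem";
const string filePath = "reports/sample.csv";

// Data Lake service client authenticated as the service principal from step 1.
var credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
var serviceClient = new DataLakeServiceClient(new Uri(endpoint), credential);

// Anyone holding the URL can use it until expiry, so keep the window short.
DateTimeOffset startsOn = DateTimeOffset.UtcNow.AddMinutes(-5); // tolerate clock skew
DateTimeOffset expiresOn = DateTimeOffset.UtcNow.AddMinutes(30);

// The user delegation key is issued to the Azure AD identity and signs the SAS
// in place of the storage account key.
UserDelegationKey key = await serviceClient.GetUserDelegationKeyAsync(startsOn, expiresOn);

DataLakeFileClient fileClient = serviceClient
    .GetFileSystemClient(fileSystemName)
    .GetFileClient(filePath);

var sasBuilder = new DataLakeSasBuilder
{
    FileSystemName = fileSystemName,
    Path = filePath,
    Resource = "b",               // "b" = a single file
    Protocol = SasProtocol.Https, // refuse plain HTTP
    StartsOn = startsOn,
    ExpiresOn = expiresOn
};
sasBuilder.SetPermissions(DataLakeSasPermissions.Read); // read-only

var uriBuilder = new DataLakeUriBuilder(fileClient.Uri)
{
    Sas = sasBuilder.ToSasQueryParameters(key, serviceClient.AccountName)
};
Console.WriteLine(uriBuilder.ToUri()); // user delegation SAS URL
```

The SAS stops working when its expiry passes, when the user delegation key expires or is revoked, or when the service principal loses its role assignment on the storage account.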
Step 5 – Use of user delegation SAS for reading files