User Delegation SAS

User Delegation SAS

A SAS token allows us to access a container, directory, or blob. It is used to provide limited access to a client for a limited period. But what if SAS token gets compromised, as anyone who has an SAS token can access resources? To provide more security to an account, user delegation SAS is introduced as User delegation SAS is protected with Azure AD credentials along with exsiting security features.

Now we'll learn how to create a User Delegation SAS. In this article, we will move step by step and will see every step in detail.

Step 1 -Create an Azure AD service principal

Login to azure portal using your credentials and go to:

Azure Active Directory->App registrations->New registration

• Register an application in azure active directory:
  
  
• Now create a  secret
  
  Azure Active Directory-> App registrations-> Select your application-> Go to Certificates & secrets-> New client secret.
  
  Provide a description of the secret, and a duration. When done, select Add.
  
  

Note down the tenant ID, client Id (from registered application overview section) and secret value (once created notedown the secret value as value will not display once you move away from this page) from here. We will use it later.

Step 2- Create an Azure Data Lake Storage Gen2 storage account with hierarchical namespace enabled

In this article, we will create user delegation SAS for an Azure Data Lake Storage Gen2 storage account. While creating a storage account, make sure you have selected enable hierarchical namespace, as below:

Once the storage account is created, note down the Data Lake storage endpoint.

Step 3

Now we have storage account ready, we will now give permission to the Azure AD service principal created in step 1 to read files of the storage account ( Please refer the articles mentioned at the end of this page to read on how to add permission to a storage account).

To access storage account data using Azure AD credentials, it must have the following role assignments:

• A data access role, such as Storage Blob Data Reader or Storage Blob Data Contributor
• The Azure Resource Manager Reader role, at a minimum

Step 4 - Create a User delegation SAS using azure AD service principal in .net application.

User delegation SAS should be created using same service principal ( i.e., the service principal created in step one), as that service principal has access for accessing files and the directory of the storage account.

Create a Data Lake Service client as below (using tenant ID, client ID and secret created in step 1) .In endpoint, pass data lake endpoint created in step 2.

Now we have the user delegation SAS Url ready to be share.

Step 5 - Use of User Delegation SAS for reading files

Here is the summary of what we have achieved using User delegation SAS

In SAS ,once we create a SAS URL and share that to our client then that SAS url is available to the client for that time period .

In User Delegation SAS ,we are adding additional layer of security to storage account .We are giving permission to a Azure AD service principle for the access of storage account and User Delegation SAS url is created using that AAD credentials .So if anytime we will remove that AD service principle access from storage account that SAS url will stop working.

Please refer below articles to have more understanding on the concepts of User Delegation SAS

Referenced Articles

• https://docs.microsoft.com/en-us/rest/api/storageservices/create-user-delegation-sas
• https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#register-an-application-with-azure-ad-and-create-a-service-principal
• https://docs.microsoft.com/en-us/azure/storage/blobs/create-data-lake-storage-account
• https://docs.microsoft.com/en-us/azure/storage/blobs/assign-azure-role-data-access?tabs=portal