User Delegation SAS Token for Blog Storage

 

Photo from Kaique Rocha on Pexels.com
Photo from  Kaique Rocha on Pexels.com

In my previous blog, Azure Blob Storage: SAS Token, we talked about using Azure Blob Storage Account key to generate Shared Access Signature (SAS) token. In this blog, we are going to show how to generate a User Delegation SAS token. 

I created a Service Principal (you can create an Application ID instead if you wish to) and assigned Storage Blob Data Contributor to it. This role assignment is required for this form of token to work.

1. Setup

1.1 Export Environment Parameters

STORAGE_ACCOUNT_URL=<storage account URL>
STORAGE_CONTAINER_NAME=<storage container name>
STORAGE_BLOB_NAME=<storage blob name>
AZURE_CLIENT_ID=<service principal or app id>
AZURE_CLIENT_SECRET=<service principal or app secret>
AZURE_TENANT_ID=<tenant id>

1.2 Install Python package

pip install azure-identity
pip install azure-storage-blob

2. Code

Copy the code below to a file named main.py and execute it accordingly. python main.py

import datetime
import os

from azure.identity import DefaultAzureCredential
import azure.storage.blob as azureblob
from azure.storage.blob import BlobServiceClient

config = {
    "STORAGE_ACCOUNT_URL": os.getenv("STORAGE_ACCOUNT_URL"),
    "STORAGE_CONTAINER_NAME": os.getenv("STORAGE_CONTAINER_NAME"),
    "STORAGE_BLOB_NAME": os.getenv("STORAGE_BLOB_NAME"),
}

if __name__ == "__main__":
    blob_client = azureblob.BlobServiceClient(
        config["STORAGE_ACCOUNT_URL"], credential=DefaultAzureCredential()
    )

    start = datetime.datetime.utcnow()
    end = start + datetime.timedelta(hours=1)

	# start and end time is the lifespan of the user token.
    # it cannot be long than 1 hour.
    user_token = blob_client.get_user_delegation_key(start, end)

    # generate container based token
    container_sas_token = azureblob.generate_container_sas(
        account_name=blob_client.account_name,
        container_name=config["STORAGE_CONTAINER_NAME"],
        user_delegation_key=user_token, # this is used in place of account account_key
        permission=azureblob.AccountSasPermissions(read=True, list=True),
        expiry=end,
    )
    print(container_sas_token)

    # generate blob based token
    blob_sas_token = azureblob.generate_blob_sas(
        account_name=blob_client.account_name,
        user_delegation_key=user_token, # this is used in place of account account_key
        container_name=config["STORAGE_CONTAINER_NAME"],
        blob_name=config["STORAGE_BLOB_NAME"],
        permission=azureblob.AccountSasPermissions(read=True),
        start=start,
        expiry=end,
    )
    print(blob_sas_token)

The code is self-explanatory as it is very identical to the one in Azure Blob Storage: SAS Token, Much of the information that we need to know about this form of token can be found here. This is a user delegated token hence it is not allowed to perform actions on the blob if the user does not have permissions to do the same. However, the SAS token that is generated with Blog Storage Account Key can perform all granted actions.

This User Delegation SAS Token is relatively new. Please read this announcement for more information.



Comments

Post a Comment

Popular posts from this blog

Happy New Year, 2024 from DALL-E

Image
generated by DALL-E Wishing everyone a happy new year. Year 2023 is great for me because I learned much about OpenAI. I am involved in a live deployment with it, and involved in a handful of interesting user scenarios around it. On top of this, a copilot hackathon. The image above is generated by DALL-E and following is the code. 1. Dependencies python = "^3.10" pydantic-settings = "^2.1.0" openai = "^1.3.8" 2. Environment Parameters OPENAI_AZURE_ENDPOINT="<your azure openai endpoint>" AZURE_OPENAI_API_KEY="<your azure openai secret>" OPENAI_API_VERSION="2023-12-01-preview" OPENAI_DALLE_MODEL="dalle" Note: OPENAI_API_VERSION has to be 2023-12-01-preview otherwise you will get an exception openai.NotFoundError: Error code: 404 - {'error': {'code': '404', 'message': 'Resource not found'}} dalle  is the name of my dall-e-3 deployment model. You need to change it to
Read more

Bing Search as tool for OpenAI

Image
  Image from https://www.pexels.com/@skitterphoto/ Many times, we need to search for information in the web when we are working with OpenAI. One of the reasons is that the dataset for training for OpenAI is never up to date. For instance, the OpenAI GPT-4 Turbo has knowledge of events up to April 2023. Here is the Python implementation with Pydantic model. Dependencies python = "^3.10" pydantic-settings = "^2.1.0" pydantic = "^2.5.2" azure-cognitiveservices-search-websearch = "^2.0.0" Environment These are the environment parameters needed. Have the following in a .env file. azure_bing_search_endpoint="https://api.bing.microsoft.com" azure_bing_search_key="<key>" We look under "Keys and Endpoint" for these values. Pydantic Setting Model from pydantic_settings import BaseSettings class BingSearchSettings(BaseSettings): azure_bing_search_endpoint: str azure_bing_search_key: str class Config:
Read more

OpenAI: Functions Feature in 2023-07-01-preview API version

Image
  Image from https://www.pexels.com/@pavel-danilyuk/ One of the cool features of OpenAI version 2023-07-01 is its custom Functions feature. This feature is close to me because I am working on a project where we require OpenAI to generate JSON responses. We always want the generated JSON to be consistent, otherwise, we need to do some post-processing tasks to get the JSON object in the correct schema. In the blog, we observe the completion with and without this new feature. Development Setup python -m venv .venv poetry init poetry shell poetry add openai poetry add python-dotenv poetry add pydantic I am using Python version 3.11 Create .env file OPENAI_API_TYPE="azure" OPENAI_API_BASE="<OpenAI endpoint>" OPENAI_API_KEY="<OpenAI secret>" OPENAI_API_VERSION="2023-07-01-preview" OPENAI_DEPLOYMENT_ID="<deployment identifier>" Without OpenAI functions feature We use two sample texts for experimentation. We want to get the na
Read more