User Delegation SAS Token for Blog Storage

 

Photo from Kaique Rocha on Pexels.com
Photo from  Kaique Rocha on Pexels.com

In my previous blog, Azure Blob Storage: SAS Token, we talked about using Azure Blob Storage Account key to generate Shared Access Signature (SAS) token. In this blog, we are going to show how to generate a User Delegation SAS token. 

I created a Service Principal (you can create an Application ID instead if you wish to) and assigned Storage Blob Data Contributor to it. This role assignment is required for this form of token to work.

1. Setup

1.1 Export Environment Parameters

STORAGE_ACCOUNT_URL=<storage account URL>
STORAGE_CONTAINER_NAME=<storage container name>
STORAGE_BLOB_NAME=<storage blob name>
AZURE_CLIENT_ID=<service principal or app id>
AZURE_CLIENT_SECRET=<service principal or app secret>
AZURE_TENANT_ID=<tenant id>

1.2 Install Python package

pip install azure-identity
pip install azure-storage-blob

2. Code

Copy the code below to a file named main.py and execute it accordingly. python main.py

import datetime
import os

from azure.identity import DefaultAzureCredential
import azure.storage.blob as azureblob
from azure.storage.blob import BlobServiceClient

config = {
    "STORAGE_ACCOUNT_URL": os.getenv("STORAGE_ACCOUNT_URL"),
    "STORAGE_CONTAINER_NAME": os.getenv("STORAGE_CONTAINER_NAME"),
    "STORAGE_BLOB_NAME": os.getenv("STORAGE_BLOB_NAME"),
}

if __name__ == "__main__":
    blob_client = azureblob.BlobServiceClient(
        config["STORAGE_ACCOUNT_URL"], credential=DefaultAzureCredential()
    )

    start = datetime.datetime.utcnow()
    end = start + datetime.timedelta(hours=1)

	# start and end time is the lifespan of the user token.
    # it cannot be long than 1 hour.
    user_token = blob_client.get_user_delegation_key(start, end)

    # generate container based token
    container_sas_token = azureblob.generate_container_sas(
        account_name=blob_client.account_name,
        container_name=config["STORAGE_CONTAINER_NAME"],
        user_delegation_key=user_token, # this is used in place of account account_key
        permission=azureblob.AccountSasPermissions(read=True, list=True),
        expiry=end,
    )
    print(container_sas_token)

    # generate blob based token
    blob_sas_token = azureblob.generate_blob_sas(
        account_name=blob_client.account_name,
        user_delegation_key=user_token, # this is used in place of account account_key
        container_name=config["STORAGE_CONTAINER_NAME"],
        blob_name=config["STORAGE_BLOB_NAME"],
        permission=azureblob.AccountSasPermissions(read=True),
        start=start,
        expiry=end,
    )
    print(blob_sas_token)

The code is self-explanatory as it is very identical to the one in Azure Blob Storage: SAS Token, Much of the information that we need to know about this form of token can be found here. This is a user delegated token hence it is not allowed to perform actions on the blob if the user does not have permissions to do the same. However, the SAS token that is generated with Blog Storage Account Key can perform all granted actions.

This User Delegation SAS Token is relatively new. Please read this announcement for more information.



Comments

Post a Comment

Popular posts from this blog

OpenAI: Functions Feature in 2023-07-01-preview API version

Image
  Image from https://www.pexels.com/@pavel-danilyuk/ One of the cool features of OpenAI version 2023-07-01 is its custom Functions feature. This feature is close to me because I am working on a project where we require OpenAI to generate JSON responses. We always want the generated JSON to be consistent, otherwise, we need to do some post-processing tasks to get the JSON object in the correct schema. In the blog, we observe the completion with and without this new feature. Development Setup python -m venv .venv poetry init poetry shell poetry add openai poetry add python-dotenv poetry add pydantic I am using Python version 3.11 Create .env file OPENAI_API_TYPE="azure" OPENAI_API_BASE="<OpenAI endpoint>" OPENAI_API_KEY="<OpenAI secret>" OPENAI_API_VERSION="2023-07-01-preview" OPENAI_DEPLOYMENT_ID="<deployment identifier>" Without OpenAI functions feature We use two sample texts for experimentation. We want to get the na
Read more

Storing embedding in Azure Database for PostgreSQL

Image
  Image from https://www.pexels.com/@tara-winstead/ There are many options to store text embeddings. In this blog, we shall look at storing embedding in Azure Database for PostgreSQL. Installing Azure Database for PostgreSQL Install Azure Database for PostgreSQL Flexible Server.  Once it is deployed, enable two extensions. Install Python modules python -m venv .venv poetry init poetry shell poetry add openai[datalib] poetry add python-dotenv poetry add psycopg2-binary My Python version is 3.10. Create .env OPENAI_API_TYPE="azure" OPENAI_API_BASE="<HTTP endpoint to Azure OpenAI Service>" OPENAI_API_KEY="<secret to Azure OpenAI Service>" OPENAI_API_VERSION="2023-05-15" TEXT_MODEL="<deployment id of text embedding model>" PGHOST="<my-service>.postgres.database.azure.com" PGUSER="<user name>" PGPASSWORD="<secret>" PGPORT="5432" PGDATABASE="< database name
Read more

Happy New Year, 2024 from DALL-E

Image
generated by DALL-E Wishing everyone a happy new year. Year 2023 is great for me because I learned much about OpenAI. I am involved in a live deployment with it, and involved in a handful of interesting user scenarios around it. On top of this, a copilot hackathon. The image above is generated by DALL-E and following is the code. 1. Dependencies python = "^3.10" pydantic-settings = "^2.1.0" openai = "^1.3.8" 2. Environment Parameters OPENAI_AZURE_ENDPOINT="<your azure openai endpoint>" AZURE_OPENAI_API_KEY="<your azure openai secret>" OPENAI_API_VERSION="2023-12-01-preview" OPENAI_DALLE_MODEL="dalle" Note: OPENAI_API_VERSION has to be 2023-12-01-preview otherwise you will get an exception openai.NotFoundError: Error code: 404 - {'error': {'code': '404', 'message': 'Resource not found'}} dalle  is the name of my dall-e-3 deployment model. You need to change it to
Read more